The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
    3  *      The Regents of the University of California.  All rights reserved.
    4  * (c) UNIX System Laboratories, Inc.
    5  * All or some portions of this file are derived from material licensed
    6  * to the University of California by American Telephone and Telegraph
    7  * Co. or Unix System Laboratories, Inc. and are reproduced herein with
    8  * the permission of UNIX System Laboratories, Inc.
    9  * Copyright (c) 2000-2001 Robert N. M. Watson.  All rights reserved.
   10  *
   11  * Redistribution and use in source and binary forms, with or without
   12  * modification, are permitted provided that the following conditions
   13  * are met:
   14  * 1. Redistributions of source code must retain the above copyright
   15  *    notice, this list of conditions and the following disclaimer.
   16  * 2. Redistributions in binary form must reproduce the above copyright
   17  *    notice, this list of conditions and the following disclaimer in the
   18  *    documentation and/or other materials provided with the distribution.
   19  * 4. Neither the name of the University nor the names of its contributors
   20  *    may be used to endorse or promote products derived from this software
   21  *    without specific prior written permission.
   22  *
   23  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   33  * SUCH DAMAGE.
   34  *
   35  *      @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
   36  */
   37 
   38 /*
   39  * System calls related to processes and protection
   40  */
   41 
   42 #include <sys/cdefs.h>
   43 __FBSDID("$FreeBSD: releng/6.0/sys/kern/kern_prot.c 145234 2005-04-18 13:36:57Z rwatson $");
   44 
   45 #include "opt_compat.h"
   46 #include "opt_mac.h"
   47 
   48 #include <sys/param.h>
   49 #include <sys/systm.h>
   50 #include <sys/acct.h>
   51 #include <sys/kdb.h>
   52 #include <sys/kernel.h>
   53 #include <sys/lock.h>
   54 #include <sys/mac.h>
   55 #include <sys/malloc.h>
   56 #include <sys/mutex.h>
   57 #include <sys/sx.h>
   58 #include <sys/proc.h>
   59 #include <sys/sysproto.h>
   60 #include <sys/jail.h>
   61 #include <sys/pioctl.h>
   62 #include <sys/resourcevar.h>
   63 #include <sys/socket.h>
   64 #include <sys/socketvar.h>
   65 #include <sys/sysctl.h>
   66 
   67 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
   68 
   69 SYSCTL_DECL(_security);
   70 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
   71     "BSD security policy");
   72 
   73 #ifndef _SYS_SYSPROTO_H_
   74 struct getpid_args {
   75         int     dummy;
   76 };
   77 #endif
   78 /*
   79  * MPSAFE
   80  */
   81 /* ARGSUSED */
   82 int
   83 getpid(struct thread *td, struct getpid_args *uap)
   84 {
   85         struct proc *p = td->td_proc;
   86 
   87         td->td_retval[0] = p->p_pid;
   88 #if defined(COMPAT_43)
   89         PROC_LOCK(p);
   90         td->td_retval[1] = p->p_pptr->p_pid;
   91         PROC_UNLOCK(p);
   92 #endif
   93         return (0);
   94 }
   95 
   96 #ifndef _SYS_SYSPROTO_H_
   97 struct getppid_args {
   98         int     dummy;
   99 };
  100 #endif
  101 /*
  102  * MPSAFE
  103  */
  104 /* ARGSUSED */
  105 int
  106 getppid(struct thread *td, struct getppid_args *uap)
  107 {
  108         struct proc *p = td->td_proc;
  109 
  110         PROC_LOCK(p);
  111         td->td_retval[0] = p->p_pptr->p_pid;
  112         PROC_UNLOCK(p);
  113         return (0);
  114 }
  115 
  116 /*
  117  * Get process group ID; note that POSIX getpgrp takes no parameter.
  118  */
  119 #ifndef _SYS_SYSPROTO_H_
  120 struct getpgrp_args {
  121         int     dummy;
  122 };
  123 #endif
  124 /*
  125  * MPSAFE
  126  */
  127 int
  128 getpgrp(struct thread *td, struct getpgrp_args *uap)
  129 {
  130         struct proc *p = td->td_proc;
  131 
  132         PROC_LOCK(p);
  133         td->td_retval[0] = p->p_pgrp->pg_id;
  134         PROC_UNLOCK(p);
  135         return (0);
  136 }
  137 
  138 /* Get an arbitary pid's process group id */
  139 #ifndef _SYS_SYSPROTO_H_
  140 struct getpgid_args {
  141         pid_t   pid;
  142 };
  143 #endif
  144 /*
  145  * MPSAFE
  146  */
  147 int
  148 getpgid(struct thread *td, struct getpgid_args *uap)
  149 {
  150         struct proc *p;
  151         int error;
  152 
  153         if (uap->pid == 0) {
  154                 p = td->td_proc;
  155                 PROC_LOCK(p);
  156         } else {
  157                 p = pfind(uap->pid);
  158                 if (p == NULL)
  159                         return (ESRCH);
  160                 error = p_cansee(td, p);
  161                 if (error) {
  162                         PROC_UNLOCK(p);
  163                         return (error);
  164                 }
  165         }
  166         td->td_retval[0] = p->p_pgrp->pg_id;
  167         PROC_UNLOCK(p);
  168         return (0);
  169 }
  170 
  171 /*
  172  * Get an arbitary pid's session id.
  173  */
  174 #ifndef _SYS_SYSPROTO_H_
  175 struct getsid_args {
  176         pid_t   pid;
  177 };
  178 #endif
  179 /*
  180  * MPSAFE
  181  */
  182 int
  183 getsid(struct thread *td, struct getsid_args *uap)
  184 {
  185         struct proc *p;
  186         int error;
  187 
  188         if (uap->pid == 0) {
  189                 p = td->td_proc;
  190                 PROC_LOCK(p);
  191         } else {
  192                 p = pfind(uap->pid);
  193                 if (p == NULL)
  194                         return (ESRCH);
  195                 error = p_cansee(td, p);
  196                 if (error) {
  197                         PROC_UNLOCK(p);
  198                         return (error);
  199                 }
  200         }
  201         td->td_retval[0] = p->p_session->s_sid;
  202         PROC_UNLOCK(p);
  203         return (0);
  204 }
  205 
  206 #ifndef _SYS_SYSPROTO_H_
  207 struct getuid_args {
  208         int     dummy;
  209 };
  210 #endif
  211 /*
  212  * MPSAFE
  213  */
  214 /* ARGSUSED */
  215 int
  216 getuid(struct thread *td, struct getuid_args *uap)
  217 {
  218 
  219         td->td_retval[0] = td->td_ucred->cr_ruid;
  220 #if defined(COMPAT_43)
  221         td->td_retval[1] = td->td_ucred->cr_uid;
  222 #endif
  223         return (0);
  224 }
  225 
  226 #ifndef _SYS_SYSPROTO_H_
  227 struct geteuid_args {
  228         int     dummy;
  229 };
  230 #endif
  231 /*
  232  * MPSAFE
  233  */
  234 /* ARGSUSED */
  235 int
  236 geteuid(struct thread *td, struct geteuid_args *uap)
  237 {
  238 
  239         td->td_retval[0] = td->td_ucred->cr_uid;
  240         return (0);
  241 }
  242 
  243 #ifndef _SYS_SYSPROTO_H_
  244 struct getgid_args {
  245         int     dummy;
  246 };
  247 #endif
  248 /*
  249  * MPSAFE
  250  */
  251 /* ARGSUSED */
  252 int
  253 getgid(struct thread *td, struct getgid_args *uap)
  254 {
  255 
  256         td->td_retval[0] = td->td_ucred->cr_rgid;
  257 #if defined(COMPAT_43)
  258         td->td_retval[1] = td->td_ucred->cr_groups[0];
  259 #endif
  260         return (0);
  261 }
  262 
  263 /*
  264  * Get effective group ID.  The "egid" is groups[0], and could be obtained
  265  * via getgroups.  This syscall exists because it is somewhat painful to do
  266  * correctly in a library function.
  267  */
  268 #ifndef _SYS_SYSPROTO_H_
  269 struct getegid_args {
  270         int     dummy;
  271 };
  272 #endif
  273 /*
  274  * MPSAFE
  275  */
  276 /* ARGSUSED */
  277 int
  278 getegid(struct thread *td, struct getegid_args *uap)
  279 {
  280 
  281         td->td_retval[0] = td->td_ucred->cr_groups[0];
  282         return (0);
  283 }
  284 
  285 #ifndef _SYS_SYSPROTO_H_
  286 struct getgroups_args {
  287         u_int   gidsetsize;
  288         gid_t   *gidset;
  289 };
  290 #endif
  291 /*
  292  * MPSAFE
  293  */
  294 int
  295 getgroups(struct thread *td, register struct getgroups_args *uap)
  296 {
  297         struct ucred *cred;
  298         u_int ngrp;
  299         int error;
  300 
  301         cred = td->td_ucred;
  302         if ((ngrp = uap->gidsetsize) == 0) {
  303                 td->td_retval[0] = cred->cr_ngroups;
  304                 return (0);
  305         }
  306         if (ngrp < cred->cr_ngroups)
  307                 return (EINVAL);
  308         ngrp = cred->cr_ngroups;
  309         error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
  310         if (error == 0)
  311                 td->td_retval[0] = ngrp;
  312         return (error);
  313 }
  314 
  315 #ifndef _SYS_SYSPROTO_H_
  316 struct setsid_args {
  317         int     dummy;
  318 };
  319 #endif
  320 /*
  321  * MPSAFE
  322  */
  323 /* ARGSUSED */
  324 int
  325 setsid(register struct thread *td, struct setsid_args *uap)
  326 {
  327         struct pgrp *pgrp;
  328         int error;
  329         struct proc *p = td->td_proc;
  330         struct pgrp *newpgrp;
  331         struct session *newsess;
  332 
  333         error = 0;
  334         pgrp = NULL;
  335 
  336         MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
  337         MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
  338 
  339         sx_xlock(&proctree_lock);
  340 
  341         if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
  342                 if (pgrp != NULL)
  343                         PGRP_UNLOCK(pgrp);
  344                 error = EPERM;
  345         } else {
  346                 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
  347                 td->td_retval[0] = p->p_pid;
  348                 newpgrp = NULL;
  349                 newsess = NULL;
  350         }
  351 
  352         sx_xunlock(&proctree_lock);
  353 
  354         if (newpgrp != NULL)
  355                 FREE(newpgrp, M_PGRP);
  356         if (newsess != NULL)
  357                 FREE(newsess, M_SESSION);
  358 
  359         return (error);
  360 }
  361 
  362 /*
  363  * set process group (setpgid/old setpgrp)
  364  *
  365  * caller does setpgid(targpid, targpgid)
  366  *
  367  * pid must be caller or child of caller (ESRCH)
  368  * if a child
  369  *      pid must be in same session (EPERM)
  370  *      pid can't have done an exec (EACCES)
  371  * if pgid != pid
  372  *      there must exist some pid in same session having pgid (EPERM)
  373  * pid must not be session leader (EPERM)
  374  */
  375 #ifndef _SYS_SYSPROTO_H_
  376 struct setpgid_args {
  377         int     pid;            /* target process id */
  378         int     pgid;           /* target pgrp id */
  379 };
  380 #endif
  381 /*
  382  * MPSAFE
  383  */
  384 /* ARGSUSED */
  385 int
  386 setpgid(struct thread *td, register struct setpgid_args *uap)
  387 {
  388         struct proc *curp = td->td_proc;
  389         register struct proc *targp;    /* target process */
  390         register struct pgrp *pgrp;     /* target pgrp */
  391         int error;
  392         struct pgrp *newpgrp;
  393 
  394         if (uap->pgid < 0)
  395                 return (EINVAL);
  396 
  397         error = 0;
  398 
  399         MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
  400 
  401         sx_xlock(&proctree_lock);
  402         if (uap->pid != 0 && uap->pid != curp->p_pid) {
  403                 if ((targp = pfind(uap->pid)) == NULL) {
  404                         error = ESRCH;
  405                         goto done;
  406                 }
  407                 if (!inferior(targp)) {
  408                         PROC_UNLOCK(targp);
  409                         error = ESRCH;
  410                         goto done;
  411                 }
  412                 if ((error = p_cansee(td, targp))) {
  413                         PROC_UNLOCK(targp);
  414                         goto done;
  415                 }
  416                 if (targp->p_pgrp == NULL ||
  417                     targp->p_session != curp->p_session) {
  418                         PROC_UNLOCK(targp);
  419                         error = EPERM;
  420                         goto done;
  421                 }
  422                 if (targp->p_flag & P_EXEC) {
  423                         PROC_UNLOCK(targp);
  424                         error = EACCES;
  425                         goto done;
  426                 }
  427                 PROC_UNLOCK(targp);
  428         } else
  429                 targp = curp;
  430         if (SESS_LEADER(targp)) {
  431                 error = EPERM;
  432                 goto done;
  433         }
  434         if (uap->pgid == 0)
  435                 uap->pgid = targp->p_pid;
  436         if ((pgrp = pgfind(uap->pgid)) == NULL) {
  437                 if (uap->pgid == targp->p_pid) {
  438                         error = enterpgrp(targp, uap->pgid, newpgrp,
  439                             NULL);
  440                         if (error == 0)
  441                                 newpgrp = NULL;
  442                 } else
  443                         error = EPERM;
  444         } else {
  445                 if (pgrp == targp->p_pgrp) {
  446                         PGRP_UNLOCK(pgrp);
  447                         goto done;
  448                 }
  449                 if (pgrp->pg_id != targp->p_pid &&
  450                     pgrp->pg_session != curp->p_session) {
  451                         PGRP_UNLOCK(pgrp);
  452                         error = EPERM;
  453                         goto done;
  454                 }
  455                 PGRP_UNLOCK(pgrp);
  456                 error = enterthispgrp(targp, pgrp);
  457         }
  458 done:
  459         sx_xunlock(&proctree_lock);
  460         KASSERT((error == 0) || (newpgrp != NULL),
  461             ("setpgid failed and newpgrp is NULL"));
  462         if (newpgrp != NULL)
  463                 FREE(newpgrp, M_PGRP);
  464         return (error);
  465 }
  466 
  467 /*
  468  * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
  469  * compatible.  It says that setting the uid/gid to euid/egid is a special
  470  * case of "appropriate privilege".  Once the rules are expanded out, this
  471  * basically means that setuid(nnn) sets all three id's, in all permitted
  472  * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
  473  * does not set the saved id - this is dangerous for traditional BSD
  474  * programs.  For this reason, we *really* do not want to set
  475  * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
  476  */
  477 #define POSIX_APPENDIX_B_4_2_2
  478 
  479 #ifndef _SYS_SYSPROTO_H_
  480 struct setuid_args {
  481         uid_t   uid;
  482 };
  483 #endif
  484 /*
  485  * MPSAFE
  486  */
  487 /* ARGSUSED */
  488 int
  489 setuid(struct thread *td, struct setuid_args *uap)
  490 {
  491         struct proc *p = td->td_proc;
  492         struct ucred *newcred, *oldcred;
  493         uid_t uid;
  494         struct uidinfo *uip;
  495         int error;
  496 
  497         uid = uap->uid;
  498         newcred = crget();
  499         uip = uifind(uid);
  500         PROC_LOCK(p);
  501         oldcred = p->p_ucred;
  502 
  503 #ifdef MAC
  504         error = mac_check_proc_setuid(p, oldcred, uid);
  505         if (error)
  506                 goto fail;
  507 #endif
  508 
  509         /*
  510          * See if we have "permission" by POSIX 1003.1 rules.
  511          *
  512          * Note that setuid(geteuid()) is a special case of
  513          * "appropriate privileges" in appendix B.4.2.2.  We need
  514          * to use this clause to be compatible with traditional BSD
  515          * semantics.  Basically, it means that "setuid(xx)" sets all
  516          * three id's (assuming you have privs).
  517          *
  518          * Notes on the logic.  We do things in three steps.
  519          * 1: We determine if the euid is going to change, and do EPERM
  520          *    right away.  We unconditionally change the euid later if this
  521          *    test is satisfied, simplifying that part of the logic.
  522          * 2: We determine if the real and/or saved uids are going to
  523          *    change.  Determined by compile options.
  524          * 3: Change euid last. (after tests in #2 for "appropriate privs")
  525          */
  526         if (uid != oldcred->cr_ruid &&          /* allow setuid(getuid()) */
  527 #ifdef _POSIX_SAVED_IDS
  528             uid != oldcred->cr_svuid &&         /* allow setuid(saved gid) */
  529 #endif
  530 #ifdef POSIX_APPENDIX_B_4_2_2   /* Use BSD-compat clause from B.4.2.2 */
  531             uid != oldcred->cr_uid &&           /* allow setuid(geteuid()) */
  532 #endif
  533             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  534                 goto fail;
  535 
  536         /*
  537          * Copy credentials so other references do not see our changes.
  538          */
  539         crcopy(newcred, oldcred);
  540 #ifdef _POSIX_SAVED_IDS
  541         /*
  542          * Do we have "appropriate privileges" (are we root or uid == euid)
  543          * If so, we are changing the real uid and/or saved uid.
  544          */
  545         if (
  546 #ifdef POSIX_APPENDIX_B_4_2_2   /* Use the clause from B.4.2.2 */
  547             uid == oldcred->cr_uid ||
  548 #endif
  549             suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
  550 #endif
  551         {
  552                 /*
  553                  * Set the real uid and transfer proc count to new user.
  554                  */
  555                 if (uid != oldcred->cr_ruid) {
  556                         change_ruid(newcred, uip);
  557                         setsugid(p);
  558                 }
  559                 /*
  560                  * Set saved uid
  561                  *
  562                  * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
  563                  * the security of seteuid() depends on it.  B.4.2.2 says it
  564                  * is important that we should do this.
  565                  */
  566                 if (uid != oldcred->cr_svuid) {
  567                         change_svuid(newcred, uid);
  568                         setsugid(p);
  569                 }
  570         }
  571 
  572         /*
  573          * In all permitted cases, we are changing the euid.
  574          */
  575         if (uid != oldcred->cr_uid) {
  576                 change_euid(newcred, uip);
  577                 setsugid(p);
  578         }
  579         p->p_ucred = newcred;
  580         PROC_UNLOCK(p);
  581         uifree(uip);
  582         crfree(oldcred);
  583         return (0);
  584 
  585 fail:
  586         PROC_UNLOCK(p);
  587         uifree(uip);
  588         crfree(newcred);
  589         return (error);
  590 }
  591 
  592 #ifndef _SYS_SYSPROTO_H_
  593 struct seteuid_args {
  594         uid_t   euid;
  595 };
  596 #endif
  597 /*
  598  * MPSAFE
  599  */
  600 /* ARGSUSED */
  601 int
  602 seteuid(struct thread *td, struct seteuid_args *uap)
  603 {
  604         struct proc *p = td->td_proc;
  605         struct ucred *newcred, *oldcred;
  606         uid_t euid;
  607         struct uidinfo *euip;
  608         int error;
  609 
  610         euid = uap->euid;
  611         newcred = crget();
  612         euip = uifind(euid);
  613         PROC_LOCK(p);
  614         oldcred = p->p_ucred;
  615 
  616 #ifdef MAC
  617         error = mac_check_proc_seteuid(p, oldcred, euid);
  618         if (error)
  619                 goto fail;
  620 #endif
  621 
  622         if (euid != oldcred->cr_ruid &&         /* allow seteuid(getuid()) */
  623             euid != oldcred->cr_svuid &&        /* allow seteuid(saved uid) */
  624             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  625                 goto fail;
  626 
  627         /*
  628          * Everything's okay, do it.  Copy credentials so other references do
  629          * not see our changes.
  630          */
  631         crcopy(newcred, oldcred);
  632         if (oldcred->cr_uid != euid) {
  633                 change_euid(newcred, euip);
  634                 setsugid(p);
  635         }
  636         p->p_ucred = newcred;
  637         PROC_UNLOCK(p);
  638         uifree(euip);
  639         crfree(oldcred);
  640         return (0);
  641 
  642 fail:
  643         PROC_UNLOCK(p);
  644         uifree(euip);
  645         crfree(newcred);
  646         return (error);
  647 }
  648 
  649 #ifndef _SYS_SYSPROTO_H_
  650 struct setgid_args {
  651         gid_t   gid;
  652 };
  653 #endif
  654 /*
  655  * MPSAFE
  656  */
  657 /* ARGSUSED */
  658 int
  659 setgid(struct thread *td, struct setgid_args *uap)
  660 {
  661         struct proc *p = td->td_proc;
  662         struct ucred *newcred, *oldcred;
  663         gid_t gid;
  664         int error;
  665 
  666         gid = uap->gid;
  667         newcred = crget();
  668         PROC_LOCK(p);
  669         oldcred = p->p_ucred;
  670 
  671 #ifdef MAC
  672         error = mac_check_proc_setgid(p, oldcred, gid);
  673         if (error)
  674                 goto fail;
  675 #endif
  676 
  677         /*
  678          * See if we have "permission" by POSIX 1003.1 rules.
  679          *
  680          * Note that setgid(getegid()) is a special case of
  681          * "appropriate privileges" in appendix B.4.2.2.  We need
  682          * to use this clause to be compatible with traditional BSD
  683          * semantics.  Basically, it means that "setgid(xx)" sets all
  684          * three id's (assuming you have privs).
  685          *
  686          * For notes on the logic here, see setuid() above.
  687          */
  688         if (gid != oldcred->cr_rgid &&          /* allow setgid(getgid()) */
  689 #ifdef _POSIX_SAVED_IDS
  690             gid != oldcred->cr_svgid &&         /* allow setgid(saved gid) */
  691 #endif
  692 #ifdef POSIX_APPENDIX_B_4_2_2   /* Use BSD-compat clause from B.4.2.2 */
  693             gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
  694 #endif
  695             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  696                 goto fail;
  697 
  698         crcopy(newcred, oldcred);
  699 #ifdef _POSIX_SAVED_IDS
  700         /*
  701          * Do we have "appropriate privileges" (are we root or gid == egid)
  702          * If so, we are changing the real uid and saved gid.
  703          */
  704         if (
  705 #ifdef POSIX_APPENDIX_B_4_2_2   /* use the clause from B.4.2.2 */
  706             gid == oldcred->cr_groups[0] ||
  707 #endif
  708             suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
  709 #endif
  710         {
  711                 /*
  712                  * Set real gid
  713                  */
  714                 if (oldcred->cr_rgid != gid) {
  715                         change_rgid(newcred, gid);
  716                         setsugid(p);
  717                 }
  718                 /*
  719                  * Set saved gid
  720                  *
  721                  * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
  722                  * the security of setegid() depends on it.  B.4.2.2 says it
  723                  * is important that we should do this.
  724                  */
  725                 if (oldcred->cr_svgid != gid) {
  726                         change_svgid(newcred, gid);
  727                         setsugid(p);
  728                 }
  729         }
  730         /*
  731          * In all cases permitted cases, we are changing the egid.
  732          * Copy credentials so other references do not see our changes.
  733          */
  734         if (oldcred->cr_groups[0] != gid) {
  735                 change_egid(newcred, gid);
  736                 setsugid(p);
  737         }
  738         p->p_ucred = newcred;
  739         PROC_UNLOCK(p);
  740         crfree(oldcred);
  741         return (0);
  742 
  743 fail:
  744         PROC_UNLOCK(p);
  745         crfree(newcred);
  746         return (error);
  747 }
  748 
  749 #ifndef _SYS_SYSPROTO_H_
  750 struct setegid_args {
  751         gid_t   egid;
  752 };
  753 #endif
  754 /*
  755  * MPSAFE
  756  */
  757 /* ARGSUSED */
  758 int
  759 setegid(struct thread *td, struct setegid_args *uap)
  760 {
  761         struct proc *p = td->td_proc;
  762         struct ucred *newcred, *oldcred;
  763         gid_t egid;
  764         int error;
  765 
  766         egid = uap->egid;
  767         newcred = crget();
  768         PROC_LOCK(p);
  769         oldcred = p->p_ucred;
  770 
  771 #ifdef MAC
  772         error = mac_check_proc_setegid(p, oldcred, egid);
  773         if (error)
  774                 goto fail;
  775 #endif
  776 
  777         if (egid != oldcred->cr_rgid &&         /* allow setegid(getgid()) */
  778             egid != oldcred->cr_svgid &&        /* allow setegid(saved gid) */
  779             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  780                 goto fail;
  781 
  782         crcopy(newcred, oldcred);
  783         if (oldcred->cr_groups[0] != egid) {
  784                 change_egid(newcred, egid);
  785                 setsugid(p);
  786         }
  787         p->p_ucred = newcred;
  788         PROC_UNLOCK(p);
  789         crfree(oldcred);
  790         return (0);
  791 
  792 fail:
  793         PROC_UNLOCK(p);
  794         crfree(newcred);
  795         return (error);
  796 }
  797 
  798 #ifndef _SYS_SYSPROTO_H_
  799 struct setgroups_args {
  800         u_int   gidsetsize;
  801         gid_t   *gidset;
  802 };
  803 #endif
  804 /*
  805  * MPSAFE
  806  */
  807 /* ARGSUSED */
  808 int
  809 setgroups(struct thread *td, struct setgroups_args *uap)
  810 {
  811         struct proc *p = td->td_proc;
  812         struct ucred *newcred, *tempcred, *oldcred;
  813         u_int ngrp;
  814         int error;
  815 
  816         ngrp = uap->gidsetsize;
  817         if (ngrp > NGROUPS)
  818                 return (EINVAL);
  819         tempcred = crget();
  820         error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
  821         if (error != 0) {
  822                 crfree(tempcred);
  823                 return (error);
  824         }
  825         newcred = crget();
  826         PROC_LOCK(p);
  827         oldcred = p->p_ucred;
  828 
  829 #ifdef MAC
  830         error = mac_check_proc_setgroups(p, oldcred, ngrp,
  831             tempcred->cr_groups);
  832         if (error)
  833                 goto fail;
  834 #endif
  835 
  836         error = suser_cred(oldcred, SUSER_ALLOWJAIL);
  837         if (error)
  838                 goto fail;
  839 
  840         /*
  841          * XXX A little bit lazy here.  We could test if anything has
  842          * changed before crcopy() and setting P_SUGID.
  843          */
  844         crcopy(newcred, oldcred);
  845         if (ngrp < 1) {
  846                 /*
  847                  * setgroups(0, NULL) is a legitimate way of clearing the
  848                  * groups vector on non-BSD systems (which generally do not
  849                  * have the egid in the groups[0]).  We risk security holes
  850                  * when running non-BSD software if we do not do the same.
  851                  */
  852                 newcred->cr_ngroups = 1;
  853         } else {
  854                 bcopy(tempcred->cr_groups, newcred->cr_groups,
  855                     ngrp * sizeof(gid_t));
  856                 newcred->cr_ngroups = ngrp;
  857         }
  858         setsugid(p);
  859         p->p_ucred = newcred;
  860         PROC_UNLOCK(p);
  861         crfree(tempcred);
  862         crfree(oldcred);
  863         return (0);
  864 
  865 fail:
  866         PROC_UNLOCK(p);
  867         crfree(newcred);
  868         crfree(tempcred);
  869         return (error);
  870 }
  871 
  872 #ifndef _SYS_SYSPROTO_H_
  873 struct setreuid_args {
  874         uid_t   ruid;
  875         uid_t   euid;
  876 };
  877 #endif
  878 /*
  879  * MPSAFE
  880  */
  881 /* ARGSUSED */
  882 int
  883 setreuid(register struct thread *td, struct setreuid_args *uap)
  884 {
  885         struct proc *p = td->td_proc;
  886         struct ucred *newcred, *oldcred;
  887         uid_t euid, ruid;
  888         struct uidinfo *euip, *ruip;
  889         int error;
  890 
  891         euid = uap->euid;
  892         ruid = uap->ruid;
  893         newcred = crget();
  894         euip = uifind(euid);
  895         ruip = uifind(ruid);
  896         PROC_LOCK(p);
  897         oldcred = p->p_ucred;
  898 
  899 #ifdef MAC
  900         error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
  901         if (error)
  902                 goto fail;
  903 #endif
  904 
  905         if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
  906               ruid != oldcred->cr_svuid) ||
  907              (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
  908               euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
  909             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  910                 goto fail;
  911 
  912         crcopy(newcred, oldcred);
  913         if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
  914                 change_euid(newcred, euip);
  915                 setsugid(p);
  916         }
  917         if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
  918                 change_ruid(newcred, ruip);
  919                 setsugid(p);
  920         }
  921         if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
  922             newcred->cr_svuid != newcred->cr_uid) {
  923                 change_svuid(newcred, newcred->cr_uid);
  924                 setsugid(p);
  925         }
  926         p->p_ucred = newcred;
  927         PROC_UNLOCK(p);
  928         uifree(ruip);
  929         uifree(euip);
  930         crfree(oldcred);
  931         return (0);
  932 
  933 fail:
  934         PROC_UNLOCK(p);
  935         uifree(ruip);
  936         uifree(euip);
  937         crfree(newcred);
  938         return (error);
  939 }
  940 
  941 #ifndef _SYS_SYSPROTO_H_
  942 struct setregid_args {
  943         gid_t   rgid;
  944         gid_t   egid;
  945 };
  946 #endif
  947 /*
  948  * MPSAFE
  949  */
  950 /* ARGSUSED */
  951 int
  952 setregid(register struct thread *td, struct setregid_args *uap)
  953 {
  954         struct proc *p = td->td_proc;
  955         struct ucred *newcred, *oldcred;
  956         gid_t egid, rgid;
  957         int error;
  958 
  959         egid = uap->egid;
  960         rgid = uap->rgid;
  961         newcred = crget();
  962         PROC_LOCK(p);
  963         oldcred = p->p_ucred;
  964 
  965 #ifdef MAC
  966         error = mac_check_proc_setregid(p, oldcred, rgid, egid);
  967         if (error)
  968                 goto fail;
  969 #endif
  970 
  971         if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
  972             rgid != oldcred->cr_svgid) ||
  973              (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
  974              egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
  975             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  976                 goto fail;
  977 
  978         crcopy(newcred, oldcred);
  979         if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
  980                 change_egid(newcred, egid);
  981                 setsugid(p);
  982         }
  983         if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
  984                 change_rgid(newcred, rgid);
  985                 setsugid(p);
  986         }
  987         if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
  988             newcred->cr_svgid != newcred->cr_groups[0]) {
  989                 change_svgid(newcred, newcred->cr_groups[0]);
  990                 setsugid(p);
  991         }
  992         p->p_ucred = newcred;
  993         PROC_UNLOCK(p);
  994         crfree(oldcred);
  995         return (0);
  996 
  997 fail:
  998         PROC_UNLOCK(p);
  999         crfree(newcred);
 1000         return (error);
 1001 }
 1002 
 1003 /*
 1004  * setresuid(ruid, euid, suid) is like setreuid except control over the
 1005  * saved uid is explicit.
 1006  */
 1007 
 1008 #ifndef _SYS_SYSPROTO_H_
 1009 struct setresuid_args {
 1010         uid_t   ruid;
 1011         uid_t   euid;
 1012         uid_t   suid;
 1013 };
 1014 #endif
 1015 /*
 1016  * MPSAFE
 1017  */
 1018 /* ARGSUSED */
 1019 int
 1020 setresuid(register struct thread *td, struct setresuid_args *uap)
 1021 {
 1022         struct proc *p = td->td_proc;
 1023         struct ucred *newcred, *oldcred;
 1024         uid_t euid, ruid, suid;
 1025         struct uidinfo *euip, *ruip;
 1026         int error;
 1027 
 1028         euid = uap->euid;
 1029         ruid = uap->ruid;
 1030         suid = uap->suid;
 1031         newcred = crget();
 1032         euip = uifind(euid);
 1033         ruip = uifind(ruid);
 1034         PROC_LOCK(p);
 1035         oldcred = p->p_ucred;
 1036 
 1037 #ifdef MAC
 1038         error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
 1039         if (error)
 1040                 goto fail;
 1041 #endif
 1042 
 1043         if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
 1044              ruid != oldcred->cr_svuid &&
 1045               ruid != oldcred->cr_uid) ||
 1046              (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
 1047             euid != oldcred->cr_svuid &&
 1048               euid != oldcred->cr_uid) ||
 1049              (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
 1050             suid != oldcred->cr_svuid &&
 1051               suid != oldcred->cr_uid)) &&
 1052             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
 1053                 goto fail;
 1054 
 1055         crcopy(newcred, oldcred);
 1056         if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
 1057                 change_euid(newcred, euip);
 1058                 setsugid(p);
 1059         }
 1060         if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
 1061                 change_ruid(newcred, ruip);
 1062                 setsugid(p);
 1063         }
 1064         if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
 1065                 change_svuid(newcred, suid);
 1066                 setsugid(p);
 1067         }
 1068         p->p_ucred = newcred;
 1069         PROC_UNLOCK(p);
 1070         uifree(ruip);
 1071         uifree(euip);
 1072         crfree(oldcred);
 1073         return (0);
 1074 
 1075 fail:
 1076         PROC_UNLOCK(p);
 1077         uifree(ruip);
 1078         uifree(euip);
 1079         crfree(newcred);
 1080         return (error);
 1081 
 1082 }
 1083 
 1084 /*
 1085  * setresgid(rgid, egid, sgid) is like setregid except control over the
 1086  * saved gid is explicit.
 1087  */
 1088 
 1089 #ifndef _SYS_SYSPROTO_H_
 1090 struct setresgid_args {
 1091         gid_t   rgid;
 1092         gid_t   egid;
 1093         gid_t   sgid;
 1094 };
 1095 #endif
 1096 /*
 1097  * MPSAFE
 1098  */
 1099 /* ARGSUSED */
 1100 int
 1101 setresgid(register struct thread *td, struct setresgid_args *uap)
 1102 {
 1103         struct proc *p = td->td_proc;
 1104         struct ucred *newcred, *oldcred;
 1105         gid_t egid, rgid, sgid;
 1106         int error;
 1107 
 1108         egid = uap->egid;
 1109         rgid = uap->rgid;
 1110         sgid = uap->sgid;
 1111         newcred = crget();
 1112         PROC_LOCK(p);
 1113         oldcred = p->p_ucred;
 1114 
 1115 #ifdef MAC
 1116         error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
 1117         if (error)
 1118                 goto fail;
 1119 #endif
 1120 
 1121         if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
 1122               rgid != oldcred->cr_svgid &&
 1123               rgid != oldcred->cr_groups[0]) ||
 1124              (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
 1125               egid != oldcred->cr_svgid &&
 1126               egid != oldcred->cr_groups[0]) ||
 1127              (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
 1128               sgid != oldcred->cr_svgid &&
 1129               sgid != oldcred->cr_groups[0])) &&
 1130             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
 1131                 goto fail;
 1132 
 1133         crcopy(newcred, oldcred);
 1134         if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
 1135                 change_egid(newcred, egid);
 1136                 setsugid(p);
 1137         }
 1138         if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
 1139                 change_rgid(newcred, rgid);
 1140                 setsugid(p);
 1141         }
 1142         if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
 1143                 change_svgid(newcred, sgid);
 1144                 setsugid(p);
 1145         }
 1146         p->p_ucred = newcred;
 1147         PROC_UNLOCK(p);
 1148         crfree(oldcred);
 1149         return (0);
 1150 
 1151 fail:
 1152         PROC_UNLOCK(p);
 1153         crfree(newcred);
 1154         return (error);
 1155 }
 1156 
 1157 #ifndef _SYS_SYSPROTO_H_
 1158 struct getresuid_args {
 1159         uid_t   *ruid;
 1160         uid_t   *euid;
 1161         uid_t   *suid;
 1162 };
 1163 #endif
 1164 /*
 1165  * MPSAFE
 1166  */
 1167 /* ARGSUSED */
 1168 int
 1169 getresuid(register struct thread *td, struct getresuid_args *uap)
 1170 {
 1171         struct ucred *cred;
 1172         int error1 = 0, error2 = 0, error3 = 0;
 1173 
 1174         cred = td->td_ucred;
 1175         if (uap->ruid)
 1176                 error1 = copyout(&cred->cr_ruid,
 1177                     uap->ruid, sizeof(cred->cr_ruid));
 1178         if (uap->euid)
 1179                 error2 = copyout(&cred->cr_uid,
 1180                     uap->euid, sizeof(cred->cr_uid));
 1181         if (uap->suid)
 1182                 error3 = copyout(&cred->cr_svuid,
 1183                     uap->suid, sizeof(cred->cr_svuid));
 1184         return (error1 ? error1 : error2 ? error2 : error3);
 1185 }
 1186 
 1187 #ifndef _SYS_SYSPROTO_H_
 1188 struct getresgid_args {
 1189         gid_t   *rgid;
 1190         gid_t   *egid;
 1191         gid_t   *sgid;
 1192 };
 1193 #endif
 1194 /*
 1195  * MPSAFE
 1196  */
 1197 /* ARGSUSED */
 1198 int
 1199 getresgid(register struct thread *td, struct getresgid_args *uap)
 1200 {
 1201         struct ucred *cred;
 1202         int error1 = 0, error2 = 0, error3 = 0;
 1203 
 1204         cred = td->td_ucred;
 1205         if (uap->rgid)
 1206                 error1 = copyout(&cred->cr_rgid,
 1207                     uap->rgid, sizeof(cred->cr_rgid));
 1208         if (uap->egid)
 1209                 error2 = copyout(&cred->cr_groups[0],
 1210                     uap->egid, sizeof(cred->cr_groups[0]));
 1211         if (uap->sgid)
 1212                 error3 = copyout(&cred->cr_svgid,
 1213                     uap->sgid, sizeof(cred->cr_svgid));
 1214         return (error1 ? error1 : error2 ? error2 : error3);
 1215 }
 1216 
 1217 #ifndef _SYS_SYSPROTO_H_
 1218 struct issetugid_args {
 1219         int dummy;
 1220 };
 1221 #endif
 1222 /*
 1223  * MPSAFE
 1224  */
 1225 /* ARGSUSED */
 1226 int
 1227 issetugid(register struct thread *td, struct issetugid_args *uap)
 1228 {
 1229         struct proc *p = td->td_proc;
 1230 
 1231         /*
 1232          * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
 1233          * we use P_SUGID because we consider changing the owners as
 1234          * "tainting" as well.
 1235          * This is significant for procs that start as root and "become"
 1236          * a user without an exec - programs cannot know *everything*
 1237          * that libc *might* have put in their data segment.
 1238          */
 1239         PROC_LOCK(p);
 1240         td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
 1241         PROC_UNLOCK(p);
 1242         return (0);
 1243 }
 1244 
 1245 /*
 1246  * MPSAFE
 1247  */
 1248 int
 1249 __setugid(struct thread *td, struct __setugid_args *uap)
 1250 {
 1251 #ifdef REGRESSION
 1252         struct proc *p;
 1253 
 1254         p = td->td_proc;
 1255         switch (uap->flag) {
 1256         case 0:
 1257                 PROC_LOCK(p);
 1258                 p->p_flag &= ~P_SUGID;
 1259                 PROC_UNLOCK(p);
 1260                 return (0);
 1261         case 1:
 1262                 PROC_LOCK(p);
 1263                 p->p_flag |= P_SUGID;
 1264                 PROC_UNLOCK(p);
 1265                 return (0);
 1266         default:
 1267                 return (EINVAL);
 1268         }
 1269 #else /* !REGRESSION */
 1270 
 1271         return (ENOSYS);
 1272 #endif /* REGRESSION */
 1273 }
 1274 
 1275 /*
 1276  * Check if gid is a member of the group set.
 1277  *
 1278  * MPSAFE (cred must be held)
 1279  */
 1280 int
 1281 groupmember(gid_t gid, struct ucred *cred)
 1282 {
 1283         register gid_t *gp;
 1284         gid_t *egp;
 1285 
 1286         egp = &(cred->cr_groups[cred->cr_ngroups]);
 1287         for (gp = cred->cr_groups; gp < egp; gp++)
 1288                 if (*gp == gid)
 1289                         return (1);
 1290         return (0);
 1291 }
 1292 
 1293 /*
 1294  * `suser_enabled' (which can be set by the security.suser_enabled
 1295  * sysctl) determines whether the system 'super-user' policy is in effect.
 1296  * If it is nonzero, an effective uid of 0 connotes special privilege,
 1297  * overriding many mandatory and discretionary protections.  If it is zero,
 1298  * uid 0 is offered no special privilege in the kernel security policy.
 1299  * Setting it to zero may seriously impact the functionality of many
 1300  * existing userland programs, and should not be done without careful
 1301  * consideration of the consequences.
 1302  */
 1303 int     suser_enabled = 1;
 1304 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
 1305     &suser_enabled, 0, "processes with uid 0 have privilege");
 1306 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
 1307 
 1308 /*
 1309  * Test whether the specified credentials imply "super-user" privilege.
 1310  * Return 0 or EPERM.
 1311  */
 1312 int
 1313 suser_cred(struct ucred *cred, int flag)
 1314 {
 1315 
 1316         if (!suser_enabled)
 1317                 return (EPERM);
 1318         if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
 1319                 return (EPERM);
 1320         if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
 1321                 return (EPERM);
 1322         return (0);
 1323 }
 1324 
 1325 /*
 1326  * Shortcut to hide contents of struct td and struct proc from the
 1327  * caller, promoting binary compatibility.
 1328  */
 1329 int
 1330 suser(struct thread *td)
 1331 {
 1332 
 1333 #ifdef INVARIANTS
 1334         if (td != curthread) {
 1335                 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
 1336                     td, td->td_proc->p_pid, td->td_proc->p_comm,
 1337                     curthread, curthread->td_proc->p_pid,
 1338                     curthread->td_proc->p_comm);
 1339 #ifdef KDB
 1340                 kdb_backtrace();
 1341 #endif
 1342         }
 1343 #endif
 1344         return (suser_cred(td->td_ucred, 0));
 1345 }
 1346 
 1347 /*
 1348  * Test the active securelevel against a given level.  securelevel_gt()
 1349  * implements (securelevel > level).  securelevel_ge() implements
 1350  * (securelevel >= level).  Note that the logic is inverted -- these
 1351  * functions return EPERM on "success" and 0 on "failure".
 1352  *
 1353  * MPSAFE
 1354  */
 1355 int
 1356 securelevel_gt(struct ucred *cr, int level)
 1357 {
 1358         int active_securelevel;
 1359 
 1360         active_securelevel = securelevel;
 1361         KASSERT(cr != NULL, ("securelevel_gt: null cr"));
 1362         if (cr->cr_prison != NULL)
 1363                 active_securelevel = imax(cr->cr_prison->pr_securelevel,
 1364                     active_securelevel);
 1365         return (active_securelevel > level ? EPERM : 0);
 1366 }
 1367 
 1368 int
 1369 securelevel_ge(struct ucred *cr, int level)
 1370 {
 1371         int active_securelevel;
 1372 
 1373         active_securelevel = securelevel;
 1374         KASSERT(cr != NULL, ("securelevel_ge: null cr"));
 1375         if (cr->cr_prison != NULL)
 1376                 active_securelevel = imax(cr->cr_prison->pr_securelevel,
 1377                     active_securelevel);
 1378         return (active_securelevel >= level ? EPERM : 0);
 1379 }
 1380 
 1381 /*
 1382  * 'see_other_uids' determines whether or not visibility of processes
 1383  * and sockets with credentials holding different real uids is possible
 1384  * using a variety of system MIBs.
 1385  * XXX: data declarations should be together near the beginning of the file.
 1386  */
 1387 static int      see_other_uids = 1;
 1388 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
 1389     &see_other_uids, 0,
 1390     "Unprivileged processes may see subjects/objects with different real uid");
 1391 
 1392 /*-
 1393  * Determine if u1 "can see" the subject specified by u2, according to the
 1394  * 'see_other_uids' policy.
 1395  * Returns: 0 for permitted, ESRCH otherwise
 1396  * Locks: none
 1397  * References: *u1 and *u2 must not change during the call
 1398  *             u1 may equal u2, in which case only one reference is required
 1399  */
 1400 static int
 1401 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
 1402 {
 1403 
 1404         if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
 1405                 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
 1406                         return (ESRCH);
 1407         }
 1408         return (0);
 1409 }
 1410 
 1411 /*
 1412  * 'see_other_gids' determines whether or not visibility of processes
 1413  * and sockets with credentials holding different real gids is possible
 1414  * using a variety of system MIBs.
 1415  * XXX: data declarations should be together near the beginning of the file.
 1416  */
 1417 static int      see_other_gids = 1;
 1418 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
 1419     &see_other_gids, 0,
 1420     "Unprivileged processes may see subjects/objects with different real gid");
 1421 
 1422 /*
 1423  * Determine if u1 can "see" the subject specified by u2, according to the
 1424  * 'see_other_gids' policy.
 1425  * Returns: 0 for permitted, ESRCH otherwise
 1426  * Locks: none
 1427  * References: *u1 and *u2 must not change during the call
 1428  *             u1 may equal u2, in which case only one reference is required
 1429  */
 1430 static int
 1431 cr_seeothergids(struct ucred *u1, struct ucred *u2)
 1432 {
 1433         int i, match;
 1434         
 1435         if (!see_other_gids) {
 1436                 match = 0;
 1437                 for (i = 0; i < u1->cr_ngroups; i++) {
 1438                         if (groupmember(u1->cr_groups[i], u2))
 1439                                 match = 1;
 1440                         if (match)
 1441                                 break;
 1442                 }
 1443                 if (!match) {
 1444                         if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
 1445                                 return (ESRCH);
 1446                 }
 1447         }
 1448         return (0);
 1449 }
 1450 
 1451 /*-
 1452  * Determine if u1 "can see" the subject specified by u2.
 1453  * Returns: 0 for permitted, an errno value otherwise
 1454  * Locks: none
 1455  * References: *u1 and *u2 must not change during the call
 1456  *             u1 may equal u2, in which case only one reference is required
 1457  */
 1458 int
 1459 cr_cansee(struct ucred *u1, struct ucred *u2)
 1460 {
 1461         int error;
 1462 
 1463         if ((error = prison_check(u1, u2)))
 1464                 return (error);
 1465 #ifdef MAC
 1466         if ((error = mac_check_cred_visible(u1, u2)))
 1467                 return (error);
 1468 #endif
 1469         if ((error = cr_seeotheruids(u1, u2)))
 1470                 return (error);
 1471         if ((error = cr_seeothergids(u1, u2)))
 1472                 return (error);
 1473         return (0);
 1474 }
 1475 
 1476 /*-
 1477  * Determine if td "can see" the subject specified by p.
 1478  * Returns: 0 for permitted, an errno value otherwise
 1479  * Locks: Sufficient locks to protect p->p_ucred must be held.  td really
 1480  *        should be curthread.
 1481  * References: td and p must be valid for the lifetime of the call
 1482  */
 1483 int
 1484 p_cansee(struct thread *td, struct proc *p)
 1485 {
 1486 
 1487         /* Wrap cr_cansee() for all functionality. */
 1488         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1489         PROC_LOCK_ASSERT(p, MA_OWNED);
 1490         return (cr_cansee(td->td_ucred, p->p_ucred));
 1491 }
 1492 
 1493 /*
 1494  * 'conservative_signals' prevents the delivery of a broad class of
 1495  * signals by unprivileged processes to processes that have changed their
 1496  * credentials since the last invocation of execve().  This can prevent
 1497  * the leakage of cached information or retained privileges as a result
 1498  * of a common class of signal-related vulnerabilities.  However, this
 1499  * may interfere with some applications that expect to be able to
 1500  * deliver these signals to peer processes after having given up
 1501  * privilege.
 1502  */
 1503 static int      conservative_signals = 1;
 1504 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
 1505     &conservative_signals, 0, "Unprivileged processes prevented from "
 1506     "sending certain signals to processes whose credentials have changed");
 1507 /*-
 1508  * Determine whether cred may deliver the specified signal to proc.
 1509  * Returns: 0 for permitted, an errno value otherwise.
 1510  * Locks: A lock must be held for proc.
 1511  * References: cred and proc must be valid for the lifetime of the call.
 1512  */
 1513 int
 1514 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
 1515 {
 1516         int error;
 1517 
 1518         PROC_LOCK_ASSERT(proc, MA_OWNED);
 1519         /*
 1520          * Jail semantics limit the scope of signalling to proc in the
 1521          * same jail as cred, if cred is in jail.
 1522          */
 1523         error = prison_check(cred, proc->p_ucred);
 1524         if (error)
 1525                 return (error);
 1526 #ifdef MAC
 1527         if ((error = mac_check_proc_signal(cred, proc, signum)))
 1528                 return (error);
 1529 #endif
 1530         if ((error = cr_seeotheruids(cred, proc->p_ucred)))
 1531                 return (error);
 1532         if ((error = cr_seeothergids(cred, proc->p_ucred)))
 1533                 return (error);
 1534 
 1535         /*
 1536          * UNIX signal semantics depend on the status of the P_SUGID
 1537          * bit on the target process.  If the bit is set, then additional
 1538          * restrictions are placed on the set of available signals.
 1539          */
 1540         if (conservative_signals && (proc->p_flag & P_SUGID)) {
 1541                 switch (signum) {
 1542                 case 0:
 1543                 case SIGKILL:
 1544                 case SIGINT:
 1545                 case SIGTERM:
 1546                 case SIGALRM:
 1547                 case SIGSTOP:
 1548                 case SIGTTIN:
 1549                 case SIGTTOU:
 1550                 case SIGTSTP:
 1551                 case SIGHUP:
 1552                 case SIGUSR1:
 1553                 case SIGUSR2:
 1554                         /*
 1555                          * Generally, permit job and terminal control
 1556                          * signals.
 1557                          */
 1558                         break;
 1559                 default:
 1560                         /* Not permitted without privilege. */
 1561                         error = suser_cred(cred, SUSER_ALLOWJAIL);
 1562                         if (error)
 1563                                 return (error);
 1564                 }
 1565         }
 1566 
 1567         /*
 1568          * Generally, the target credential's ruid or svuid must match the
 1569          * subject credential's ruid or euid.
 1570          */
 1571         if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
 1572             cred->cr_ruid != proc->p_ucred->cr_svuid &&
 1573             cred->cr_uid != proc->p_ucred->cr_ruid &&
 1574             cred->cr_uid != proc->p_ucred->cr_svuid) {
 1575                 /* Not permitted without privilege. */
 1576                 error = suser_cred(cred, SUSER_ALLOWJAIL);
 1577                 if (error)
 1578                         return (error);
 1579         }
 1580 
 1581         return (0);
 1582 }
 1583 
 1584 
 1585 /*-
 1586  * Determine whether td may deliver the specified signal to p.
 1587  * Returns: 0 for permitted, an errno value otherwise
 1588  * Locks: Sufficient locks to protect various components of td and p
 1589  *        must be held.  td must be curthread, and a lock must be
 1590  *        held for p.
 1591  * References: td and p must be valid for the lifetime of the call
 1592  */
 1593 int
 1594 p_cansignal(struct thread *td, struct proc *p, int signum)
 1595 {
 1596 
 1597         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1598         PROC_LOCK_ASSERT(p, MA_OWNED);
 1599         if (td->td_proc == p)
 1600                 return (0);
 1601 
 1602         /*
 1603          * UNIX signalling semantics require that processes in the same
 1604          * session always be able to deliver SIGCONT to one another,
 1605          * overriding the remaining protections.
 1606          */
 1607         /* XXX: This will require an additional lock of some sort. */
 1608         if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
 1609                 return (0);
 1610         /*
 1611          * Some compat layers use SIGTHR and higher signals for
 1612          * communication between different kernel threads of the same
 1613          * process, so that they expect that it's always possible to
 1614          * deliver them, even for suid applications where cr_cansignal() can
 1615          * deny such ability for security consideration.  It should be
 1616          * pretty safe to do since the only way to create two processes
 1617          * with the same p_leader is via rfork(2).
 1618          */
 1619         if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
 1620             signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
 1621                 return (0);
 1622 
 1623         return (cr_cansignal(td->td_ucred, p, signum));
 1624 }
 1625 
 1626 /*-
 1627  * Determine whether td may reschedule p.
 1628  * Returns: 0 for permitted, an errno value otherwise
 1629  * Locks: Sufficient locks to protect various components of td and p
 1630  *        must be held.  td must be curthread, and a lock must
 1631  *        be held for p.
 1632  * References: td and p must be valid for the lifetime of the call
 1633  */
 1634 int
 1635 p_cansched(struct thread *td, struct proc *p)
 1636 {
 1637         int error;
 1638 
 1639         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1640         PROC_LOCK_ASSERT(p, MA_OWNED);
 1641         if (td->td_proc == p)
 1642                 return (0);
 1643         if ((error = prison_check(td->td_ucred, p->p_ucred)))
 1644                 return (error);
 1645 #ifdef MAC
 1646         if ((error = mac_check_proc_sched(td->td_ucred, p)))
 1647                 return (error);
 1648 #endif
 1649         if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 1650                 return (error);
 1651         if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
 1652                 return (error);
 1653         if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
 1654                 return (0);
 1655         if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
 1656                 return (0);
 1657         if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
 1658                 return (0);
 1659 
 1660 #ifdef CAPABILITIES
 1661         if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
 1662                 return (0);
 1663 #endif
 1664 
 1665         return (EPERM);
 1666 }
 1667 
 1668 /*
 1669  * The 'unprivileged_proc_debug' flag may be used to disable a variety of
 1670  * unprivileged inter-process debugging services, including some procfs
 1671  * functionality, ptrace(), and ktrace().  In the past, inter-process
 1672  * debugging has been involved in a variety of security problems, and sites
 1673  * not requiring the service might choose to disable it when hardening
 1674  * systems.
 1675  *
 1676  * XXX: Should modifying and reading this variable require locking?
 1677  * XXX: data declarations should be together near the beginning of the file.
 1678  */
 1679 static int      unprivileged_proc_debug = 1;
 1680 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
 1681     &unprivileged_proc_debug, 0,
 1682     "Unprivileged processes may use process debugging facilities");
 1683 
 1684 /*-
 1685  * Determine whether td may debug p.
 1686  * Returns: 0 for permitted, an errno value otherwise
 1687  * Locks: Sufficient locks to protect various components of td and p
 1688  *        must be held.  td must be curthread, and a lock must
 1689  *        be held for p.
 1690  * References: td and p must be valid for the lifetime of the call
 1691  */
 1692 int
 1693 p_candebug(struct thread *td, struct proc *p)
 1694 {
 1695         int credentialchanged, error, grpsubset, i, uidsubset;
 1696 
 1697         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1698         PROC_LOCK_ASSERT(p, MA_OWNED);
 1699         if (!unprivileged_proc_debug) {
 1700                 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
 1701                 if (error)
 1702                         return (error);
 1703         }
 1704         if (td->td_proc == p)
 1705                 return (0);
 1706         if ((error = prison_check(td->td_ucred, p->p_ucred)))
 1707                 return (error);
 1708 #ifdef MAC
 1709         if ((error = mac_check_proc_debug(td->td_ucred, p)))
 1710                 return (error);
 1711 #endif
 1712         if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 1713                 return (error);
 1714         if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
 1715                 return (error);
 1716 
 1717         /*
 1718          * Is p's group set a subset of td's effective group set?  This
 1719          * includes p's egid, group access list, rgid, and svgid.
 1720          */
 1721         grpsubset = 1;
 1722         for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
 1723                 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
 1724                         grpsubset = 0;
 1725                         break;
 1726                 }
 1727         }
 1728         grpsubset = grpsubset &&
 1729             groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
 1730             groupmember(p->p_ucred->cr_svgid, td->td_ucred);
 1731 
 1732         /*
 1733          * Are the uids present in p's credential equal to td's
 1734          * effective uid?  This includes p's euid, svuid, and ruid.
 1735          */
 1736         uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
 1737             td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
 1738             td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
 1739 
 1740         /*
 1741          * Has the credential of the process changed since the last exec()?
 1742          */
 1743         credentialchanged = (p->p_flag & P_SUGID);
 1744 
 1745         /*
 1746          * If p's gids aren't a subset, or the uids aren't a subset,
 1747          * or the credential has changed, require appropriate privilege
 1748          * for td to debug p.  For POSIX.1e capabilities, this will
 1749          * require CAP_SYS_PTRACE.
 1750          */
 1751         if (!grpsubset || !uidsubset || credentialchanged) {
 1752                 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
 1753                 if (error)
 1754                         return (error);
 1755         }
 1756 
 1757         /* Can't trace init when securelevel > 0. */
 1758         if (p == initproc) {
 1759                 error = securelevel_gt(td->td_ucred, 0);
 1760                 if (error)
 1761                         return (error);
 1762         }
 1763 
 1764         /*
 1765          * Can't trace a process that's currently exec'ing.
 1766          * XXX: Note, this is not a security policy decision, it's a
 1767          * basic correctness/functionality decision.  Therefore, this check
 1768          * should be moved to the caller's of p_candebug().
 1769          */
 1770         if ((p->p_flag & P_INEXEC) != 0)
 1771                 return (EAGAIN);
 1772 
 1773         return (0);
 1774 }
 1775 
 1776 /*-
 1777  * Determine whether the subject represented by cred can "see" a socket.
 1778  * Returns: 0 for permitted, ENOENT otherwise.
 1779  */
 1780 int
 1781 cr_canseesocket(struct ucred *cred, struct socket *so)
 1782 {
 1783         int error;
 1784 
 1785         error = prison_check(cred, so->so_cred);
 1786         if (error)
 1787                 return (ENOENT);
 1788 #ifdef MAC
 1789         SOCK_LOCK(so);
 1790         error = mac_check_socket_visible(cred, so);
 1791         SOCK_UNLOCK(so);
 1792         if (error)
 1793                 return (error);
 1794 #endif
 1795         if (cr_seeotheruids(cred, so->so_cred))
 1796                 return (ENOENT);
 1797         if (cr_seeothergids(cred, so->so_cred))
 1798                 return (ENOENT);
 1799 
 1800         return (0);
 1801 }
 1802 
 1803 /*-
 1804  * Determine whether td can wait for the exit of p.
 1805  * Returns: 0 for permitted, an errno value otherwise
 1806  * Locks: Sufficient locks to protect various components of td and p
 1807  *        must be held.  td must be curthread, and a lock must
 1808  *        be held for p.
 1809  * References: td and p must be valid for the lifetime of the call
 1810 
 1811  */
 1812 int
 1813 p_canwait(struct thread *td, struct proc *p)
 1814 {
 1815         int error;
 1816 
 1817         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1818         PROC_LOCK_ASSERT(p, MA_OWNED);
 1819         if ((error = prison_check(td->td_ucred, p->p_ucred)))
 1820                 return (error);
 1821 #ifdef MAC
 1822         if ((error = mac_check_proc_wait(td->td_ucred, p)))
 1823                 return (error);
 1824 #endif
 1825 #if 0
 1826         /* XXXMAC: This could have odd effects on some shells. */
 1827         if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 1828                 return (error);
 1829 #endif
 1830 
 1831         return (0);
 1832 }
 1833 
 1834 /*
 1835  * Allocate a zeroed cred structure.
 1836  * MPSAFE
 1837  */
 1838 struct ucred *
 1839 crget(void)
 1840 {
 1841         register struct ucred *cr;
 1842 
 1843         MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
 1844         cr->cr_ref = 1;
 1845         cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
 1846 #ifdef MAC
 1847         mac_init_cred(cr);
 1848 #endif
 1849         return (cr);
 1850 }
 1851 
 1852 /*
 1853  * Claim another reference to a ucred structure.
 1854  * MPSAFE
 1855  */
 1856 struct ucred *
 1857 crhold(struct ucred *cr)
 1858 {
 1859 
 1860         mtx_lock(cr->cr_mtxp);
 1861         cr->cr_ref++;
 1862         mtx_unlock(cr->cr_mtxp);
 1863         return (cr);
 1864 }
 1865 
 1866 /*
 1867  * Free a cred structure.
 1868  * Throws away space when ref count gets to 0.
 1869  * MPSAFE
 1870  */
 1871 void
 1872 crfree(struct ucred *cr)
 1873 {
 1874         struct mtx *mtxp = cr->cr_mtxp;
 1875 
 1876         mtx_lock(mtxp);
 1877         KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
 1878         if (--cr->cr_ref == 0) {
 1879                 mtx_unlock(mtxp);
 1880                 /*
 1881                  * Some callers of crget(), such as nfs_statfs(),
 1882                  * allocate a temporary credential, but don't
 1883                  * allocate a uidinfo structure.
 1884                  */
 1885                 if (cr->cr_uidinfo != NULL)
 1886                         uifree(cr->cr_uidinfo);
 1887                 if (cr->cr_ruidinfo != NULL)
 1888                         uifree(cr->cr_ruidinfo);
 1889                 /*
 1890                  * Free a prison, if any.
 1891                  */
 1892                 if (jailed(cr))
 1893                         prison_free(cr->cr_prison);
 1894 #ifdef MAC
 1895                 mac_destroy_cred(cr);
 1896 #endif
 1897                 FREE(cr, M_CRED);
 1898         } else {
 1899                 mtx_unlock(mtxp);
 1900         }
 1901 }
 1902 
 1903 /*
 1904  * Check to see if this ucred is shared.
 1905  * MPSAFE
 1906  */
 1907 int
 1908 crshared(struct ucred *cr)
 1909 {
 1910         int shared;
 1911 
 1912         mtx_lock(cr->cr_mtxp);
 1913         shared = (cr->cr_ref > 1);
 1914         mtx_unlock(cr->cr_mtxp);
 1915         return (shared);
 1916 }
 1917 
 1918 /*
 1919  * Copy a ucred's contents from a template.  Does not block.
 1920  * MPSAFE
 1921  */
 1922 void
 1923 crcopy(struct ucred *dest, struct ucred *src)
 1924 {
 1925 
 1926         KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
 1927         bcopy(&src->cr_startcopy, &dest->cr_startcopy,
 1928             (unsigned)((caddr_t)&src->cr_endcopy -
 1929                 (caddr_t)&src->cr_startcopy));
 1930         uihold(dest->cr_uidinfo);
 1931         uihold(dest->cr_ruidinfo);
 1932         if (jailed(dest))
 1933                 prison_hold(dest->cr_prison);
 1934 #ifdef MAC
 1935         mac_copy_cred(src, dest);
 1936 #endif
 1937 }
 1938 
 1939 /*
 1940  * Dup cred struct to a new held one.
 1941  * MPSAFE
 1942  */
 1943 struct ucred *
 1944 crdup(struct ucred *cr)
 1945 {
 1946         struct ucred *newcr;
 1947 
 1948         newcr = crget();
 1949         crcopy(newcr, cr);
 1950         return (newcr);
 1951 }
 1952 
 1953 /*
 1954  * Fill in a struct xucred based on a struct ucred.
 1955  * MPSAFE
 1956  */
 1957 void
 1958 cru2x(struct ucred *cr, struct xucred *xcr)
 1959 {
 1960 
 1961         bzero(xcr, sizeof(*xcr));
 1962         xcr->cr_version = XUCRED_VERSION;
 1963         xcr->cr_uid = cr->cr_uid;
 1964         xcr->cr_ngroups = cr->cr_ngroups;
 1965         bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
 1966 }
 1967 
 1968 /*
 1969  * small routine to swap a thread's current ucred for the correct one
 1970  * taken from the process.
 1971  * MPSAFE
 1972  */
 1973 void
 1974 cred_update_thread(struct thread *td)
 1975 {
 1976         struct proc *p;
 1977         struct ucred *cred;
 1978 
 1979         p = td->td_proc;
 1980         cred = td->td_ucred;
 1981         PROC_LOCK(p);
 1982         td->td_ucred = crhold(p->p_ucred);
 1983         PROC_UNLOCK(p);
 1984         if (cred != NULL)
 1985                 crfree(cred);
 1986 }
 1987 
 1988 /*
 1989  * Get login name, if available.
 1990  */
 1991 #ifndef _SYS_SYSPROTO_H_
 1992 struct getlogin_args {
 1993         char    *namebuf;
 1994         u_int   namelen;
 1995 };
 1996 #endif
 1997 /*
 1998  * MPSAFE
 1999  */
 2000 /* ARGSUSED */
 2001 int
 2002 getlogin(struct thread *td, struct getlogin_args *uap)
 2003 {
 2004         int error;
 2005         char login[MAXLOGNAME];
 2006         struct proc *p = td->td_proc;
 2007 
 2008         if (uap->namelen > MAXLOGNAME)
 2009                 uap->namelen = MAXLOGNAME;
 2010         PROC_LOCK(p);
 2011         SESS_LOCK(p->p_session);
 2012         bcopy(p->p_session->s_login, login, uap->namelen);
 2013         SESS_UNLOCK(p->p_session);
 2014         PROC_UNLOCK(p);
 2015         error = copyout(login, uap->namebuf, uap->namelen);
 2016         return(error);
 2017 }
 2018 
 2019 /*
 2020  * Set login name.
 2021  */
 2022 #ifndef _SYS_SYSPROTO_H_
 2023 struct setlogin_args {
 2024         char    *namebuf;
 2025 };
 2026 #endif
 2027 /*
 2028  * MPSAFE
 2029  */
 2030 /* ARGSUSED */
 2031 int
 2032 setlogin(struct thread *td, struct setlogin_args *uap)
 2033 {
 2034         struct proc *p = td->td_proc;
 2035         int error;
 2036         char logintmp[MAXLOGNAME];
 2037 
 2038         error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
 2039         if (error)
 2040                 return (error);
 2041         error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
 2042         if (error == ENAMETOOLONG)
 2043                 error = EINVAL;
 2044         else if (!error) {
 2045                 PROC_LOCK(p);
 2046                 SESS_LOCK(p->p_session);
 2047                 (void) memcpy(p->p_session->s_login, logintmp,
 2048                     sizeof(logintmp));
 2049                 SESS_UNLOCK(p->p_session);
 2050                 PROC_UNLOCK(p);
 2051         }
 2052         return (error);
 2053 }
 2054 
 2055 void
 2056 setsugid(struct proc *p)
 2057 {
 2058 
 2059         PROC_LOCK_ASSERT(p, MA_OWNED);
 2060         p->p_flag |= P_SUGID;
 2061         if (!(p->p_pfsflags & PF_ISUGID))
 2062                 p->p_stops = 0;
 2063 }
 2064 
 2065 /*-
 2066  * Change a process's effective uid.
 2067  * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
 2068  * References: newcred must be an exclusive credential reference for the
 2069  *             duration of the call.
 2070  */
 2071 void
 2072 change_euid(struct ucred *newcred, struct uidinfo *euip)
 2073 {
 2074 
 2075         newcred->cr_uid = euip->ui_uid;
 2076         uihold(euip);
 2077         uifree(newcred->cr_uidinfo);
 2078         newcred->cr_uidinfo = euip;
 2079 }
 2080 
 2081 /*-
 2082  * Change a process's effective gid.
 2083  * Side effects: newcred->cr_gid will be modified.
 2084  * References: newcred must be an exclusive credential reference for the
 2085  *             duration of the call.
 2086  */
 2087 void
 2088 change_egid(struct ucred *newcred, gid_t egid)
 2089 {
 2090 
 2091         newcred->cr_groups[0] = egid;
 2092 }
 2093 
 2094 /*-
 2095  * Change a process's real uid.
 2096  * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 2097  *               will be updated, and the old and new cr_ruidinfo proc
 2098  *               counts will be updated.
 2099  * References: newcred must be an exclusive credential reference for the
 2100  *             duration of the call.
 2101  */
 2102 void
 2103 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
 2104 {
 2105 
 2106         (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
 2107         newcred->cr_ruid = ruip->ui_uid;
 2108         uihold(ruip);
 2109         uifree(newcred->cr_ruidinfo);
 2110         newcred->cr_ruidinfo = ruip;
 2111         (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
 2112 }
 2113 
 2114 /*-
 2115  * Change a process's real gid.
 2116  * Side effects: newcred->cr_rgid will be updated.
 2117  * References: newcred must be an exclusive credential reference for the
 2118  *             duration of the call.
 2119  */
 2120 void
 2121 change_rgid(struct ucred *newcred, gid_t rgid)
 2122 {
 2123 
 2124         newcred->cr_rgid = rgid;
 2125 }
 2126 
 2127 /*-
 2128  * Change a process's saved uid.
 2129  * Side effects: newcred->cr_svuid will be updated.
 2130  * References: newcred must be an exclusive credential reference for the
 2131  *             duration of the call.
 2132  */
 2133 void
 2134 change_svuid(struct ucred *newcred, uid_t svuid)
 2135 {
 2136 
 2137         newcred->cr_svuid = svuid;
 2138 }
 2139 
 2140 /*-
 2141  * Change a process's saved gid.
 2142  * Side effects: newcred->cr_svgid will be updated.
 2143  * References: newcred must be an exclusive credential reference for the
 2144  *             duration of the call.
 2145  */
 2146 void
 2147 change_svgid(struct ucred *newcred, gid_t svgid)
 2148 {
 2149 
 2150         newcred->cr_svgid = svgid;
 2151 }

Cache object: 17e5bbb81bf466cfc65f739a9e064822


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.