FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*-
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 4. Neither the name of the University nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
36 */
37
38 /*
39 * System calls related to processes and protection
40 */
41
42 #include <sys/cdefs.h>
43 __FBSDID("$FreeBSD: releng/6.2/sys/kern/kern_prot.c 164286 2006-11-14 20:42:41Z cvs2svn $");
44
45 #include "opt_compat.h"
46 #include "opt_mac.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/acct.h>
51 #include <sys/kdb.h>
52 #include <sys/kernel.h>
53 #include <sys/lock.h>
54 #include <sys/mac.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
57 #include <sys/sx.h>
58 #include <sys/proc.h>
59 #include <sys/sysproto.h>
60 #include <sys/jail.h>
61 #include <sys/pioctl.h>
62 #include <sys/resourcevar.h>
63 #include <sys/socket.h>
64 #include <sys/socketvar.h>
65 #include <sys/sysctl.h>
66
67 #include <security/audit/audit.h>
68
69 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
70
71 SYSCTL_DECL(_security);
72 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
73 "BSD security policy");
74
75 #ifndef _SYS_SYSPROTO_H_
76 struct getpid_args {
77 int dummy;
78 };
79 #endif
80 /*
81 * MPSAFE
82 */
83 /* ARGSUSED */
84 int
85 getpid(struct thread *td, struct getpid_args *uap)
86 {
87 struct proc *p = td->td_proc;
88
89 td->td_retval[0] = p->p_pid;
90 #if defined(COMPAT_43)
91 PROC_LOCK(p);
92 td->td_retval[1] = p->p_pptr->p_pid;
93 PROC_UNLOCK(p);
94 #endif
95 return (0);
96 }
97
98 #ifndef _SYS_SYSPROTO_H_
99 struct getppid_args {
100 int dummy;
101 };
102 #endif
103 /*
104 * MPSAFE
105 */
106 /* ARGSUSED */
107 int
108 getppid(struct thread *td, struct getppid_args *uap)
109 {
110 struct proc *p = td->td_proc;
111
112 PROC_LOCK(p);
113 td->td_retval[0] = p->p_pptr->p_pid;
114 PROC_UNLOCK(p);
115 return (0);
116 }
117
118 /*
119 * Get process group ID; note that POSIX getpgrp takes no parameter.
120 */
121 #ifndef _SYS_SYSPROTO_H_
122 struct getpgrp_args {
123 int dummy;
124 };
125 #endif
126 /*
127 * MPSAFE
128 */
129 int
130 getpgrp(struct thread *td, struct getpgrp_args *uap)
131 {
132 struct proc *p = td->td_proc;
133
134 PROC_LOCK(p);
135 td->td_retval[0] = p->p_pgrp->pg_id;
136 PROC_UNLOCK(p);
137 return (0);
138 }
139
140 /* Get an arbitary pid's process group id */
141 #ifndef _SYS_SYSPROTO_H_
142 struct getpgid_args {
143 pid_t pid;
144 };
145 #endif
146 /*
147 * MPSAFE
148 */
149 int
150 getpgid(struct thread *td, struct getpgid_args *uap)
151 {
152 struct proc *p;
153 int error;
154
155 if (uap->pid == 0) {
156 p = td->td_proc;
157 PROC_LOCK(p);
158 } else {
159 p = pfind(uap->pid);
160 if (p == NULL)
161 return (ESRCH);
162 error = p_cansee(td, p);
163 if (error) {
164 PROC_UNLOCK(p);
165 return (error);
166 }
167 }
168 td->td_retval[0] = p->p_pgrp->pg_id;
169 PROC_UNLOCK(p);
170 return (0);
171 }
172
173 /*
174 * Get an arbitary pid's session id.
175 */
176 #ifndef _SYS_SYSPROTO_H_
177 struct getsid_args {
178 pid_t pid;
179 };
180 #endif
181 /*
182 * MPSAFE
183 */
184 int
185 getsid(struct thread *td, struct getsid_args *uap)
186 {
187 struct proc *p;
188 int error;
189
190 if (uap->pid == 0) {
191 p = td->td_proc;
192 PROC_LOCK(p);
193 } else {
194 p = pfind(uap->pid);
195 if (p == NULL)
196 return (ESRCH);
197 error = p_cansee(td, p);
198 if (error) {
199 PROC_UNLOCK(p);
200 return (error);
201 }
202 }
203 td->td_retval[0] = p->p_session->s_sid;
204 PROC_UNLOCK(p);
205 return (0);
206 }
207
208 #ifndef _SYS_SYSPROTO_H_
209 struct getuid_args {
210 int dummy;
211 };
212 #endif
213 /*
214 * MPSAFE
215 */
216 /* ARGSUSED */
217 int
218 getuid(struct thread *td, struct getuid_args *uap)
219 {
220
221 td->td_retval[0] = td->td_ucred->cr_ruid;
222 #if defined(COMPAT_43)
223 td->td_retval[1] = td->td_ucred->cr_uid;
224 #endif
225 return (0);
226 }
227
228 #ifndef _SYS_SYSPROTO_H_
229 struct geteuid_args {
230 int dummy;
231 };
232 #endif
233 /*
234 * MPSAFE
235 */
236 /* ARGSUSED */
237 int
238 geteuid(struct thread *td, struct geteuid_args *uap)
239 {
240
241 td->td_retval[0] = td->td_ucred->cr_uid;
242 return (0);
243 }
244
245 #ifndef _SYS_SYSPROTO_H_
246 struct getgid_args {
247 int dummy;
248 };
249 #endif
250 /*
251 * MPSAFE
252 */
253 /* ARGSUSED */
254 int
255 getgid(struct thread *td, struct getgid_args *uap)
256 {
257
258 td->td_retval[0] = td->td_ucred->cr_rgid;
259 #if defined(COMPAT_43)
260 td->td_retval[1] = td->td_ucred->cr_groups[0];
261 #endif
262 return (0);
263 }
264
265 /*
266 * Get effective group ID. The "egid" is groups[0], and could be obtained
267 * via getgroups. This syscall exists because it is somewhat painful to do
268 * correctly in a library function.
269 */
270 #ifndef _SYS_SYSPROTO_H_
271 struct getegid_args {
272 int dummy;
273 };
274 #endif
275 /*
276 * MPSAFE
277 */
278 /* ARGSUSED */
279 int
280 getegid(struct thread *td, struct getegid_args *uap)
281 {
282
283 td->td_retval[0] = td->td_ucred->cr_groups[0];
284 return (0);
285 }
286
287 #ifndef _SYS_SYSPROTO_H_
288 struct getgroups_args {
289 u_int gidsetsize;
290 gid_t *gidset;
291 };
292 #endif
293 /*
294 * MPSAFE
295 */
296 int
297 getgroups(struct thread *td, register struct getgroups_args *uap)
298 {
299 struct ucred *cred;
300 u_int ngrp;
301 int error;
302
303 cred = td->td_ucred;
304 if ((ngrp = uap->gidsetsize) == 0) {
305 td->td_retval[0] = cred->cr_ngroups;
306 return (0);
307 }
308 if (ngrp < cred->cr_ngroups)
309 return (EINVAL);
310 ngrp = cred->cr_ngroups;
311 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
312 if (error == 0)
313 td->td_retval[0] = ngrp;
314 return (error);
315 }
316
317 #ifndef _SYS_SYSPROTO_H_
318 struct setsid_args {
319 int dummy;
320 };
321 #endif
322 /*
323 * MPSAFE
324 */
325 /* ARGSUSED */
326 int
327 setsid(register struct thread *td, struct setsid_args *uap)
328 {
329 struct pgrp *pgrp;
330 int error;
331 struct proc *p = td->td_proc;
332 struct pgrp *newpgrp;
333 struct session *newsess;
334
335 error = 0;
336 pgrp = NULL;
337
338 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
339 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
340
341 sx_xlock(&proctree_lock);
342
343 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
344 if (pgrp != NULL)
345 PGRP_UNLOCK(pgrp);
346 error = EPERM;
347 } else {
348 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
349 td->td_retval[0] = p->p_pid;
350 newpgrp = NULL;
351 newsess = NULL;
352 }
353
354 sx_xunlock(&proctree_lock);
355
356 if (newpgrp != NULL)
357 FREE(newpgrp, M_PGRP);
358 if (newsess != NULL)
359 FREE(newsess, M_SESSION);
360
361 return (error);
362 }
363
364 /*
365 * set process group (setpgid/old setpgrp)
366 *
367 * caller does setpgid(targpid, targpgid)
368 *
369 * pid must be caller or child of caller (ESRCH)
370 * if a child
371 * pid must be in same session (EPERM)
372 * pid can't have done an exec (EACCES)
373 * if pgid != pid
374 * there must exist some pid in same session having pgid (EPERM)
375 * pid must not be session leader (EPERM)
376 */
377 #ifndef _SYS_SYSPROTO_H_
378 struct setpgid_args {
379 int pid; /* target process id */
380 int pgid; /* target pgrp id */
381 };
382 #endif
383 /*
384 * MPSAFE
385 */
386 /* ARGSUSED */
387 int
388 setpgid(struct thread *td, register struct setpgid_args *uap)
389 {
390 struct proc *curp = td->td_proc;
391 register struct proc *targp; /* target process */
392 register struct pgrp *pgrp; /* target pgrp */
393 int error;
394 struct pgrp *newpgrp;
395
396 if (uap->pgid < 0)
397 return (EINVAL);
398
399 error = 0;
400
401 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
402
403 sx_xlock(&proctree_lock);
404 if (uap->pid != 0 && uap->pid != curp->p_pid) {
405 if ((targp = pfind(uap->pid)) == NULL) {
406 error = ESRCH;
407 goto done;
408 }
409 if (!inferior(targp)) {
410 PROC_UNLOCK(targp);
411 error = ESRCH;
412 goto done;
413 }
414 if ((error = p_cansee(td, targp))) {
415 PROC_UNLOCK(targp);
416 goto done;
417 }
418 if (targp->p_pgrp == NULL ||
419 targp->p_session != curp->p_session) {
420 PROC_UNLOCK(targp);
421 error = EPERM;
422 goto done;
423 }
424 if (targp->p_flag & P_EXEC) {
425 PROC_UNLOCK(targp);
426 error = EACCES;
427 goto done;
428 }
429 PROC_UNLOCK(targp);
430 } else
431 targp = curp;
432 if (SESS_LEADER(targp)) {
433 error = EPERM;
434 goto done;
435 }
436 if (uap->pgid == 0)
437 uap->pgid = targp->p_pid;
438 if ((pgrp = pgfind(uap->pgid)) == NULL) {
439 if (uap->pgid == targp->p_pid) {
440 error = enterpgrp(targp, uap->pgid, newpgrp,
441 NULL);
442 if (error == 0)
443 newpgrp = NULL;
444 } else
445 error = EPERM;
446 } else {
447 if (pgrp == targp->p_pgrp) {
448 PGRP_UNLOCK(pgrp);
449 goto done;
450 }
451 if (pgrp->pg_id != targp->p_pid &&
452 pgrp->pg_session != curp->p_session) {
453 PGRP_UNLOCK(pgrp);
454 error = EPERM;
455 goto done;
456 }
457 PGRP_UNLOCK(pgrp);
458 error = enterthispgrp(targp, pgrp);
459 }
460 done:
461 sx_xunlock(&proctree_lock);
462 KASSERT((error == 0) || (newpgrp != NULL),
463 ("setpgid failed and newpgrp is NULL"));
464 if (newpgrp != NULL)
465 FREE(newpgrp, M_PGRP);
466 return (error);
467 }
468
469 /*
470 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
471 * compatible. It says that setting the uid/gid to euid/egid is a special
472 * case of "appropriate privilege". Once the rules are expanded out, this
473 * basically means that setuid(nnn) sets all three id's, in all permitted
474 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
475 * does not set the saved id - this is dangerous for traditional BSD
476 * programs. For this reason, we *really* do not want to set
477 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
478 */
479 #define POSIX_APPENDIX_B_4_2_2
480
481 #ifndef _SYS_SYSPROTO_H_
482 struct setuid_args {
483 uid_t uid;
484 };
485 #endif
486 /*
487 * MPSAFE
488 */
489 /* ARGSUSED */
490 int
491 setuid(struct thread *td, struct setuid_args *uap)
492 {
493 struct proc *p = td->td_proc;
494 struct ucred *newcred, *oldcred;
495 uid_t uid;
496 struct uidinfo *uip;
497 int error;
498
499 uid = uap->uid;
500 AUDIT_ARG(uid, uid);
501 newcred = crget();
502 uip = uifind(uid);
503 PROC_LOCK(p);
504 oldcred = p->p_ucred;
505
506 #ifdef MAC
507 error = mac_check_proc_setuid(p, oldcred, uid);
508 if (error)
509 goto fail;
510 #endif
511
512 /*
513 * See if we have "permission" by POSIX 1003.1 rules.
514 *
515 * Note that setuid(geteuid()) is a special case of
516 * "appropriate privileges" in appendix B.4.2.2. We need
517 * to use this clause to be compatible with traditional BSD
518 * semantics. Basically, it means that "setuid(xx)" sets all
519 * three id's (assuming you have privs).
520 *
521 * Notes on the logic. We do things in three steps.
522 * 1: We determine if the euid is going to change, and do EPERM
523 * right away. We unconditionally change the euid later if this
524 * test is satisfied, simplifying that part of the logic.
525 * 2: We determine if the real and/or saved uids are going to
526 * change. Determined by compile options.
527 * 3: Change euid last. (after tests in #2 for "appropriate privs")
528 */
529 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
530 #ifdef _POSIX_SAVED_IDS
531 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
532 #endif
533 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
534 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
535 #endif
536 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
537 goto fail;
538
539 /*
540 * Copy credentials so other references do not see our changes.
541 */
542 crcopy(newcred, oldcred);
543 #ifdef _POSIX_SAVED_IDS
544 /*
545 * Do we have "appropriate privileges" (are we root or uid == euid)
546 * If so, we are changing the real uid and/or saved uid.
547 */
548 if (
549 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
550 uid == oldcred->cr_uid ||
551 #endif
552 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
553 #endif
554 {
555 /*
556 * Set the real uid and transfer proc count to new user.
557 */
558 if (uid != oldcred->cr_ruid) {
559 change_ruid(newcred, uip);
560 setsugid(p);
561 }
562 /*
563 * Set saved uid
564 *
565 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
566 * the security of seteuid() depends on it. B.4.2.2 says it
567 * is important that we should do this.
568 */
569 if (uid != oldcred->cr_svuid) {
570 change_svuid(newcred, uid);
571 setsugid(p);
572 }
573 }
574
575 /*
576 * In all permitted cases, we are changing the euid.
577 */
578 if (uid != oldcred->cr_uid) {
579 change_euid(newcred, uip);
580 setsugid(p);
581 }
582 p->p_ucred = newcred;
583 PROC_UNLOCK(p);
584 uifree(uip);
585 crfree(oldcred);
586 return (0);
587
588 fail:
589 PROC_UNLOCK(p);
590 uifree(uip);
591 crfree(newcred);
592 return (error);
593 }
594
595 #ifndef _SYS_SYSPROTO_H_
596 struct seteuid_args {
597 uid_t euid;
598 };
599 #endif
600 /*
601 * MPSAFE
602 */
603 /* ARGSUSED */
604 int
605 seteuid(struct thread *td, struct seteuid_args *uap)
606 {
607 struct proc *p = td->td_proc;
608 struct ucred *newcred, *oldcred;
609 uid_t euid;
610 struct uidinfo *euip;
611 int error;
612
613 euid = uap->euid;
614 AUDIT_ARG(euid, euid);
615 newcred = crget();
616 euip = uifind(euid);
617 PROC_LOCK(p);
618 oldcred = p->p_ucred;
619
620 #ifdef MAC
621 error = mac_check_proc_seteuid(p, oldcred, euid);
622 if (error)
623 goto fail;
624 #endif
625
626 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
627 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
628 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
629 goto fail;
630
631 /*
632 * Everything's okay, do it. Copy credentials so other references do
633 * not see our changes.
634 */
635 crcopy(newcred, oldcred);
636 if (oldcred->cr_uid != euid) {
637 change_euid(newcred, euip);
638 setsugid(p);
639 }
640 p->p_ucred = newcred;
641 PROC_UNLOCK(p);
642 uifree(euip);
643 crfree(oldcred);
644 return (0);
645
646 fail:
647 PROC_UNLOCK(p);
648 uifree(euip);
649 crfree(newcred);
650 return (error);
651 }
652
653 #ifndef _SYS_SYSPROTO_H_
654 struct setgid_args {
655 gid_t gid;
656 };
657 #endif
658 /*
659 * MPSAFE
660 */
661 /* ARGSUSED */
662 int
663 setgid(struct thread *td, struct setgid_args *uap)
664 {
665 struct proc *p = td->td_proc;
666 struct ucred *newcred, *oldcred;
667 gid_t gid;
668 int error;
669
670 gid = uap->gid;
671 AUDIT_ARG(gid, gid);
672 newcred = crget();
673 PROC_LOCK(p);
674 oldcred = p->p_ucred;
675
676 #ifdef MAC
677 error = mac_check_proc_setgid(p, oldcred, gid);
678 if (error)
679 goto fail;
680 #endif
681
682 /*
683 * See if we have "permission" by POSIX 1003.1 rules.
684 *
685 * Note that setgid(getegid()) is a special case of
686 * "appropriate privileges" in appendix B.4.2.2. We need
687 * to use this clause to be compatible with traditional BSD
688 * semantics. Basically, it means that "setgid(xx)" sets all
689 * three id's (assuming you have privs).
690 *
691 * For notes on the logic here, see setuid() above.
692 */
693 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
694 #ifdef _POSIX_SAVED_IDS
695 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
696 #endif
697 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
698 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
699 #endif
700 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
701 goto fail;
702
703 crcopy(newcred, oldcred);
704 #ifdef _POSIX_SAVED_IDS
705 /*
706 * Do we have "appropriate privileges" (are we root or gid == egid)
707 * If so, we are changing the real uid and saved gid.
708 */
709 if (
710 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
711 gid == oldcred->cr_groups[0] ||
712 #endif
713 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
714 #endif
715 {
716 /*
717 * Set real gid
718 */
719 if (oldcred->cr_rgid != gid) {
720 change_rgid(newcred, gid);
721 setsugid(p);
722 }
723 /*
724 * Set saved gid
725 *
726 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
727 * the security of setegid() depends on it. B.4.2.2 says it
728 * is important that we should do this.
729 */
730 if (oldcred->cr_svgid != gid) {
731 change_svgid(newcred, gid);
732 setsugid(p);
733 }
734 }
735 /*
736 * In all cases permitted cases, we are changing the egid.
737 * Copy credentials so other references do not see our changes.
738 */
739 if (oldcred->cr_groups[0] != gid) {
740 change_egid(newcred, gid);
741 setsugid(p);
742 }
743 p->p_ucred = newcred;
744 PROC_UNLOCK(p);
745 crfree(oldcred);
746 return (0);
747
748 fail:
749 PROC_UNLOCK(p);
750 crfree(newcred);
751 return (error);
752 }
753
754 #ifndef _SYS_SYSPROTO_H_
755 struct setegid_args {
756 gid_t egid;
757 };
758 #endif
759 /*
760 * MPSAFE
761 */
762 /* ARGSUSED */
763 int
764 setegid(struct thread *td, struct setegid_args *uap)
765 {
766 struct proc *p = td->td_proc;
767 struct ucred *newcred, *oldcred;
768 gid_t egid;
769 int error;
770
771 egid = uap->egid;
772 AUDIT_ARG(egid, egid);
773 newcred = crget();
774 PROC_LOCK(p);
775 oldcred = p->p_ucred;
776
777 #ifdef MAC
778 error = mac_check_proc_setegid(p, oldcred, egid);
779 if (error)
780 goto fail;
781 #endif
782
783 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
784 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
785 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
786 goto fail;
787
788 crcopy(newcred, oldcred);
789 if (oldcred->cr_groups[0] != egid) {
790 change_egid(newcred, egid);
791 setsugid(p);
792 }
793 p->p_ucred = newcred;
794 PROC_UNLOCK(p);
795 crfree(oldcred);
796 return (0);
797
798 fail:
799 PROC_UNLOCK(p);
800 crfree(newcred);
801 return (error);
802 }
803
804 #ifndef _SYS_SYSPROTO_H_
805 struct setgroups_args {
806 u_int gidsetsize;
807 gid_t *gidset;
808 };
809 #endif
810 /*
811 * MPSAFE
812 */
813 /* ARGSUSED */
814 int
815 setgroups(struct thread *td, struct setgroups_args *uap)
816 {
817 struct proc *p = td->td_proc;
818 struct ucred *newcred, *tempcred, *oldcred;
819 u_int ngrp;
820 int error;
821
822 ngrp = uap->gidsetsize;
823 if (ngrp > NGROUPS)
824 return (EINVAL);
825 tempcred = crget();
826 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
827 if (error != 0) {
828 crfree(tempcred);
829 return (error);
830 }
831 AUDIT_ARG(groupset, tempcred->cr_groups, ngrp);
832 newcred = crget();
833 PROC_LOCK(p);
834 oldcred = p->p_ucred;
835
836 #ifdef MAC
837 error = mac_check_proc_setgroups(p, oldcred, ngrp,
838 tempcred->cr_groups);
839 if (error)
840 goto fail;
841 #endif
842
843 error = suser_cred(oldcred, SUSER_ALLOWJAIL);
844 if (error)
845 goto fail;
846
847 /*
848 * XXX A little bit lazy here. We could test if anything has
849 * changed before crcopy() and setting P_SUGID.
850 */
851 crcopy(newcred, oldcred);
852 if (ngrp < 1) {
853 /*
854 * setgroups(0, NULL) is a legitimate way of clearing the
855 * groups vector on non-BSD systems (which generally do not
856 * have the egid in the groups[0]). We risk security holes
857 * when running non-BSD software if we do not do the same.
858 */
859 newcred->cr_ngroups = 1;
860 } else {
861 bcopy(tempcred->cr_groups, newcred->cr_groups,
862 ngrp * sizeof(gid_t));
863 newcred->cr_ngroups = ngrp;
864 }
865 setsugid(p);
866 p->p_ucred = newcred;
867 PROC_UNLOCK(p);
868 crfree(tempcred);
869 crfree(oldcred);
870 return (0);
871
872 fail:
873 PROC_UNLOCK(p);
874 crfree(newcred);
875 crfree(tempcred);
876 return (error);
877 }
878
879 #ifndef _SYS_SYSPROTO_H_
880 struct setreuid_args {
881 uid_t ruid;
882 uid_t euid;
883 };
884 #endif
885 /*
886 * MPSAFE
887 */
888 /* ARGSUSED */
889 int
890 setreuid(register struct thread *td, struct setreuid_args *uap)
891 {
892 struct proc *p = td->td_proc;
893 struct ucred *newcred, *oldcred;
894 uid_t euid, ruid;
895 struct uidinfo *euip, *ruip;
896 int error;
897
898 euid = uap->euid;
899 ruid = uap->ruid;
900 AUDIT_ARG(euid, euid);
901 AUDIT_ARG(ruid, ruid);
902 newcred = crget();
903 euip = uifind(euid);
904 ruip = uifind(ruid);
905 PROC_LOCK(p);
906 oldcred = p->p_ucred;
907
908 #ifdef MAC
909 error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
910 if (error)
911 goto fail;
912 #endif
913
914 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
915 ruid != oldcred->cr_svuid) ||
916 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
917 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
918 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
919 goto fail;
920
921 crcopy(newcred, oldcred);
922 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
923 change_euid(newcred, euip);
924 setsugid(p);
925 }
926 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
927 change_ruid(newcred, ruip);
928 setsugid(p);
929 }
930 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
931 newcred->cr_svuid != newcred->cr_uid) {
932 change_svuid(newcred, newcred->cr_uid);
933 setsugid(p);
934 }
935 p->p_ucred = newcred;
936 PROC_UNLOCK(p);
937 uifree(ruip);
938 uifree(euip);
939 crfree(oldcred);
940 return (0);
941
942 fail:
943 PROC_UNLOCK(p);
944 uifree(ruip);
945 uifree(euip);
946 crfree(newcred);
947 return (error);
948 }
949
950 #ifndef _SYS_SYSPROTO_H_
951 struct setregid_args {
952 gid_t rgid;
953 gid_t egid;
954 };
955 #endif
956 /*
957 * MPSAFE
958 */
959 /* ARGSUSED */
960 int
961 setregid(register struct thread *td, struct setregid_args *uap)
962 {
963 struct proc *p = td->td_proc;
964 struct ucred *newcred, *oldcred;
965 gid_t egid, rgid;
966 int error;
967
968 egid = uap->egid;
969 rgid = uap->rgid;
970 AUDIT_ARG(egid, egid);
971 AUDIT_ARG(rgid, rgid);
972 newcred = crget();
973 PROC_LOCK(p);
974 oldcred = p->p_ucred;
975
976 #ifdef MAC
977 error = mac_check_proc_setregid(p, oldcred, rgid, egid);
978 if (error)
979 goto fail;
980 #endif
981
982 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
983 rgid != oldcred->cr_svgid) ||
984 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
985 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
986 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
987 goto fail;
988
989 crcopy(newcred, oldcred);
990 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
991 change_egid(newcred, egid);
992 setsugid(p);
993 }
994 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
995 change_rgid(newcred, rgid);
996 setsugid(p);
997 }
998 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
999 newcred->cr_svgid != newcred->cr_groups[0]) {
1000 change_svgid(newcred, newcred->cr_groups[0]);
1001 setsugid(p);
1002 }
1003 p->p_ucred = newcred;
1004 PROC_UNLOCK(p);
1005 crfree(oldcred);
1006 return (0);
1007
1008 fail:
1009 PROC_UNLOCK(p);
1010 crfree(newcred);
1011 return (error);
1012 }
1013
1014 /*
1015 * setresuid(ruid, euid, suid) is like setreuid except control over the
1016 * saved uid is explicit.
1017 */
1018
1019 #ifndef _SYS_SYSPROTO_H_
1020 struct setresuid_args {
1021 uid_t ruid;
1022 uid_t euid;
1023 uid_t suid;
1024 };
1025 #endif
1026 /*
1027 * MPSAFE
1028 */
1029 /* ARGSUSED */
1030 int
1031 setresuid(register struct thread *td, struct setresuid_args *uap)
1032 {
1033 struct proc *p = td->td_proc;
1034 struct ucred *newcred, *oldcred;
1035 uid_t euid, ruid, suid;
1036 struct uidinfo *euip, *ruip;
1037 int error;
1038
1039 euid = uap->euid;
1040 ruid = uap->ruid;
1041 suid = uap->suid;
1042 AUDIT_ARG(euid, euid);
1043 AUDIT_ARG(ruid, ruid);
1044 AUDIT_ARG(suid, suid);
1045 newcred = crget();
1046 euip = uifind(euid);
1047 ruip = uifind(ruid);
1048 PROC_LOCK(p);
1049 oldcred = p->p_ucred;
1050
1051 #ifdef MAC
1052 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
1053 if (error)
1054 goto fail;
1055 #endif
1056
1057 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1058 ruid != oldcred->cr_svuid &&
1059 ruid != oldcred->cr_uid) ||
1060 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1061 euid != oldcred->cr_svuid &&
1062 euid != oldcred->cr_uid) ||
1063 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1064 suid != oldcred->cr_svuid &&
1065 suid != oldcred->cr_uid)) &&
1066 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1067 goto fail;
1068
1069 crcopy(newcred, oldcred);
1070 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1071 change_euid(newcred, euip);
1072 setsugid(p);
1073 }
1074 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1075 change_ruid(newcred, ruip);
1076 setsugid(p);
1077 }
1078 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1079 change_svuid(newcred, suid);
1080 setsugid(p);
1081 }
1082 p->p_ucred = newcred;
1083 PROC_UNLOCK(p);
1084 uifree(ruip);
1085 uifree(euip);
1086 crfree(oldcred);
1087 return (0);
1088
1089 fail:
1090 PROC_UNLOCK(p);
1091 uifree(ruip);
1092 uifree(euip);
1093 crfree(newcred);
1094 return (error);
1095
1096 }
1097
1098 /*
1099 * setresgid(rgid, egid, sgid) is like setregid except control over the
1100 * saved gid is explicit.
1101 */
1102
1103 #ifndef _SYS_SYSPROTO_H_
1104 struct setresgid_args {
1105 gid_t rgid;
1106 gid_t egid;
1107 gid_t sgid;
1108 };
1109 #endif
1110 /*
1111 * MPSAFE
1112 */
1113 /* ARGSUSED */
1114 int
1115 setresgid(register struct thread *td, struct setresgid_args *uap)
1116 {
1117 struct proc *p = td->td_proc;
1118 struct ucred *newcred, *oldcred;
1119 gid_t egid, rgid, sgid;
1120 int error;
1121
1122 egid = uap->egid;
1123 rgid = uap->rgid;
1124 sgid = uap->sgid;
1125 AUDIT_ARG(egid, egid);
1126 AUDIT_ARG(rgid, rgid);
1127 AUDIT_ARG(sgid, sgid);
1128 newcred = crget();
1129 PROC_LOCK(p);
1130 oldcred = p->p_ucred;
1131
1132 #ifdef MAC
1133 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
1134 if (error)
1135 goto fail;
1136 #endif
1137
1138 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1139 rgid != oldcred->cr_svgid &&
1140 rgid != oldcred->cr_groups[0]) ||
1141 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1142 egid != oldcred->cr_svgid &&
1143 egid != oldcred->cr_groups[0]) ||
1144 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1145 sgid != oldcred->cr_svgid &&
1146 sgid != oldcred->cr_groups[0])) &&
1147 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1148 goto fail;
1149
1150 crcopy(newcred, oldcred);
1151 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1152 change_egid(newcred, egid);
1153 setsugid(p);
1154 }
1155 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1156 change_rgid(newcred, rgid);
1157 setsugid(p);
1158 }
1159 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1160 change_svgid(newcred, sgid);
1161 setsugid(p);
1162 }
1163 p->p_ucred = newcred;
1164 PROC_UNLOCK(p);
1165 crfree(oldcred);
1166 return (0);
1167
1168 fail:
1169 PROC_UNLOCK(p);
1170 crfree(newcred);
1171 return (error);
1172 }
1173
1174 #ifndef _SYS_SYSPROTO_H_
1175 struct getresuid_args {
1176 uid_t *ruid;
1177 uid_t *euid;
1178 uid_t *suid;
1179 };
1180 #endif
1181 /*
1182 * MPSAFE
1183 */
1184 /* ARGSUSED */
1185 int
1186 getresuid(register struct thread *td, struct getresuid_args *uap)
1187 {
1188 struct ucred *cred;
1189 int error1 = 0, error2 = 0, error3 = 0;
1190
1191 cred = td->td_ucred;
1192 if (uap->ruid)
1193 error1 = copyout(&cred->cr_ruid,
1194 uap->ruid, sizeof(cred->cr_ruid));
1195 if (uap->euid)
1196 error2 = copyout(&cred->cr_uid,
1197 uap->euid, sizeof(cred->cr_uid));
1198 if (uap->suid)
1199 error3 = copyout(&cred->cr_svuid,
1200 uap->suid, sizeof(cred->cr_svuid));
1201 return (error1 ? error1 : error2 ? error2 : error3);
1202 }
1203
1204 #ifndef _SYS_SYSPROTO_H_
1205 struct getresgid_args {
1206 gid_t *rgid;
1207 gid_t *egid;
1208 gid_t *sgid;
1209 };
1210 #endif
1211 /*
1212 * MPSAFE
1213 */
1214 /* ARGSUSED */
1215 int
1216 getresgid(register struct thread *td, struct getresgid_args *uap)
1217 {
1218 struct ucred *cred;
1219 int error1 = 0, error2 = 0, error3 = 0;
1220
1221 cred = td->td_ucred;
1222 if (uap->rgid)
1223 error1 = copyout(&cred->cr_rgid,
1224 uap->rgid, sizeof(cred->cr_rgid));
1225 if (uap->egid)
1226 error2 = copyout(&cred->cr_groups[0],
1227 uap->egid, sizeof(cred->cr_groups[0]));
1228 if (uap->sgid)
1229 error3 = copyout(&cred->cr_svgid,
1230 uap->sgid, sizeof(cred->cr_svgid));
1231 return (error1 ? error1 : error2 ? error2 : error3);
1232 }
1233
1234 #ifndef _SYS_SYSPROTO_H_
1235 struct issetugid_args {
1236 int dummy;
1237 };
1238 #endif
1239 /*
1240 * MPSAFE
1241 */
1242 /* ARGSUSED */
1243 int
1244 issetugid(register struct thread *td, struct issetugid_args *uap)
1245 {
1246 struct proc *p = td->td_proc;
1247
1248 /*
1249 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1250 * we use P_SUGID because we consider changing the owners as
1251 * "tainting" as well.
1252 * This is significant for procs that start as root and "become"
1253 * a user without an exec - programs cannot know *everything*
1254 * that libc *might* have put in their data segment.
1255 */
1256 PROC_LOCK(p);
1257 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1258 PROC_UNLOCK(p);
1259 return (0);
1260 }
1261
1262 /*
1263 * MPSAFE
1264 */
1265 int
1266 __setugid(struct thread *td, struct __setugid_args *uap)
1267 {
1268 #ifdef REGRESSION
1269 struct proc *p;
1270
1271 p = td->td_proc;
1272 switch (uap->flag) {
1273 case 0:
1274 PROC_LOCK(p);
1275 p->p_flag &= ~P_SUGID;
1276 PROC_UNLOCK(p);
1277 return (0);
1278 case 1:
1279 PROC_LOCK(p);
1280 p->p_flag |= P_SUGID;
1281 PROC_UNLOCK(p);
1282 return (0);
1283 default:
1284 return (EINVAL);
1285 }
1286 #else /* !REGRESSION */
1287
1288 return (ENOSYS);
1289 #endif /* REGRESSION */
1290 }
1291
1292 /*
1293 * Check if gid is a member of the group set.
1294 *
1295 * MPSAFE (cred must be held)
1296 */
1297 int
1298 groupmember(gid_t gid, struct ucred *cred)
1299 {
1300 register gid_t *gp;
1301 gid_t *egp;
1302
1303 egp = &(cred->cr_groups[cred->cr_ngroups]);
1304 for (gp = cred->cr_groups; gp < egp; gp++)
1305 if (*gp == gid)
1306 return (1);
1307 return (0);
1308 }
1309
1310 /*
1311 * `suser_enabled' (which can be set by the security.suser_enabled
1312 * sysctl) determines whether the system 'super-user' policy is in effect.
1313 * If it is nonzero, an effective uid of 0 connotes special privilege,
1314 * overriding many mandatory and discretionary protections. If it is zero,
1315 * uid 0 is offered no special privilege in the kernel security policy.
1316 * Setting it to zero may seriously impact the functionality of many
1317 * existing userland programs, and should not be done without careful
1318 * consideration of the consequences.
1319 */
1320 int suser_enabled = 1;
1321 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1322 &suser_enabled, 0, "processes with uid 0 have privilege");
1323 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1324
1325 /*
1326 * Test whether the specified credentials imply "super-user" privilege.
1327 * Return 0 or EPERM.
1328 */
1329 int
1330 suser_cred(struct ucred *cred, int flag)
1331 {
1332
1333 if (!suser_enabled)
1334 return (EPERM);
1335 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
1336 return (EPERM);
1337 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
1338 return (EPERM);
1339 return (0);
1340 }
1341
1342 /*
1343 * Shortcut to hide contents of struct td and struct proc from the
1344 * caller, promoting binary compatibility.
1345 */
1346 int
1347 suser(struct thread *td)
1348 {
1349
1350 #ifdef INVARIANTS
1351 if (td != curthread) {
1352 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
1353 td, td->td_proc->p_pid, td->td_proc->p_comm,
1354 curthread, curthread->td_proc->p_pid,
1355 curthread->td_proc->p_comm);
1356 #ifdef KDB
1357 kdb_backtrace();
1358 #endif
1359 }
1360 #endif
1361 return (suser_cred(td->td_ucred, 0));
1362 }
1363
1364 /*
1365 * Test the active securelevel against a given level. securelevel_gt()
1366 * implements (securelevel > level). securelevel_ge() implements
1367 * (securelevel >= level). Note that the logic is inverted -- these
1368 * functions return EPERM on "success" and 0 on "failure".
1369 *
1370 * MPSAFE
1371 */
1372 int
1373 securelevel_gt(struct ucred *cr, int level)
1374 {
1375 int active_securelevel;
1376
1377 active_securelevel = securelevel;
1378 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1379 if (cr->cr_prison != NULL)
1380 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1381 active_securelevel);
1382 return (active_securelevel > level ? EPERM : 0);
1383 }
1384
1385 int
1386 securelevel_ge(struct ucred *cr, int level)
1387 {
1388 int active_securelevel;
1389
1390 active_securelevel = securelevel;
1391 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1392 if (cr->cr_prison != NULL)
1393 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1394 active_securelevel);
1395 return (active_securelevel >= level ? EPERM : 0);
1396 }
1397
1398 /*
1399 * 'see_other_uids' determines whether or not visibility of processes
1400 * and sockets with credentials holding different real uids is possible
1401 * using a variety of system MIBs.
1402 * XXX: data declarations should be together near the beginning of the file.
1403 */
1404 static int see_other_uids = 1;
1405 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1406 &see_other_uids, 0,
1407 "Unprivileged processes may see subjects/objects with different real uid");
1408
1409 /*-
1410 * Determine if u1 "can see" the subject specified by u2, according to the
1411 * 'see_other_uids' policy.
1412 * Returns: 0 for permitted, ESRCH otherwise
1413 * Locks: none
1414 * References: *u1 and *u2 must not change during the call
1415 * u1 may equal u2, in which case only one reference is required
1416 */
1417 static int
1418 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1419 {
1420
1421 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1422 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1423 return (ESRCH);
1424 }
1425 return (0);
1426 }
1427
1428 /*
1429 * 'see_other_gids' determines whether or not visibility of processes
1430 * and sockets with credentials holding different real gids is possible
1431 * using a variety of system MIBs.
1432 * XXX: data declarations should be together near the beginning of the file.
1433 */
1434 static int see_other_gids = 1;
1435 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1436 &see_other_gids, 0,
1437 "Unprivileged processes may see subjects/objects with different real gid");
1438
1439 /*
1440 * Determine if u1 can "see" the subject specified by u2, according to the
1441 * 'see_other_gids' policy.
1442 * Returns: 0 for permitted, ESRCH otherwise
1443 * Locks: none
1444 * References: *u1 and *u2 must not change during the call
1445 * u1 may equal u2, in which case only one reference is required
1446 */
1447 static int
1448 cr_seeothergids(struct ucred *u1, struct ucred *u2)
1449 {
1450 int i, match;
1451
1452 if (!see_other_gids) {
1453 match = 0;
1454 for (i = 0; i < u1->cr_ngroups; i++) {
1455 if (groupmember(u1->cr_groups[i], u2))
1456 match = 1;
1457 if (match)
1458 break;
1459 }
1460 if (!match) {
1461 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1462 return (ESRCH);
1463 }
1464 }
1465 return (0);
1466 }
1467
1468 /*-
1469 * Determine if u1 "can see" the subject specified by u2.
1470 * Returns: 0 for permitted, an errno value otherwise
1471 * Locks: none
1472 * References: *u1 and *u2 must not change during the call
1473 * u1 may equal u2, in which case only one reference is required
1474 */
1475 int
1476 cr_cansee(struct ucred *u1, struct ucred *u2)
1477 {
1478 int error;
1479
1480 if ((error = prison_check(u1, u2)))
1481 return (error);
1482 #ifdef MAC
1483 if ((error = mac_check_cred_visible(u1, u2)))
1484 return (error);
1485 #endif
1486 if ((error = cr_seeotheruids(u1, u2)))
1487 return (error);
1488 if ((error = cr_seeothergids(u1, u2)))
1489 return (error);
1490 return (0);
1491 }
1492
1493 /*-
1494 * Determine if td "can see" the subject specified by p.
1495 * Returns: 0 for permitted, an errno value otherwise
1496 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1497 * should be curthread.
1498 * References: td and p must be valid for the lifetime of the call
1499 */
1500 int
1501 p_cansee(struct thread *td, struct proc *p)
1502 {
1503
1504 /* Wrap cr_cansee() for all functionality. */
1505 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1506 PROC_LOCK_ASSERT(p, MA_OWNED);
1507 return (cr_cansee(td->td_ucred, p->p_ucred));
1508 }
1509
1510 /*
1511 * 'conservative_signals' prevents the delivery of a broad class of
1512 * signals by unprivileged processes to processes that have changed their
1513 * credentials since the last invocation of execve(). This can prevent
1514 * the leakage of cached information or retained privileges as a result
1515 * of a common class of signal-related vulnerabilities. However, this
1516 * may interfere with some applications that expect to be able to
1517 * deliver these signals to peer processes after having given up
1518 * privilege.
1519 */
1520 static int conservative_signals = 1;
1521 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1522 &conservative_signals, 0, "Unprivileged processes prevented from "
1523 "sending certain signals to processes whose credentials have changed");
1524 /*-
1525 * Determine whether cred may deliver the specified signal to proc.
1526 * Returns: 0 for permitted, an errno value otherwise.
1527 * Locks: A lock must be held for proc.
1528 * References: cred and proc must be valid for the lifetime of the call.
1529 */
1530 int
1531 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1532 {
1533 int error;
1534
1535 PROC_LOCK_ASSERT(proc, MA_OWNED);
1536 /*
1537 * Jail semantics limit the scope of signalling to proc in the
1538 * same jail as cred, if cred is in jail.
1539 */
1540 error = prison_check(cred, proc->p_ucred);
1541 if (error)
1542 return (error);
1543 #ifdef MAC
1544 if ((error = mac_check_proc_signal(cred, proc, signum)))
1545 return (error);
1546 #endif
1547 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1548 return (error);
1549 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1550 return (error);
1551
1552 /*
1553 * UNIX signal semantics depend on the status of the P_SUGID
1554 * bit on the target process. If the bit is set, then additional
1555 * restrictions are placed on the set of available signals.
1556 */
1557 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1558 switch (signum) {
1559 case 0:
1560 case SIGKILL:
1561 case SIGINT:
1562 case SIGTERM:
1563 case SIGALRM:
1564 case SIGSTOP:
1565 case SIGTTIN:
1566 case SIGTTOU:
1567 case SIGTSTP:
1568 case SIGHUP:
1569 case SIGUSR1:
1570 case SIGUSR2:
1571 /*
1572 * Generally, permit job and terminal control
1573 * signals.
1574 */
1575 break;
1576 default:
1577 /* Not permitted without privilege. */
1578 error = suser_cred(cred, SUSER_ALLOWJAIL);
1579 if (error)
1580 return (error);
1581 }
1582 }
1583
1584 /*
1585 * Generally, the target credential's ruid or svuid must match the
1586 * subject credential's ruid or euid.
1587 */
1588 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1589 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1590 cred->cr_uid != proc->p_ucred->cr_ruid &&
1591 cred->cr_uid != proc->p_ucred->cr_svuid) {
1592 /* Not permitted without privilege. */
1593 error = suser_cred(cred, SUSER_ALLOWJAIL);
1594 if (error)
1595 return (error);
1596 }
1597
1598 return (0);
1599 }
1600
1601
1602 /*-
1603 * Determine whether td may deliver the specified signal to p.
1604 * Returns: 0 for permitted, an errno value otherwise
1605 * Locks: Sufficient locks to protect various components of td and p
1606 * must be held. td must be curthread, and a lock must be
1607 * held for p.
1608 * References: td and p must be valid for the lifetime of the call
1609 */
1610 int
1611 p_cansignal(struct thread *td, struct proc *p, int signum)
1612 {
1613
1614 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1615 PROC_LOCK_ASSERT(p, MA_OWNED);
1616 if (td->td_proc == p)
1617 return (0);
1618
1619 /*
1620 * UNIX signalling semantics require that processes in the same
1621 * session always be able to deliver SIGCONT to one another,
1622 * overriding the remaining protections.
1623 */
1624 /* XXX: This will require an additional lock of some sort. */
1625 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1626 return (0);
1627 /*
1628 * Some compat layers use SIGTHR and higher signals for
1629 * communication between different kernel threads of the same
1630 * process, so that they expect that it's always possible to
1631 * deliver them, even for suid applications where cr_cansignal() can
1632 * deny such ability for security consideration. It should be
1633 * pretty safe to do since the only way to create two processes
1634 * with the same p_leader is via rfork(2).
1635 */
1636 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
1637 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
1638 return (0);
1639
1640 return (cr_cansignal(td->td_ucred, p, signum));
1641 }
1642
1643 /*-
1644 * Determine whether td may reschedule p.
1645 * Returns: 0 for permitted, an errno value otherwise
1646 * Locks: Sufficient locks to protect various components of td and p
1647 * must be held. td must be curthread, and a lock must
1648 * be held for p.
1649 * References: td and p must be valid for the lifetime of the call
1650 */
1651 int
1652 p_cansched(struct thread *td, struct proc *p)
1653 {
1654 int error;
1655
1656 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1657 PROC_LOCK_ASSERT(p, MA_OWNED);
1658 if (td->td_proc == p)
1659 return (0);
1660 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1661 return (error);
1662 #ifdef MAC
1663 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1664 return (error);
1665 #endif
1666 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1667 return (error);
1668 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1669 return (error);
1670 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1671 return (0);
1672 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1673 return (0);
1674 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
1675 return (0);
1676
1677 #ifdef CAPABILITIES
1678 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
1679 return (0);
1680 #endif
1681
1682 return (EPERM);
1683 }
1684
1685 /*
1686 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1687 * unprivileged inter-process debugging services, including some procfs
1688 * functionality, ptrace(), and ktrace(). In the past, inter-process
1689 * debugging has been involved in a variety of security problems, and sites
1690 * not requiring the service might choose to disable it when hardening
1691 * systems.
1692 *
1693 * XXX: Should modifying and reading this variable require locking?
1694 * XXX: data declarations should be together near the beginning of the file.
1695 */
1696 static int unprivileged_proc_debug = 1;
1697 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1698 &unprivileged_proc_debug, 0,
1699 "Unprivileged processes may use process debugging facilities");
1700
1701 /*-
1702 * Determine whether td may debug p.
1703 * Returns: 0 for permitted, an errno value otherwise
1704 * Locks: Sufficient locks to protect various components of td and p
1705 * must be held. td must be curthread, and a lock must
1706 * be held for p.
1707 * References: td and p must be valid for the lifetime of the call
1708 */
1709 int
1710 p_candebug(struct thread *td, struct proc *p)
1711 {
1712 int credentialchanged, error, grpsubset, i, uidsubset;
1713
1714 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1715 PROC_LOCK_ASSERT(p, MA_OWNED);
1716 if (!unprivileged_proc_debug) {
1717 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1718 if (error)
1719 return (error);
1720 }
1721 if (td->td_proc == p)
1722 return (0);
1723 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1724 return (error);
1725 #ifdef MAC
1726 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1727 return (error);
1728 #endif
1729 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1730 return (error);
1731 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1732 return (error);
1733
1734 /*
1735 * Is p's group set a subset of td's effective group set? This
1736 * includes p's egid, group access list, rgid, and svgid.
1737 */
1738 grpsubset = 1;
1739 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1740 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1741 grpsubset = 0;
1742 break;
1743 }
1744 }
1745 grpsubset = grpsubset &&
1746 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1747 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1748
1749 /*
1750 * Are the uids present in p's credential equal to td's
1751 * effective uid? This includes p's euid, svuid, and ruid.
1752 */
1753 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1754 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1755 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1756
1757 /*
1758 * Has the credential of the process changed since the last exec()?
1759 */
1760 credentialchanged = (p->p_flag & P_SUGID);
1761
1762 /*
1763 * If p's gids aren't a subset, or the uids aren't a subset,
1764 * or the credential has changed, require appropriate privilege
1765 * for td to debug p. For POSIX.1e capabilities, this will
1766 * require CAP_SYS_PTRACE.
1767 */
1768 if (!grpsubset || !uidsubset || credentialchanged) {
1769 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1770 if (error)
1771 return (error);
1772 }
1773
1774 /* Can't trace init when securelevel > 0. */
1775 if (p == initproc) {
1776 error = securelevel_gt(td->td_ucred, 0);
1777 if (error)
1778 return (error);
1779 }
1780
1781 /*
1782 * Can't trace a process that's currently exec'ing.
1783 * XXX: Note, this is not a security policy decision, it's a
1784 * basic correctness/functionality decision. Therefore, this check
1785 * should be moved to the caller's of p_candebug().
1786 */
1787 if ((p->p_flag & P_INEXEC) != 0)
1788 return (EAGAIN);
1789
1790 return (0);
1791 }
1792
1793 /*-
1794 * Determine whether the subject represented by cred can "see" a socket.
1795 * Returns: 0 for permitted, ENOENT otherwise.
1796 */
1797 int
1798 cr_canseesocket(struct ucred *cred, struct socket *so)
1799 {
1800 int error;
1801
1802 error = prison_check(cred, so->so_cred);
1803 if (error)
1804 return (ENOENT);
1805 #ifdef MAC
1806 SOCK_LOCK(so);
1807 error = mac_check_socket_visible(cred, so);
1808 SOCK_UNLOCK(so);
1809 if (error)
1810 return (error);
1811 #endif
1812 if (cr_seeotheruids(cred, so->so_cred))
1813 return (ENOENT);
1814 if (cr_seeothergids(cred, so->so_cred))
1815 return (ENOENT);
1816
1817 return (0);
1818 }
1819
1820 /*-
1821 * Determine whether td can wait for the exit of p.
1822 * Returns: 0 for permitted, an errno value otherwise
1823 * Locks: Sufficient locks to protect various components of td and p
1824 * must be held. td must be curthread, and a lock must
1825 * be held for p.
1826 * References: td and p must be valid for the lifetime of the call
1827
1828 */
1829 int
1830 p_canwait(struct thread *td, struct proc *p)
1831 {
1832 int error;
1833
1834 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1835 PROC_LOCK_ASSERT(p, MA_OWNED);
1836 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1837 return (error);
1838 #ifdef MAC
1839 if ((error = mac_check_proc_wait(td->td_ucred, p)))
1840 return (error);
1841 #endif
1842 #if 0
1843 /* XXXMAC: This could have odd effects on some shells. */
1844 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1845 return (error);
1846 #endif
1847
1848 return (0);
1849 }
1850
1851 /*
1852 * Allocate a zeroed cred structure.
1853 * MPSAFE
1854 */
1855 struct ucred *
1856 crget(void)
1857 {
1858 register struct ucred *cr;
1859
1860 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1861 cr->cr_ref = 1;
1862 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
1863 #ifdef MAC
1864 mac_init_cred(cr);
1865 #endif
1866 return (cr);
1867 }
1868
1869 /*
1870 * Claim another reference to a ucred structure.
1871 * MPSAFE
1872 */
1873 struct ucred *
1874 crhold(struct ucred *cr)
1875 {
1876
1877 mtx_lock(cr->cr_mtxp);
1878 cr->cr_ref++;
1879 mtx_unlock(cr->cr_mtxp);
1880 return (cr);
1881 }
1882
1883 /*
1884 * Free a cred structure.
1885 * Throws away space when ref count gets to 0.
1886 * MPSAFE
1887 */
1888 void
1889 crfree(struct ucred *cr)
1890 {
1891 struct mtx *mtxp = cr->cr_mtxp;
1892
1893 mtx_lock(mtxp);
1894 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1895 if (--cr->cr_ref == 0) {
1896 mtx_unlock(mtxp);
1897 /*
1898 * Some callers of crget(), such as nfs_statfs(),
1899 * allocate a temporary credential, but don't
1900 * allocate a uidinfo structure.
1901 */
1902 if (cr->cr_uidinfo != NULL)
1903 uifree(cr->cr_uidinfo);
1904 if (cr->cr_ruidinfo != NULL)
1905 uifree(cr->cr_ruidinfo);
1906 /*
1907 * Free a prison, if any.
1908 */
1909 if (jailed(cr))
1910 prison_free(cr->cr_prison);
1911 #ifdef MAC
1912 mac_destroy_cred(cr);
1913 #endif
1914 FREE(cr, M_CRED);
1915 } else {
1916 mtx_unlock(mtxp);
1917 }
1918 }
1919
1920 /*
1921 * Check to see if this ucred is shared.
1922 * MPSAFE
1923 */
1924 int
1925 crshared(struct ucred *cr)
1926 {
1927 int shared;
1928
1929 mtx_lock(cr->cr_mtxp);
1930 shared = (cr->cr_ref > 1);
1931 mtx_unlock(cr->cr_mtxp);
1932 return (shared);
1933 }
1934
1935 /*
1936 * Copy a ucred's contents from a template. Does not block.
1937 * MPSAFE
1938 */
1939 void
1940 crcopy(struct ucred *dest, struct ucred *src)
1941 {
1942
1943 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1944 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1945 (unsigned)((caddr_t)&src->cr_endcopy -
1946 (caddr_t)&src->cr_startcopy));
1947 uihold(dest->cr_uidinfo);
1948 uihold(dest->cr_ruidinfo);
1949 if (jailed(dest))
1950 prison_hold(dest->cr_prison);
1951 #ifdef MAC
1952 mac_copy_cred(src, dest);
1953 #endif
1954 }
1955
1956 /*
1957 * Dup cred struct to a new held one.
1958 * MPSAFE
1959 */
1960 struct ucred *
1961 crdup(struct ucred *cr)
1962 {
1963 struct ucred *newcr;
1964
1965 newcr = crget();
1966 crcopy(newcr, cr);
1967 return (newcr);
1968 }
1969
1970 /*
1971 * Fill in a struct xucred based on a struct ucred.
1972 * MPSAFE
1973 */
1974 void
1975 cru2x(struct ucred *cr, struct xucred *xcr)
1976 {
1977
1978 bzero(xcr, sizeof(*xcr));
1979 xcr->cr_version = XUCRED_VERSION;
1980 xcr->cr_uid = cr->cr_uid;
1981 xcr->cr_ngroups = cr->cr_ngroups;
1982 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1983 }
1984
1985 /*
1986 * small routine to swap a thread's current ucred for the correct one
1987 * taken from the process.
1988 * MPSAFE
1989 */
1990 void
1991 cred_update_thread(struct thread *td)
1992 {
1993 struct proc *p;
1994 struct ucred *cred;
1995
1996 p = td->td_proc;
1997 cred = td->td_ucred;
1998 PROC_LOCK(p);
1999 td->td_ucred = crhold(p->p_ucred);
2000 PROC_UNLOCK(p);
2001 if (cred != NULL)
2002 crfree(cred);
2003 }
2004
2005 /*
2006 * Get login name, if available.
2007 */
2008 #ifndef _SYS_SYSPROTO_H_
2009 struct getlogin_args {
2010 char *namebuf;
2011 u_int namelen;
2012 };
2013 #endif
2014 /*
2015 * MPSAFE
2016 */
2017 /* ARGSUSED */
2018 int
2019 getlogin(struct thread *td, struct getlogin_args *uap)
2020 {
2021 int error;
2022 char login[MAXLOGNAME];
2023 struct proc *p = td->td_proc;
2024
2025 if (uap->namelen > MAXLOGNAME)
2026 uap->namelen = MAXLOGNAME;
2027 PROC_LOCK(p);
2028 SESS_LOCK(p->p_session);
2029 bcopy(p->p_session->s_login, login, uap->namelen);
2030 SESS_UNLOCK(p->p_session);
2031 PROC_UNLOCK(p);
2032 error = copyout(login, uap->namebuf, uap->namelen);
2033 return(error);
2034 }
2035
2036 /*
2037 * Set login name.
2038 */
2039 #ifndef _SYS_SYSPROTO_H_
2040 struct setlogin_args {
2041 char *namebuf;
2042 };
2043 #endif
2044 /*
2045 * MPSAFE
2046 */
2047 /* ARGSUSED */
2048 int
2049 setlogin(struct thread *td, struct setlogin_args *uap)
2050 {
2051 struct proc *p = td->td_proc;
2052 int error;
2053 char logintmp[MAXLOGNAME];
2054
2055 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
2056 if (error)
2057 return (error);
2058 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2059 if (error == ENAMETOOLONG)
2060 error = EINVAL;
2061 else if (!error) {
2062 PROC_LOCK(p);
2063 SESS_LOCK(p->p_session);
2064 (void) memcpy(p->p_session->s_login, logintmp,
2065 sizeof(logintmp));
2066 SESS_UNLOCK(p->p_session);
2067 PROC_UNLOCK(p);
2068 }
2069 return (error);
2070 }
2071
2072 void
2073 setsugid(struct proc *p)
2074 {
2075
2076 PROC_LOCK_ASSERT(p, MA_OWNED);
2077 p->p_flag |= P_SUGID;
2078 if (!(p->p_pfsflags & PF_ISUGID))
2079 p->p_stops = 0;
2080 }
2081
2082 /*-
2083 * Change a process's effective uid.
2084 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
2085 * References: newcred must be an exclusive credential reference for the
2086 * duration of the call.
2087 */
2088 void
2089 change_euid(struct ucred *newcred, struct uidinfo *euip)
2090 {
2091
2092 newcred->cr_uid = euip->ui_uid;
2093 uihold(euip);
2094 uifree(newcred->cr_uidinfo);
2095 newcred->cr_uidinfo = euip;
2096 }
2097
2098 /*-
2099 * Change a process's effective gid.
2100 * Side effects: newcred->cr_gid will be modified.
2101 * References: newcred must be an exclusive credential reference for the
2102 * duration of the call.
2103 */
2104 void
2105 change_egid(struct ucred *newcred, gid_t egid)
2106 {
2107
2108 newcred->cr_groups[0] = egid;
2109 }
2110
2111 /*-
2112 * Change a process's real uid.
2113 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
2114 * will be updated, and the old and new cr_ruidinfo proc
2115 * counts will be updated.
2116 * References: newcred must be an exclusive credential reference for the
2117 * duration of the call.
2118 */
2119 void
2120 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
2121 {
2122
2123 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
2124 newcred->cr_ruid = ruip->ui_uid;
2125 uihold(ruip);
2126 uifree(newcred->cr_ruidinfo);
2127 newcred->cr_ruidinfo = ruip;
2128 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2129 }
2130
2131 /*-
2132 * Change a process's real gid.
2133 * Side effects: newcred->cr_rgid will be updated.
2134 * References: newcred must be an exclusive credential reference for the
2135 * duration of the call.
2136 */
2137 void
2138 change_rgid(struct ucred *newcred, gid_t rgid)
2139 {
2140
2141 newcred->cr_rgid = rgid;
2142 }
2143
2144 /*-
2145 * Change a process's saved uid.
2146 * Side effects: newcred->cr_svuid will be updated.
2147 * References: newcred must be an exclusive credential reference for the
2148 * duration of the call.
2149 */
2150 void
2151 change_svuid(struct ucred *newcred, uid_t svuid)
2152 {
2153
2154 newcred->cr_svuid = svuid;
2155 }
2156
2157 /*-
2158 * Change a process's saved gid.
2159 * Side effects: newcred->cr_svgid will be updated.
2160 * References: newcred must be an exclusive credential reference for the
2161 * duration of the call.
2162 */
2163 void
2164 change_svgid(struct ucred *newcred, gid_t svgid)
2165 {
2166
2167 newcred->cr_svgid = svgid;
2168 }
Cache object: 73f74bee273bfe463b92ff7bd6d8bc15
|