FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*-
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 4. Neither the name of the University nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
36 */
37
38 /*
39 * System calls related to processes and protection
40 */
41
42 #include <sys/cdefs.h>
43 __FBSDID("$FreeBSD$");
44
45 #include "opt_compat.h"
46 #include "opt_mac.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/acct.h>
51 #include <sys/kdb.h>
52 #include <sys/kernel.h>
53 #include <sys/lock.h>
54 #include <sys/mac.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
57 #include <sys/refcount.h>
58 #include <sys/sx.h>
59 #include <sys/proc.h>
60 #include <sys/sysproto.h>
61 #include <sys/jail.h>
62 #include <sys/pioctl.h>
63 #include <sys/resourcevar.h>
64 #include <sys/socket.h>
65 #include <sys/socketvar.h>
66 #include <sys/sysctl.h>
67
68 #include <security/audit/audit.h>
69
70 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
71
72 SYSCTL_DECL(_security);
73 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
74 "BSD security policy");
75
76 #ifndef _SYS_SYSPROTO_H_
77 struct getpid_args {
78 int dummy;
79 };
80 #endif
81 /*
82 * MPSAFE
83 */
84 /* ARGSUSED */
85 int
86 getpid(struct thread *td, struct getpid_args *uap)
87 {
88 struct proc *p = td->td_proc;
89
90 td->td_retval[0] = p->p_pid;
91 #if defined(COMPAT_43)
92 PROC_LOCK(p);
93 td->td_retval[1] = p->p_pptr->p_pid;
94 PROC_UNLOCK(p);
95 #endif
96 return (0);
97 }
98
99 #ifndef _SYS_SYSPROTO_H_
100 struct getppid_args {
101 int dummy;
102 };
103 #endif
104 /*
105 * MPSAFE
106 */
107 /* ARGSUSED */
108 int
109 getppid(struct thread *td, struct getppid_args *uap)
110 {
111 struct proc *p = td->td_proc;
112
113 PROC_LOCK(p);
114 td->td_retval[0] = p->p_pptr->p_pid;
115 PROC_UNLOCK(p);
116 return (0);
117 }
118
119 /*
120 * Get process group ID; note that POSIX getpgrp takes no parameter.
121 */
122 #ifndef _SYS_SYSPROTO_H_
123 struct getpgrp_args {
124 int dummy;
125 };
126 #endif
127 /*
128 * MPSAFE
129 */
130 int
131 getpgrp(struct thread *td, struct getpgrp_args *uap)
132 {
133 struct proc *p = td->td_proc;
134
135 PROC_LOCK(p);
136 td->td_retval[0] = p->p_pgrp->pg_id;
137 PROC_UNLOCK(p);
138 return (0);
139 }
140
141 /* Get an arbitary pid's process group id */
142 #ifndef _SYS_SYSPROTO_H_
143 struct getpgid_args {
144 pid_t pid;
145 };
146 #endif
147 /*
148 * MPSAFE
149 */
150 int
151 getpgid(struct thread *td, struct getpgid_args *uap)
152 {
153 struct proc *p;
154 int error;
155
156 if (uap->pid == 0) {
157 p = td->td_proc;
158 PROC_LOCK(p);
159 } else {
160 p = pfind(uap->pid);
161 if (p == NULL)
162 return (ESRCH);
163 error = p_cansee(td, p);
164 if (error) {
165 PROC_UNLOCK(p);
166 return (error);
167 }
168 }
169 td->td_retval[0] = p->p_pgrp->pg_id;
170 PROC_UNLOCK(p);
171 return (0);
172 }
173
174 /*
175 * Get an arbitary pid's session id.
176 */
177 #ifndef _SYS_SYSPROTO_H_
178 struct getsid_args {
179 pid_t pid;
180 };
181 #endif
182 /*
183 * MPSAFE
184 */
185 int
186 getsid(struct thread *td, struct getsid_args *uap)
187 {
188 struct proc *p;
189 int error;
190
191 if (uap->pid == 0) {
192 p = td->td_proc;
193 PROC_LOCK(p);
194 } else {
195 p = pfind(uap->pid);
196 if (p == NULL)
197 return (ESRCH);
198 error = p_cansee(td, p);
199 if (error) {
200 PROC_UNLOCK(p);
201 return (error);
202 }
203 }
204 td->td_retval[0] = p->p_session->s_sid;
205 PROC_UNLOCK(p);
206 return (0);
207 }
208
209 #ifndef _SYS_SYSPROTO_H_
210 struct getuid_args {
211 int dummy;
212 };
213 #endif
214 /*
215 * MPSAFE
216 */
217 /* ARGSUSED */
218 int
219 getuid(struct thread *td, struct getuid_args *uap)
220 {
221
222 td->td_retval[0] = td->td_ucred->cr_ruid;
223 #if defined(COMPAT_43)
224 td->td_retval[1] = td->td_ucred->cr_uid;
225 #endif
226 return (0);
227 }
228
229 #ifndef _SYS_SYSPROTO_H_
230 struct geteuid_args {
231 int dummy;
232 };
233 #endif
234 /*
235 * MPSAFE
236 */
237 /* ARGSUSED */
238 int
239 geteuid(struct thread *td, struct geteuid_args *uap)
240 {
241
242 td->td_retval[0] = td->td_ucred->cr_uid;
243 return (0);
244 }
245
246 #ifndef _SYS_SYSPROTO_H_
247 struct getgid_args {
248 int dummy;
249 };
250 #endif
251 /*
252 * MPSAFE
253 */
254 /* ARGSUSED */
255 int
256 getgid(struct thread *td, struct getgid_args *uap)
257 {
258
259 td->td_retval[0] = td->td_ucred->cr_rgid;
260 #if defined(COMPAT_43)
261 td->td_retval[1] = td->td_ucred->cr_groups[0];
262 #endif
263 return (0);
264 }
265
266 /*
267 * Get effective group ID. The "egid" is groups[0], and could be obtained
268 * via getgroups. This syscall exists because it is somewhat painful to do
269 * correctly in a library function.
270 */
271 #ifndef _SYS_SYSPROTO_H_
272 struct getegid_args {
273 int dummy;
274 };
275 #endif
276 /*
277 * MPSAFE
278 */
279 /* ARGSUSED */
280 int
281 getegid(struct thread *td, struct getegid_args *uap)
282 {
283
284 td->td_retval[0] = td->td_ucred->cr_groups[0];
285 return (0);
286 }
287
288 #ifndef _SYS_SYSPROTO_H_
289 struct getgroups_args {
290 u_int gidsetsize;
291 gid_t *gidset;
292 };
293 #endif
294 /*
295 * MPSAFE
296 */
297 int
298 getgroups(struct thread *td, register struct getgroups_args *uap)
299 {
300 struct ucred *cred;
301 u_int ngrp;
302 int error;
303
304 cred = td->td_ucred;
305 if ((ngrp = uap->gidsetsize) == 0) {
306 td->td_retval[0] = cred->cr_ngroups;
307 return (0);
308 }
309 if (ngrp < cred->cr_ngroups)
310 return (EINVAL);
311 ngrp = cred->cr_ngroups;
312 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
313 if (error == 0)
314 td->td_retval[0] = ngrp;
315 return (error);
316 }
317
318 #ifndef _SYS_SYSPROTO_H_
319 struct setsid_args {
320 int dummy;
321 };
322 #endif
323 /*
324 * MPSAFE
325 */
326 /* ARGSUSED */
327 int
328 setsid(register struct thread *td, struct setsid_args *uap)
329 {
330 struct pgrp *pgrp;
331 int error;
332 struct proc *p = td->td_proc;
333 struct pgrp *newpgrp;
334 struct session *newsess;
335
336 error = 0;
337 pgrp = NULL;
338
339 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
340 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
341
342 sx_xlock(&proctree_lock);
343
344 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
345 if (pgrp != NULL)
346 PGRP_UNLOCK(pgrp);
347 error = EPERM;
348 } else {
349 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
350 td->td_retval[0] = p->p_pid;
351 newpgrp = NULL;
352 newsess = NULL;
353 }
354
355 sx_xunlock(&proctree_lock);
356
357 if (newpgrp != NULL)
358 FREE(newpgrp, M_PGRP);
359 if (newsess != NULL)
360 FREE(newsess, M_SESSION);
361
362 return (error);
363 }
364
365 /*
366 * set process group (setpgid/old setpgrp)
367 *
368 * caller does setpgid(targpid, targpgid)
369 *
370 * pid must be caller or child of caller (ESRCH)
371 * if a child
372 * pid must be in same session (EPERM)
373 * pid can't have done an exec (EACCES)
374 * if pgid != pid
375 * there must exist some pid in same session having pgid (EPERM)
376 * pid must not be session leader (EPERM)
377 */
378 #ifndef _SYS_SYSPROTO_H_
379 struct setpgid_args {
380 int pid; /* target process id */
381 int pgid; /* target pgrp id */
382 };
383 #endif
384 /*
385 * MPSAFE
386 */
387 /* ARGSUSED */
388 int
389 setpgid(struct thread *td, register struct setpgid_args *uap)
390 {
391 struct proc *curp = td->td_proc;
392 register struct proc *targp; /* target process */
393 register struct pgrp *pgrp; /* target pgrp */
394 int error;
395 struct pgrp *newpgrp;
396
397 if (uap->pgid < 0)
398 return (EINVAL);
399
400 error = 0;
401
402 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
403
404 sx_xlock(&proctree_lock);
405 if (uap->pid != 0 && uap->pid != curp->p_pid) {
406 if ((targp = pfind(uap->pid)) == NULL) {
407 error = ESRCH;
408 goto done;
409 }
410 if (!inferior(targp)) {
411 PROC_UNLOCK(targp);
412 error = ESRCH;
413 goto done;
414 }
415 if ((error = p_cansee(td, targp))) {
416 PROC_UNLOCK(targp);
417 goto done;
418 }
419 if (targp->p_pgrp == NULL ||
420 targp->p_session != curp->p_session) {
421 PROC_UNLOCK(targp);
422 error = EPERM;
423 goto done;
424 }
425 if (targp->p_flag & P_EXEC) {
426 PROC_UNLOCK(targp);
427 error = EACCES;
428 goto done;
429 }
430 PROC_UNLOCK(targp);
431 } else
432 targp = curp;
433 if (SESS_LEADER(targp)) {
434 error = EPERM;
435 goto done;
436 }
437 if (uap->pgid == 0)
438 uap->pgid = targp->p_pid;
439 if ((pgrp = pgfind(uap->pgid)) == NULL) {
440 if (uap->pgid == targp->p_pid) {
441 error = enterpgrp(targp, uap->pgid, newpgrp,
442 NULL);
443 if (error == 0)
444 newpgrp = NULL;
445 } else
446 error = EPERM;
447 } else {
448 if (pgrp == targp->p_pgrp) {
449 PGRP_UNLOCK(pgrp);
450 goto done;
451 }
452 if (pgrp->pg_id != targp->p_pid &&
453 pgrp->pg_session != curp->p_session) {
454 PGRP_UNLOCK(pgrp);
455 error = EPERM;
456 goto done;
457 }
458 PGRP_UNLOCK(pgrp);
459 error = enterthispgrp(targp, pgrp);
460 }
461 done:
462 sx_xunlock(&proctree_lock);
463 KASSERT((error == 0) || (newpgrp != NULL),
464 ("setpgid failed and newpgrp is NULL"));
465 if (newpgrp != NULL)
466 FREE(newpgrp, M_PGRP);
467 return (error);
468 }
469
470 /*
471 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
472 * compatible. It says that setting the uid/gid to euid/egid is a special
473 * case of "appropriate privilege". Once the rules are expanded out, this
474 * basically means that setuid(nnn) sets all three id's, in all permitted
475 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
476 * does not set the saved id - this is dangerous for traditional BSD
477 * programs. For this reason, we *really* do not want to set
478 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
479 */
480 #define POSIX_APPENDIX_B_4_2_2
481
482 #ifndef _SYS_SYSPROTO_H_
483 struct setuid_args {
484 uid_t uid;
485 };
486 #endif
487 /*
488 * MPSAFE
489 */
490 /* ARGSUSED */
491 int
492 setuid(struct thread *td, struct setuid_args *uap)
493 {
494 struct proc *p = td->td_proc;
495 struct ucred *newcred, *oldcred;
496 uid_t uid;
497 struct uidinfo *uip;
498 int error;
499
500 uid = uap->uid;
501 AUDIT_ARG(uid, uid);
502 newcred = crget();
503 uip = uifind(uid);
504 PROC_LOCK(p);
505 oldcred = p->p_ucred;
506
507 #ifdef MAC
508 error = mac_check_proc_setuid(p, oldcred, uid);
509 if (error)
510 goto fail;
511 #endif
512
513 /*
514 * See if we have "permission" by POSIX 1003.1 rules.
515 *
516 * Note that setuid(geteuid()) is a special case of
517 * "appropriate privileges" in appendix B.4.2.2. We need
518 * to use this clause to be compatible with traditional BSD
519 * semantics. Basically, it means that "setuid(xx)" sets all
520 * three id's (assuming you have privs).
521 *
522 * Notes on the logic. We do things in three steps.
523 * 1: We determine if the euid is going to change, and do EPERM
524 * right away. We unconditionally change the euid later if this
525 * test is satisfied, simplifying that part of the logic.
526 * 2: We determine if the real and/or saved uids are going to
527 * change. Determined by compile options.
528 * 3: Change euid last. (after tests in #2 for "appropriate privs")
529 */
530 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
531 #ifdef _POSIX_SAVED_IDS
532 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
533 #endif
534 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
535 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
536 #endif
537 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
538 goto fail;
539
540 /*
541 * Copy credentials so other references do not see our changes.
542 */
543 crcopy(newcred, oldcred);
544 #ifdef _POSIX_SAVED_IDS
545 /*
546 * Do we have "appropriate privileges" (are we root or uid == euid)
547 * If so, we are changing the real uid and/or saved uid.
548 */
549 if (
550 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
551 uid == oldcred->cr_uid ||
552 #endif
553 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
554 #endif
555 {
556 /*
557 * Set the real uid and transfer proc count to new user.
558 */
559 if (uid != oldcred->cr_ruid) {
560 change_ruid(newcred, uip);
561 setsugid(p);
562 }
563 /*
564 * Set saved uid
565 *
566 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
567 * the security of seteuid() depends on it. B.4.2.2 says it
568 * is important that we should do this.
569 */
570 if (uid != oldcred->cr_svuid) {
571 change_svuid(newcred, uid);
572 setsugid(p);
573 }
574 }
575
576 /*
577 * In all permitted cases, we are changing the euid.
578 */
579 if (uid != oldcred->cr_uid) {
580 change_euid(newcred, uip);
581 setsugid(p);
582 }
583 p->p_ucred = newcred;
584 PROC_UNLOCK(p);
585 uifree(uip);
586 crfree(oldcred);
587 return (0);
588
589 fail:
590 PROC_UNLOCK(p);
591 uifree(uip);
592 crfree(newcred);
593 return (error);
594 }
595
596 #ifndef _SYS_SYSPROTO_H_
597 struct seteuid_args {
598 uid_t euid;
599 };
600 #endif
601 /*
602 * MPSAFE
603 */
604 /* ARGSUSED */
605 int
606 seteuid(struct thread *td, struct seteuid_args *uap)
607 {
608 struct proc *p = td->td_proc;
609 struct ucred *newcred, *oldcred;
610 uid_t euid;
611 struct uidinfo *euip;
612 int error;
613
614 euid = uap->euid;
615 AUDIT_ARG(euid, euid);
616 newcred = crget();
617 euip = uifind(euid);
618 PROC_LOCK(p);
619 oldcred = p->p_ucred;
620
621 #ifdef MAC
622 error = mac_check_proc_seteuid(p, oldcred, euid);
623 if (error)
624 goto fail;
625 #endif
626
627 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
628 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
629 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
630 goto fail;
631
632 /*
633 * Everything's okay, do it. Copy credentials so other references do
634 * not see our changes.
635 */
636 crcopy(newcred, oldcred);
637 if (oldcred->cr_uid != euid) {
638 change_euid(newcred, euip);
639 setsugid(p);
640 }
641 p->p_ucred = newcred;
642 PROC_UNLOCK(p);
643 uifree(euip);
644 crfree(oldcred);
645 return (0);
646
647 fail:
648 PROC_UNLOCK(p);
649 uifree(euip);
650 crfree(newcred);
651 return (error);
652 }
653
654 #ifndef _SYS_SYSPROTO_H_
655 struct setgid_args {
656 gid_t gid;
657 };
658 #endif
659 /*
660 * MPSAFE
661 */
662 /* ARGSUSED */
663 int
664 setgid(struct thread *td, struct setgid_args *uap)
665 {
666 struct proc *p = td->td_proc;
667 struct ucred *newcred, *oldcred;
668 gid_t gid;
669 int error;
670
671 gid = uap->gid;
672 AUDIT_ARG(gid, gid);
673 newcred = crget();
674 PROC_LOCK(p);
675 oldcred = p->p_ucred;
676
677 #ifdef MAC
678 error = mac_check_proc_setgid(p, oldcred, gid);
679 if (error)
680 goto fail;
681 #endif
682
683 /*
684 * See if we have "permission" by POSIX 1003.1 rules.
685 *
686 * Note that setgid(getegid()) is a special case of
687 * "appropriate privileges" in appendix B.4.2.2. We need
688 * to use this clause to be compatible with traditional BSD
689 * semantics. Basically, it means that "setgid(xx)" sets all
690 * three id's (assuming you have privs).
691 *
692 * For notes on the logic here, see setuid() above.
693 */
694 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
695 #ifdef _POSIX_SAVED_IDS
696 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
697 #endif
698 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
699 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
700 #endif
701 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
702 goto fail;
703
704 crcopy(newcred, oldcred);
705 #ifdef _POSIX_SAVED_IDS
706 /*
707 * Do we have "appropriate privileges" (are we root or gid == egid)
708 * If so, we are changing the real uid and saved gid.
709 */
710 if (
711 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
712 gid == oldcred->cr_groups[0] ||
713 #endif
714 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
715 #endif
716 {
717 /*
718 * Set real gid
719 */
720 if (oldcred->cr_rgid != gid) {
721 change_rgid(newcred, gid);
722 setsugid(p);
723 }
724 /*
725 * Set saved gid
726 *
727 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
728 * the security of setegid() depends on it. B.4.2.2 says it
729 * is important that we should do this.
730 */
731 if (oldcred->cr_svgid != gid) {
732 change_svgid(newcred, gid);
733 setsugid(p);
734 }
735 }
736 /*
737 * In all cases permitted cases, we are changing the egid.
738 * Copy credentials so other references do not see our changes.
739 */
740 if (oldcred->cr_groups[0] != gid) {
741 change_egid(newcred, gid);
742 setsugid(p);
743 }
744 p->p_ucred = newcred;
745 PROC_UNLOCK(p);
746 crfree(oldcred);
747 return (0);
748
749 fail:
750 PROC_UNLOCK(p);
751 crfree(newcred);
752 return (error);
753 }
754
755 #ifndef _SYS_SYSPROTO_H_
756 struct setegid_args {
757 gid_t egid;
758 };
759 #endif
760 /*
761 * MPSAFE
762 */
763 /* ARGSUSED */
764 int
765 setegid(struct thread *td, struct setegid_args *uap)
766 {
767 struct proc *p = td->td_proc;
768 struct ucred *newcred, *oldcred;
769 gid_t egid;
770 int error;
771
772 egid = uap->egid;
773 AUDIT_ARG(egid, egid);
774 newcred = crget();
775 PROC_LOCK(p);
776 oldcred = p->p_ucred;
777
778 #ifdef MAC
779 error = mac_check_proc_setegid(p, oldcred, egid);
780 if (error)
781 goto fail;
782 #endif
783
784 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
785 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
786 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
787 goto fail;
788
789 crcopy(newcred, oldcred);
790 if (oldcred->cr_groups[0] != egid) {
791 change_egid(newcred, egid);
792 setsugid(p);
793 }
794 p->p_ucred = newcred;
795 PROC_UNLOCK(p);
796 crfree(oldcred);
797 return (0);
798
799 fail:
800 PROC_UNLOCK(p);
801 crfree(newcred);
802 return (error);
803 }
804
805 #ifndef _SYS_SYSPROTO_H_
806 struct setgroups_args {
807 u_int gidsetsize;
808 gid_t *gidset;
809 };
810 #endif
811 /*
812 * MPSAFE
813 */
814 /* ARGSUSED */
815 int
816 setgroups(struct thread *td, struct setgroups_args *uap)
817 {
818 struct proc *p = td->td_proc;
819 struct ucred *newcred, *tempcred, *oldcred;
820 u_int ngrp;
821 int error;
822
823 ngrp = uap->gidsetsize;
824 if (ngrp > NGROUPS)
825 return (EINVAL);
826 tempcred = crget();
827 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
828 if (error != 0) {
829 crfree(tempcred);
830 return (error);
831 }
832 AUDIT_ARG(groupset, tempcred->cr_groups, ngrp);
833 newcred = crget();
834 PROC_LOCK(p);
835 oldcred = p->p_ucred;
836
837 #ifdef MAC
838 error = mac_check_proc_setgroups(p, oldcred, ngrp,
839 tempcred->cr_groups);
840 if (error)
841 goto fail;
842 #endif
843
844 error = suser_cred(oldcred, SUSER_ALLOWJAIL);
845 if (error)
846 goto fail;
847
848 /*
849 * XXX A little bit lazy here. We could test if anything has
850 * changed before crcopy() and setting P_SUGID.
851 */
852 crcopy(newcred, oldcred);
853 if (ngrp < 1) {
854 /*
855 * setgroups(0, NULL) is a legitimate way of clearing the
856 * groups vector on non-BSD systems (which generally do not
857 * have the egid in the groups[0]). We risk security holes
858 * when running non-BSD software if we do not do the same.
859 */
860 newcred->cr_ngroups = 1;
861 } else {
862 bcopy(tempcred->cr_groups, newcred->cr_groups,
863 ngrp * sizeof(gid_t));
864 newcred->cr_ngroups = ngrp;
865 }
866 setsugid(p);
867 p->p_ucred = newcred;
868 PROC_UNLOCK(p);
869 crfree(tempcred);
870 crfree(oldcred);
871 return (0);
872
873 fail:
874 PROC_UNLOCK(p);
875 crfree(newcred);
876 crfree(tempcred);
877 return (error);
878 }
879
880 #ifndef _SYS_SYSPROTO_H_
881 struct setreuid_args {
882 uid_t ruid;
883 uid_t euid;
884 };
885 #endif
886 /*
887 * MPSAFE
888 */
889 /* ARGSUSED */
890 int
891 setreuid(register struct thread *td, struct setreuid_args *uap)
892 {
893 struct proc *p = td->td_proc;
894 struct ucred *newcred, *oldcred;
895 uid_t euid, ruid;
896 struct uidinfo *euip, *ruip;
897 int error;
898
899 euid = uap->euid;
900 ruid = uap->ruid;
901 AUDIT_ARG(euid, euid);
902 AUDIT_ARG(ruid, ruid);
903 newcred = crget();
904 euip = uifind(euid);
905 ruip = uifind(ruid);
906 PROC_LOCK(p);
907 oldcred = p->p_ucred;
908
909 #ifdef MAC
910 error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
911 if (error)
912 goto fail;
913 #endif
914
915 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
916 ruid != oldcred->cr_svuid) ||
917 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
918 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
919 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
920 goto fail;
921
922 crcopy(newcred, oldcred);
923 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
924 change_euid(newcred, euip);
925 setsugid(p);
926 }
927 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
928 change_ruid(newcred, ruip);
929 setsugid(p);
930 }
931 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
932 newcred->cr_svuid != newcred->cr_uid) {
933 change_svuid(newcred, newcred->cr_uid);
934 setsugid(p);
935 }
936 p->p_ucred = newcred;
937 PROC_UNLOCK(p);
938 uifree(ruip);
939 uifree(euip);
940 crfree(oldcred);
941 return (0);
942
943 fail:
944 PROC_UNLOCK(p);
945 uifree(ruip);
946 uifree(euip);
947 crfree(newcred);
948 return (error);
949 }
950
951 #ifndef _SYS_SYSPROTO_H_
952 struct setregid_args {
953 gid_t rgid;
954 gid_t egid;
955 };
956 #endif
957 /*
958 * MPSAFE
959 */
960 /* ARGSUSED */
961 int
962 setregid(register struct thread *td, struct setregid_args *uap)
963 {
964 struct proc *p = td->td_proc;
965 struct ucred *newcred, *oldcred;
966 gid_t egid, rgid;
967 int error;
968
969 egid = uap->egid;
970 rgid = uap->rgid;
971 AUDIT_ARG(egid, egid);
972 AUDIT_ARG(rgid, rgid);
973 newcred = crget();
974 PROC_LOCK(p);
975 oldcred = p->p_ucred;
976
977 #ifdef MAC
978 error = mac_check_proc_setregid(p, oldcred, rgid, egid);
979 if (error)
980 goto fail;
981 #endif
982
983 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
984 rgid != oldcred->cr_svgid) ||
985 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
986 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
987 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
988 goto fail;
989
990 crcopy(newcred, oldcred);
991 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
992 change_egid(newcred, egid);
993 setsugid(p);
994 }
995 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
996 change_rgid(newcred, rgid);
997 setsugid(p);
998 }
999 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
1000 newcred->cr_svgid != newcred->cr_groups[0]) {
1001 change_svgid(newcred, newcred->cr_groups[0]);
1002 setsugid(p);
1003 }
1004 p->p_ucred = newcred;
1005 PROC_UNLOCK(p);
1006 crfree(oldcred);
1007 return (0);
1008
1009 fail:
1010 PROC_UNLOCK(p);
1011 crfree(newcred);
1012 return (error);
1013 }
1014
1015 /*
1016 * setresuid(ruid, euid, suid) is like setreuid except control over the
1017 * saved uid is explicit.
1018 */
1019
1020 #ifndef _SYS_SYSPROTO_H_
1021 struct setresuid_args {
1022 uid_t ruid;
1023 uid_t euid;
1024 uid_t suid;
1025 };
1026 #endif
1027 /*
1028 * MPSAFE
1029 */
1030 /* ARGSUSED */
1031 int
1032 setresuid(register struct thread *td, struct setresuid_args *uap)
1033 {
1034 struct proc *p = td->td_proc;
1035 struct ucred *newcred, *oldcred;
1036 uid_t euid, ruid, suid;
1037 struct uidinfo *euip, *ruip;
1038 int error;
1039
1040 euid = uap->euid;
1041 ruid = uap->ruid;
1042 suid = uap->suid;
1043 AUDIT_ARG(euid, euid);
1044 AUDIT_ARG(ruid, ruid);
1045 AUDIT_ARG(suid, suid);
1046 newcred = crget();
1047 euip = uifind(euid);
1048 ruip = uifind(ruid);
1049 PROC_LOCK(p);
1050 oldcred = p->p_ucred;
1051
1052 #ifdef MAC
1053 error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
1054 if (error)
1055 goto fail;
1056 #endif
1057
1058 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1059 ruid != oldcred->cr_svuid &&
1060 ruid != oldcred->cr_uid) ||
1061 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1062 euid != oldcred->cr_svuid &&
1063 euid != oldcred->cr_uid) ||
1064 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1065 suid != oldcred->cr_svuid &&
1066 suid != oldcred->cr_uid)) &&
1067 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1068 goto fail;
1069
1070 crcopy(newcred, oldcred);
1071 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1072 change_euid(newcred, euip);
1073 setsugid(p);
1074 }
1075 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1076 change_ruid(newcred, ruip);
1077 setsugid(p);
1078 }
1079 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1080 change_svuid(newcred, suid);
1081 setsugid(p);
1082 }
1083 p->p_ucred = newcred;
1084 PROC_UNLOCK(p);
1085 uifree(ruip);
1086 uifree(euip);
1087 crfree(oldcred);
1088 return (0);
1089
1090 fail:
1091 PROC_UNLOCK(p);
1092 uifree(ruip);
1093 uifree(euip);
1094 crfree(newcred);
1095 return (error);
1096
1097 }
1098
1099 /*
1100 * setresgid(rgid, egid, sgid) is like setregid except control over the
1101 * saved gid is explicit.
1102 */
1103
1104 #ifndef _SYS_SYSPROTO_H_
1105 struct setresgid_args {
1106 gid_t rgid;
1107 gid_t egid;
1108 gid_t sgid;
1109 };
1110 #endif
1111 /*
1112 * MPSAFE
1113 */
1114 /* ARGSUSED */
1115 int
1116 setresgid(register struct thread *td, struct setresgid_args *uap)
1117 {
1118 struct proc *p = td->td_proc;
1119 struct ucred *newcred, *oldcred;
1120 gid_t egid, rgid, sgid;
1121 int error;
1122
1123 egid = uap->egid;
1124 rgid = uap->rgid;
1125 sgid = uap->sgid;
1126 AUDIT_ARG(egid, egid);
1127 AUDIT_ARG(rgid, rgid);
1128 AUDIT_ARG(sgid, sgid);
1129 newcred = crget();
1130 PROC_LOCK(p);
1131 oldcred = p->p_ucred;
1132
1133 #ifdef MAC
1134 error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
1135 if (error)
1136 goto fail;
1137 #endif
1138
1139 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1140 rgid != oldcred->cr_svgid &&
1141 rgid != oldcred->cr_groups[0]) ||
1142 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1143 egid != oldcred->cr_svgid &&
1144 egid != oldcred->cr_groups[0]) ||
1145 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1146 sgid != oldcred->cr_svgid &&
1147 sgid != oldcred->cr_groups[0])) &&
1148 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1149 goto fail;
1150
1151 crcopy(newcred, oldcred);
1152 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1153 change_egid(newcred, egid);
1154 setsugid(p);
1155 }
1156 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1157 change_rgid(newcred, rgid);
1158 setsugid(p);
1159 }
1160 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1161 change_svgid(newcred, sgid);
1162 setsugid(p);
1163 }
1164 p->p_ucred = newcred;
1165 PROC_UNLOCK(p);
1166 crfree(oldcred);
1167 return (0);
1168
1169 fail:
1170 PROC_UNLOCK(p);
1171 crfree(newcred);
1172 return (error);
1173 }
1174
1175 #ifndef _SYS_SYSPROTO_H_
1176 struct getresuid_args {
1177 uid_t *ruid;
1178 uid_t *euid;
1179 uid_t *suid;
1180 };
1181 #endif
1182 /*
1183 * MPSAFE
1184 */
1185 /* ARGSUSED */
1186 int
1187 getresuid(register struct thread *td, struct getresuid_args *uap)
1188 {
1189 struct ucred *cred;
1190 int error1 = 0, error2 = 0, error3 = 0;
1191
1192 cred = td->td_ucred;
1193 if (uap->ruid)
1194 error1 = copyout(&cred->cr_ruid,
1195 uap->ruid, sizeof(cred->cr_ruid));
1196 if (uap->euid)
1197 error2 = copyout(&cred->cr_uid,
1198 uap->euid, sizeof(cred->cr_uid));
1199 if (uap->suid)
1200 error3 = copyout(&cred->cr_svuid,
1201 uap->suid, sizeof(cred->cr_svuid));
1202 return (error1 ? error1 : error2 ? error2 : error3);
1203 }
1204
1205 #ifndef _SYS_SYSPROTO_H_
1206 struct getresgid_args {
1207 gid_t *rgid;
1208 gid_t *egid;
1209 gid_t *sgid;
1210 };
1211 #endif
1212 /*
1213 * MPSAFE
1214 */
1215 /* ARGSUSED */
1216 int
1217 getresgid(register struct thread *td, struct getresgid_args *uap)
1218 {
1219 struct ucred *cred;
1220 int error1 = 0, error2 = 0, error3 = 0;
1221
1222 cred = td->td_ucred;
1223 if (uap->rgid)
1224 error1 = copyout(&cred->cr_rgid,
1225 uap->rgid, sizeof(cred->cr_rgid));
1226 if (uap->egid)
1227 error2 = copyout(&cred->cr_groups[0],
1228 uap->egid, sizeof(cred->cr_groups[0]));
1229 if (uap->sgid)
1230 error3 = copyout(&cred->cr_svgid,
1231 uap->sgid, sizeof(cred->cr_svgid));
1232 return (error1 ? error1 : error2 ? error2 : error3);
1233 }
1234
1235 #ifndef _SYS_SYSPROTO_H_
1236 struct issetugid_args {
1237 int dummy;
1238 };
1239 #endif
1240 /*
1241 * MPSAFE
1242 */
1243 /* ARGSUSED */
1244 int
1245 issetugid(register struct thread *td, struct issetugid_args *uap)
1246 {
1247 struct proc *p = td->td_proc;
1248
1249 /*
1250 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1251 * we use P_SUGID because we consider changing the owners as
1252 * "tainting" as well.
1253 * This is significant for procs that start as root and "become"
1254 * a user without an exec - programs cannot know *everything*
1255 * that libc *might* have put in their data segment.
1256 */
1257 PROC_LOCK(p);
1258 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1259 PROC_UNLOCK(p);
1260 return (0);
1261 }
1262
1263 /*
1264 * MPSAFE
1265 */
1266 int
1267 __setugid(struct thread *td, struct __setugid_args *uap)
1268 {
1269 #ifdef REGRESSION
1270 struct proc *p;
1271
1272 p = td->td_proc;
1273 switch (uap->flag) {
1274 case 0:
1275 PROC_LOCK(p);
1276 p->p_flag &= ~P_SUGID;
1277 PROC_UNLOCK(p);
1278 return (0);
1279 case 1:
1280 PROC_LOCK(p);
1281 p->p_flag |= P_SUGID;
1282 PROC_UNLOCK(p);
1283 return (0);
1284 default:
1285 return (EINVAL);
1286 }
1287 #else /* !REGRESSION */
1288
1289 return (ENOSYS);
1290 #endif /* REGRESSION */
1291 }
1292
1293 /*
1294 * Check if gid is a member of the group set.
1295 *
1296 * MPSAFE (cred must be held)
1297 */
1298 int
1299 groupmember(gid_t gid, struct ucred *cred)
1300 {
1301 register gid_t *gp;
1302 gid_t *egp;
1303
1304 egp = &(cred->cr_groups[cred->cr_ngroups]);
1305 for (gp = cred->cr_groups; gp < egp; gp++)
1306 if (*gp == gid)
1307 return (1);
1308 return (0);
1309 }
1310
1311 /*
1312 * `suser_enabled' (which can be set by the security.suser_enabled
1313 * sysctl) determines whether the system 'super-user' policy is in effect.
1314 * If it is nonzero, an effective uid of 0 connotes special privilege,
1315 * overriding many mandatory and discretionary protections. If it is zero,
1316 * uid 0 is offered no special privilege in the kernel security policy.
1317 * Setting it to zero may seriously impact the functionality of many
1318 * existing userland programs, and should not be done without careful
1319 * consideration of the consequences.
1320 */
1321 int suser_enabled = 1;
1322 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1323 &suser_enabled, 0, "processes with uid 0 have privilege");
1324 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1325
1326 /*
1327 * Test whether the specified credentials imply "super-user" privilege.
1328 * Return 0 or EPERM.
1329 */
1330 int
1331 suser_cred(struct ucred *cred, int flag)
1332 {
1333
1334 if (!suser_enabled)
1335 return (EPERM);
1336 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
1337 return (EPERM);
1338 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
1339 return (EPERM);
1340 return (0);
1341 }
1342
1343 /*
1344 * Shortcut to hide contents of struct td and struct proc from the
1345 * caller, promoting binary compatibility.
1346 */
1347 int
1348 suser(struct thread *td)
1349 {
1350
1351 #ifdef INVARIANTS
1352 if (td != curthread) {
1353 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
1354 td, td->td_proc->p_pid, td->td_proc->p_comm,
1355 curthread, curthread->td_proc->p_pid,
1356 curthread->td_proc->p_comm);
1357 #ifdef KDB
1358 kdb_backtrace();
1359 #endif
1360 }
1361 #endif
1362 return (suser_cred(td->td_ucred, 0));
1363 }
1364
1365 /*
1366 * Test the active securelevel against a given level. securelevel_gt()
1367 * implements (securelevel > level). securelevel_ge() implements
1368 * (securelevel >= level). Note that the logic is inverted -- these
1369 * functions return EPERM on "success" and 0 on "failure".
1370 *
1371 * MPSAFE
1372 */
1373 int
1374 securelevel_gt(struct ucred *cr, int level)
1375 {
1376 int active_securelevel;
1377
1378 active_securelevel = securelevel;
1379 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1380 if (cr->cr_prison != NULL)
1381 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1382 active_securelevel);
1383 return (active_securelevel > level ? EPERM : 0);
1384 }
1385
1386 int
1387 securelevel_ge(struct ucred *cr, int level)
1388 {
1389 int active_securelevel;
1390
1391 active_securelevel = securelevel;
1392 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1393 if (cr->cr_prison != NULL)
1394 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1395 active_securelevel);
1396 return (active_securelevel >= level ? EPERM : 0);
1397 }
1398
1399 /*
1400 * 'see_other_uids' determines whether or not visibility of processes
1401 * and sockets with credentials holding different real uids is possible
1402 * using a variety of system MIBs.
1403 * XXX: data declarations should be together near the beginning of the file.
1404 */
1405 static int see_other_uids = 1;
1406 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1407 &see_other_uids, 0,
1408 "Unprivileged processes may see subjects/objects with different real uid");
1409
1410 /*-
1411 * Determine if u1 "can see" the subject specified by u2, according to the
1412 * 'see_other_uids' policy.
1413 * Returns: 0 for permitted, ESRCH otherwise
1414 * Locks: none
1415 * References: *u1 and *u2 must not change during the call
1416 * u1 may equal u2, in which case only one reference is required
1417 */
1418 static int
1419 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1420 {
1421
1422 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1423 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1424 return (ESRCH);
1425 }
1426 return (0);
1427 }
1428
1429 /*
1430 * 'see_other_gids' determines whether or not visibility of processes
1431 * and sockets with credentials holding different real gids is possible
1432 * using a variety of system MIBs.
1433 * XXX: data declarations should be together near the beginning of the file.
1434 */
1435 static int see_other_gids = 1;
1436 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1437 &see_other_gids, 0,
1438 "Unprivileged processes may see subjects/objects with different real gid");
1439
1440 /*
1441 * Determine if u1 can "see" the subject specified by u2, according to the
1442 * 'see_other_gids' policy.
1443 * Returns: 0 for permitted, ESRCH otherwise
1444 * Locks: none
1445 * References: *u1 and *u2 must not change during the call
1446 * u1 may equal u2, in which case only one reference is required
1447 */
1448 static int
1449 cr_seeothergids(struct ucred *u1, struct ucred *u2)
1450 {
1451 int i, match;
1452
1453 if (!see_other_gids) {
1454 match = 0;
1455 for (i = 0; i < u1->cr_ngroups; i++) {
1456 if (groupmember(u1->cr_groups[i], u2))
1457 match = 1;
1458 if (match)
1459 break;
1460 }
1461 if (!match) {
1462 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1463 return (ESRCH);
1464 }
1465 }
1466 return (0);
1467 }
1468
1469 /*-
1470 * Determine if u1 "can see" the subject specified by u2.
1471 * Returns: 0 for permitted, an errno value otherwise
1472 * Locks: none
1473 * References: *u1 and *u2 must not change during the call
1474 * u1 may equal u2, in which case only one reference is required
1475 */
1476 int
1477 cr_cansee(struct ucred *u1, struct ucred *u2)
1478 {
1479 int error;
1480
1481 if ((error = prison_check(u1, u2)))
1482 return (error);
1483 #ifdef MAC
1484 if ((error = mac_check_cred_visible(u1, u2)))
1485 return (error);
1486 #endif
1487 if ((error = cr_seeotheruids(u1, u2)))
1488 return (error);
1489 if ((error = cr_seeothergids(u1, u2)))
1490 return (error);
1491 return (0);
1492 }
1493
1494 /*-
1495 * Determine if td "can see" the subject specified by p.
1496 * Returns: 0 for permitted, an errno value otherwise
1497 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1498 * should be curthread.
1499 * References: td and p must be valid for the lifetime of the call
1500 */
1501 int
1502 p_cansee(struct thread *td, struct proc *p)
1503 {
1504
1505 /* Wrap cr_cansee() for all functionality. */
1506 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1507 PROC_LOCK_ASSERT(p, MA_OWNED);
1508 return (cr_cansee(td->td_ucred, p->p_ucred));
1509 }
1510
1511 /*
1512 * 'conservative_signals' prevents the delivery of a broad class of
1513 * signals by unprivileged processes to processes that have changed their
1514 * credentials since the last invocation of execve(). This can prevent
1515 * the leakage of cached information or retained privileges as a result
1516 * of a common class of signal-related vulnerabilities. However, this
1517 * may interfere with some applications that expect to be able to
1518 * deliver these signals to peer processes after having given up
1519 * privilege.
1520 */
1521 static int conservative_signals = 1;
1522 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1523 &conservative_signals, 0, "Unprivileged processes prevented from "
1524 "sending certain signals to processes whose credentials have changed");
1525 /*-
1526 * Determine whether cred may deliver the specified signal to proc.
1527 * Returns: 0 for permitted, an errno value otherwise.
1528 * Locks: A lock must be held for proc.
1529 * References: cred and proc must be valid for the lifetime of the call.
1530 */
1531 int
1532 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1533 {
1534 int error;
1535
1536 PROC_LOCK_ASSERT(proc, MA_OWNED);
1537 /*
1538 * Jail semantics limit the scope of signalling to proc in the
1539 * same jail as cred, if cred is in jail.
1540 */
1541 error = prison_check(cred, proc->p_ucred);
1542 if (error)
1543 return (error);
1544 #ifdef MAC
1545 if ((error = mac_check_proc_signal(cred, proc, signum)))
1546 return (error);
1547 #endif
1548 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1549 return (error);
1550 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1551 return (error);
1552
1553 /*
1554 * UNIX signal semantics depend on the status of the P_SUGID
1555 * bit on the target process. If the bit is set, then additional
1556 * restrictions are placed on the set of available signals.
1557 */
1558 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1559 switch (signum) {
1560 case 0:
1561 case SIGKILL:
1562 case SIGINT:
1563 case SIGTERM:
1564 case SIGALRM:
1565 case SIGSTOP:
1566 case SIGTTIN:
1567 case SIGTTOU:
1568 case SIGTSTP:
1569 case SIGHUP:
1570 case SIGUSR1:
1571 case SIGUSR2:
1572 /*
1573 * Generally, permit job and terminal control
1574 * signals.
1575 */
1576 break;
1577 default:
1578 /* Not permitted without privilege. */
1579 error = suser_cred(cred, SUSER_ALLOWJAIL);
1580 if (error)
1581 return (error);
1582 }
1583 }
1584
1585 /*
1586 * Generally, the target credential's ruid or svuid must match the
1587 * subject credential's ruid or euid.
1588 */
1589 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1590 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1591 cred->cr_uid != proc->p_ucred->cr_ruid &&
1592 cred->cr_uid != proc->p_ucred->cr_svuid) {
1593 /* Not permitted without privilege. */
1594 error = suser_cred(cred, SUSER_ALLOWJAIL);
1595 if (error)
1596 return (error);
1597 }
1598
1599 return (0);
1600 }
1601
1602
1603 /*-
1604 * Determine whether td may deliver the specified signal to p.
1605 * Returns: 0 for permitted, an errno value otherwise
1606 * Locks: Sufficient locks to protect various components of td and p
1607 * must be held. td must be curthread, and a lock must be
1608 * held for p.
1609 * References: td and p must be valid for the lifetime of the call
1610 */
1611 int
1612 p_cansignal(struct thread *td, struct proc *p, int signum)
1613 {
1614
1615 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1616 PROC_LOCK_ASSERT(p, MA_OWNED);
1617 if (td->td_proc == p)
1618 return (0);
1619
1620 /*
1621 * UNIX signalling semantics require that processes in the same
1622 * session always be able to deliver SIGCONT to one another,
1623 * overriding the remaining protections.
1624 */
1625 /* XXX: This will require an additional lock of some sort. */
1626 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1627 return (0);
1628 /*
1629 * Some compat layers use SIGTHR and higher signals for
1630 * communication between different kernel threads of the same
1631 * process, so that they expect that it's always possible to
1632 * deliver them, even for suid applications where cr_cansignal() can
1633 * deny such ability for security consideration. It should be
1634 * pretty safe to do since the only way to create two processes
1635 * with the same p_leader is via rfork(2).
1636 */
1637 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
1638 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
1639 return (0);
1640
1641 return (cr_cansignal(td->td_ucred, p, signum));
1642 }
1643
1644 /*-
1645 * Determine whether td may reschedule p.
1646 * Returns: 0 for permitted, an errno value otherwise
1647 * Locks: Sufficient locks to protect various components of td and p
1648 * must be held. td must be curthread, and a lock must
1649 * be held for p.
1650 * References: td and p must be valid for the lifetime of the call
1651 */
1652 int
1653 p_cansched(struct thread *td, struct proc *p)
1654 {
1655 int error;
1656
1657 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1658 PROC_LOCK_ASSERT(p, MA_OWNED);
1659 if (td->td_proc == p)
1660 return (0);
1661 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1662 return (error);
1663 #ifdef MAC
1664 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1665 return (error);
1666 #endif
1667 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1668 return (error);
1669 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1670 return (error);
1671 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1672 return (0);
1673 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1674 return (0);
1675 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
1676 return (0);
1677
1678 #ifdef CAPABILITIES
1679 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
1680 return (0);
1681 #endif
1682
1683 return (EPERM);
1684 }
1685
1686 /*
1687 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1688 * unprivileged inter-process debugging services, including some procfs
1689 * functionality, ptrace(), and ktrace(). In the past, inter-process
1690 * debugging has been involved in a variety of security problems, and sites
1691 * not requiring the service might choose to disable it when hardening
1692 * systems.
1693 *
1694 * XXX: Should modifying and reading this variable require locking?
1695 * XXX: data declarations should be together near the beginning of the file.
1696 */
1697 static int unprivileged_proc_debug = 1;
1698 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1699 &unprivileged_proc_debug, 0,
1700 "Unprivileged processes may use process debugging facilities");
1701
1702 /*-
1703 * Determine whether td may debug p.
1704 * Returns: 0 for permitted, an errno value otherwise
1705 * Locks: Sufficient locks to protect various components of td and p
1706 * must be held. td must be curthread, and a lock must
1707 * be held for p.
1708 * References: td and p must be valid for the lifetime of the call
1709 */
1710 int
1711 p_candebug(struct thread *td, struct proc *p)
1712 {
1713 int credentialchanged, error, grpsubset, i, uidsubset;
1714
1715 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1716 PROC_LOCK_ASSERT(p, MA_OWNED);
1717 if (!unprivileged_proc_debug) {
1718 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1719 if (error)
1720 return (error);
1721 }
1722 if (td->td_proc == p)
1723 return (0);
1724 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1725 return (error);
1726 #ifdef MAC
1727 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1728 return (error);
1729 #endif
1730 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1731 return (error);
1732 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1733 return (error);
1734
1735 /*
1736 * Is p's group set a subset of td's effective group set? This
1737 * includes p's egid, group access list, rgid, and svgid.
1738 */
1739 grpsubset = 1;
1740 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1741 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1742 grpsubset = 0;
1743 break;
1744 }
1745 }
1746 grpsubset = grpsubset &&
1747 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1748 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1749
1750 /*
1751 * Are the uids present in p's credential equal to td's
1752 * effective uid? This includes p's euid, svuid, and ruid.
1753 */
1754 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1755 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1756 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1757
1758 /*
1759 * Has the credential of the process changed since the last exec()?
1760 */
1761 credentialchanged = (p->p_flag & P_SUGID);
1762
1763 /*
1764 * If p's gids aren't a subset, or the uids aren't a subset,
1765 * or the credential has changed, require appropriate privilege
1766 * for td to debug p. For POSIX.1e capabilities, this will
1767 * require CAP_SYS_PTRACE.
1768 */
1769 if (!grpsubset || !uidsubset || credentialchanged) {
1770 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1771 if (error)
1772 return (error);
1773 }
1774
1775 /* Can't trace init when securelevel > 0. */
1776 if (p == initproc) {
1777 error = securelevel_gt(td->td_ucred, 0);
1778 if (error)
1779 return (error);
1780 }
1781
1782 /*
1783 * Can't trace a process that's currently exec'ing.
1784 * XXX: Note, this is not a security policy decision, it's a
1785 * basic correctness/functionality decision. Therefore, this check
1786 * should be moved to the caller's of p_candebug().
1787 */
1788 if ((p->p_flag & P_INEXEC) != 0)
1789 return (EAGAIN);
1790
1791 return (0);
1792 }
1793
1794 /*-
1795 * Determine whether the subject represented by cred can "see" a socket.
1796 * Returns: 0 for permitted, ENOENT otherwise.
1797 */
1798 int
1799 cr_canseesocket(struct ucred *cred, struct socket *so)
1800 {
1801 int error;
1802
1803 error = prison_check(cred, so->so_cred);
1804 if (error)
1805 return (ENOENT);
1806 #ifdef MAC
1807 SOCK_LOCK(so);
1808 error = mac_check_socket_visible(cred, so);
1809 SOCK_UNLOCK(so);
1810 if (error)
1811 return (error);
1812 #endif
1813 if (cr_seeotheruids(cred, so->so_cred))
1814 return (ENOENT);
1815 if (cr_seeothergids(cred, so->so_cred))
1816 return (ENOENT);
1817
1818 return (0);
1819 }
1820
1821 /*-
1822 * Determine whether td can wait for the exit of p.
1823 * Returns: 0 for permitted, an errno value otherwise
1824 * Locks: Sufficient locks to protect various components of td and p
1825 * must be held. td must be curthread, and a lock must
1826 * be held for p.
1827 * References: td and p must be valid for the lifetime of the call
1828
1829 */
1830 int
1831 p_canwait(struct thread *td, struct proc *p)
1832 {
1833 int error;
1834
1835 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1836 PROC_LOCK_ASSERT(p, MA_OWNED);
1837 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1838 return (error);
1839 #ifdef MAC
1840 if ((error = mac_check_proc_wait(td->td_ucred, p)))
1841 return (error);
1842 #endif
1843 #if 0
1844 /* XXXMAC: This could have odd effects on some shells. */
1845 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1846 return (error);
1847 #endif
1848
1849 return (0);
1850 }
1851
1852 /*
1853 * Allocate a zeroed cred structure.
1854 * MPSAFE
1855 */
1856 struct ucred *
1857 crget(void)
1858 {
1859 register struct ucred *cr;
1860
1861 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1862 refcount_init(&cr->cr_ref, 1);
1863 #ifdef MAC
1864 mac_init_cred(cr);
1865 #endif
1866 return (cr);
1867 }
1868
1869 /*
1870 * Claim another reference to a ucred structure.
1871 * MPSAFE
1872 */
1873 struct ucred *
1874 crhold(struct ucred *cr)
1875 {
1876
1877 refcount_acquire(&cr->cr_ref);
1878 return (cr);
1879 }
1880
1881 /*
1882 * Free a cred structure.
1883 * Throws away space when ref count gets to 0.
1884 * MPSAFE
1885 */
1886 void
1887 crfree(struct ucred *cr)
1888 {
1889
1890 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1891 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred"));
1892 if (refcount_release(&cr->cr_ref)) {
1893 /*
1894 * Some callers of crget(), such as nfs_statfs(),
1895 * allocate a temporary credential, but don't
1896 * allocate a uidinfo structure.
1897 */
1898 if (cr->cr_uidinfo != NULL)
1899 uifree(cr->cr_uidinfo);
1900 if (cr->cr_ruidinfo != NULL)
1901 uifree(cr->cr_ruidinfo);
1902 /*
1903 * Free a prison, if any.
1904 */
1905 if (jailed(cr))
1906 prison_free(cr->cr_prison);
1907 #ifdef MAC
1908 mac_destroy_cred(cr);
1909 #endif
1910 FREE(cr, M_CRED);
1911 }
1912 }
1913
1914 /*
1915 * Check to see if this ucred is shared.
1916 * MPSAFE
1917 */
1918 int
1919 crshared(struct ucred *cr)
1920 {
1921
1922 return (cr->cr_ref > 1);
1923 }
1924
1925 /*
1926 * Copy a ucred's contents from a template. Does not block.
1927 * MPSAFE
1928 */
1929 void
1930 crcopy(struct ucred *dest, struct ucred *src)
1931 {
1932
1933 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1934 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1935 (unsigned)((caddr_t)&src->cr_endcopy -
1936 (caddr_t)&src->cr_startcopy));
1937 uihold(dest->cr_uidinfo);
1938 uihold(dest->cr_ruidinfo);
1939 if (jailed(dest))
1940 prison_hold(dest->cr_prison);
1941 #ifdef MAC
1942 mac_copy_cred(src, dest);
1943 #endif
1944 }
1945
1946 /*
1947 * Dup cred struct to a new held one.
1948 * MPSAFE
1949 */
1950 struct ucred *
1951 crdup(struct ucred *cr)
1952 {
1953 struct ucred *newcr;
1954
1955 newcr = crget();
1956 crcopy(newcr, cr);
1957 return (newcr);
1958 }
1959
1960 /*
1961 * Fill in a struct xucred based on a struct ucred.
1962 * MPSAFE
1963 */
1964 void
1965 cru2x(struct ucred *cr, struct xucred *xcr)
1966 {
1967
1968 bzero(xcr, sizeof(*xcr));
1969 xcr->cr_version = XUCRED_VERSION;
1970 xcr->cr_uid = cr->cr_uid;
1971 xcr->cr_ngroups = cr->cr_ngroups;
1972 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1973 }
1974
1975 /*
1976 * small routine to swap a thread's current ucred for the correct one
1977 * taken from the process.
1978 * MPSAFE
1979 */
1980 void
1981 cred_update_thread(struct thread *td)
1982 {
1983 struct proc *p;
1984 struct ucred *cred;
1985
1986 p = td->td_proc;
1987 cred = td->td_ucred;
1988 PROC_LOCK(p);
1989 td->td_ucred = crhold(p->p_ucred);
1990 PROC_UNLOCK(p);
1991 if (cred != NULL)
1992 crfree(cred);
1993 }
1994
1995 /*
1996 * Get login name, if available.
1997 */
1998 #ifndef _SYS_SYSPROTO_H_
1999 struct getlogin_args {
2000 char *namebuf;
2001 u_int namelen;
2002 };
2003 #endif
2004 /*
2005 * MPSAFE
2006 */
2007 /* ARGSUSED */
2008 int
2009 getlogin(struct thread *td, struct getlogin_args *uap)
2010 {
2011 int error;
2012 char login[MAXLOGNAME];
2013 struct proc *p = td->td_proc;
2014
2015 if (uap->namelen > MAXLOGNAME)
2016 uap->namelen = MAXLOGNAME;
2017 PROC_LOCK(p);
2018 SESS_LOCK(p->p_session);
2019 bcopy(p->p_session->s_login, login, uap->namelen);
2020 SESS_UNLOCK(p->p_session);
2021 PROC_UNLOCK(p);
2022 error = copyout(login, uap->namebuf, uap->namelen);
2023 return(error);
2024 }
2025
2026 /*
2027 * Set login name.
2028 */
2029 #ifndef _SYS_SYSPROTO_H_
2030 struct setlogin_args {
2031 char *namebuf;
2032 };
2033 #endif
2034 /*
2035 * MPSAFE
2036 */
2037 /* ARGSUSED */
2038 int
2039 setlogin(struct thread *td, struct setlogin_args *uap)
2040 {
2041 struct proc *p = td->td_proc;
2042 int error;
2043 char logintmp[MAXLOGNAME];
2044
2045 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
2046 if (error)
2047 return (error);
2048 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2049 if (error == ENAMETOOLONG)
2050 error = EINVAL;
2051 else if (!error) {
2052 PROC_LOCK(p);
2053 SESS_LOCK(p->p_session);
2054 (void) memcpy(p->p_session->s_login, logintmp,
2055 sizeof(logintmp));
2056 SESS_UNLOCK(p->p_session);
2057 PROC_UNLOCK(p);
2058 }
2059 return (error);
2060 }
2061
2062 void
2063 setsugid(struct proc *p)
2064 {
2065
2066 PROC_LOCK_ASSERT(p, MA_OWNED);
2067 p->p_flag |= P_SUGID;
2068 if (!(p->p_pfsflags & PF_ISUGID))
2069 p->p_stops = 0;
2070 }
2071
2072 /*-
2073 * Change a process's effective uid.
2074 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
2075 * References: newcred must be an exclusive credential reference for the
2076 * duration of the call.
2077 */
2078 void
2079 change_euid(struct ucred *newcred, struct uidinfo *euip)
2080 {
2081
2082 newcred->cr_uid = euip->ui_uid;
2083 uihold(euip);
2084 uifree(newcred->cr_uidinfo);
2085 newcred->cr_uidinfo = euip;
2086 }
2087
2088 /*-
2089 * Change a process's effective gid.
2090 * Side effects: newcred->cr_gid will be modified.
2091 * References: newcred must be an exclusive credential reference for the
2092 * duration of the call.
2093 */
2094 void
2095 change_egid(struct ucred *newcred, gid_t egid)
2096 {
2097
2098 newcred->cr_groups[0] = egid;
2099 }
2100
2101 /*-
2102 * Change a process's real uid.
2103 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
2104 * will be updated, and the old and new cr_ruidinfo proc
2105 * counts will be updated.
2106 * References: newcred must be an exclusive credential reference for the
2107 * duration of the call.
2108 */
2109 void
2110 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
2111 {
2112
2113 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
2114 newcred->cr_ruid = ruip->ui_uid;
2115 uihold(ruip);
2116 uifree(newcred->cr_ruidinfo);
2117 newcred->cr_ruidinfo = ruip;
2118 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2119 }
2120
2121 /*-
2122 * Change a process's real gid.
2123 * Side effects: newcred->cr_rgid will be updated.
2124 * References: newcred must be an exclusive credential reference for the
2125 * duration of the call.
2126 */
2127 void
2128 change_rgid(struct ucred *newcred, gid_t rgid)
2129 {
2130
2131 newcred->cr_rgid = rgid;
2132 }
2133
2134 /*-
2135 * Change a process's saved uid.
2136 * Side effects: newcred->cr_svuid will be updated.
2137 * References: newcred must be an exclusive credential reference for the
2138 * duration of the call.
2139 */
2140 void
2141 change_svuid(struct ucred *newcred, uid_t svuid)
2142 {
2143
2144 newcred->cr_svuid = svuid;
2145 }
2146
2147 /*-
2148 * Change a process's saved gid.
2149 * Side effects: newcred->cr_svgid will be updated.
2150 * References: newcred must be an exclusive credential reference for the
2151 * duration of the call.
2152 */
2153 void
2154 change_svgid(struct ucred *newcred, gid_t svgid)
2155 {
2156
2157 newcred->cr_svgid = svgid;
2158 }
Cache object: 8972d6ae526068b9db348128b547ac4f
|