The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
    3  *      The Regents of the University of California.  All rights reserved.
    4  * (c) UNIX System Laboratories, Inc.
    5  * All or some portions of this file are derived from material licensed
    6  * to the University of California by American Telephone and Telegraph
    7  * Co. or Unix System Laboratories, Inc. and are reproduced herein with
    8  * the permission of UNIX System Laboratories, Inc.
    9  * Copyright (c) 2000-2001 Robert N. M. Watson.  All rights reserved.
   10  *
   11  * Redistribution and use in source and binary forms, with or without
   12  * modification, are permitted provided that the following conditions
   13  * are met:
   14  * 1. Redistributions of source code must retain the above copyright
   15  *    notice, this list of conditions and the following disclaimer.
   16  * 2. Redistributions in binary form must reproduce the above copyright
   17  *    notice, this list of conditions and the following disclaimer in the
   18  *    documentation and/or other materials provided with the distribution.
   19  * 4. Neither the name of the University nor the names of its contributors
   20  *    may be used to endorse or promote products derived from this software
   21  *    without specific prior written permission.
   22  *
   23  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   33  * SUCH DAMAGE.
   34  *
   35  *      @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
   36  */
   37 
   38 /*
   39  * System calls related to processes and protection
   40  */
   41 
   42 #include <sys/cdefs.h>
   43 __FBSDID("$FreeBSD$");
   44 
   45 #include "opt_compat.h"
   46 #include "opt_mac.h"
   47 
   48 #include <sys/param.h>
   49 #include <sys/systm.h>
   50 #include <sys/acct.h>
   51 #include <sys/kdb.h>
   52 #include <sys/kernel.h>
   53 #include <sys/lock.h>
   54 #include <sys/mac.h>
   55 #include <sys/malloc.h>
   56 #include <sys/mutex.h>
   57 #include <sys/refcount.h>
   58 #include <sys/sx.h>
   59 #include <sys/proc.h>
   60 #include <sys/sysproto.h>
   61 #include <sys/jail.h>
   62 #include <sys/pioctl.h>
   63 #include <sys/resourcevar.h>
   64 #include <sys/socket.h>
   65 #include <sys/socketvar.h>
   66 #include <sys/sysctl.h>
   67 
   68 #include <security/audit/audit.h>
   69 
   70 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
   71 
   72 SYSCTL_DECL(_security);
   73 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
   74     "BSD security policy");
   75 
   76 #ifndef _SYS_SYSPROTO_H_
   77 struct getpid_args {
   78         int     dummy;
   79 };
   80 #endif
   81 /*
   82  * MPSAFE
   83  */
   84 /* ARGSUSED */
   85 int
   86 getpid(struct thread *td, struct getpid_args *uap)
   87 {
   88         struct proc *p = td->td_proc;
   89 
   90         td->td_retval[0] = p->p_pid;
   91 #if defined(COMPAT_43)
   92         PROC_LOCK(p);
   93         td->td_retval[1] = p->p_pptr->p_pid;
   94         PROC_UNLOCK(p);
   95 #endif
   96         return (0);
   97 }
   98 
   99 #ifndef _SYS_SYSPROTO_H_
  100 struct getppid_args {
  101         int     dummy;
  102 };
  103 #endif
  104 /*
  105  * MPSAFE
  106  */
  107 /* ARGSUSED */
  108 int
  109 getppid(struct thread *td, struct getppid_args *uap)
  110 {
  111         struct proc *p = td->td_proc;
  112 
  113         PROC_LOCK(p);
  114         td->td_retval[0] = p->p_pptr->p_pid;
  115         PROC_UNLOCK(p);
  116         return (0);
  117 }
  118 
  119 /*
  120  * Get process group ID; note that POSIX getpgrp takes no parameter.
  121  */
  122 #ifndef _SYS_SYSPROTO_H_
  123 struct getpgrp_args {
  124         int     dummy;
  125 };
  126 #endif
  127 /*
  128  * MPSAFE
  129  */
  130 int
  131 getpgrp(struct thread *td, struct getpgrp_args *uap)
  132 {
  133         struct proc *p = td->td_proc;
  134 
  135         PROC_LOCK(p);
  136         td->td_retval[0] = p->p_pgrp->pg_id;
  137         PROC_UNLOCK(p);
  138         return (0);
  139 }
  140 
  141 /* Get an arbitary pid's process group id */
  142 #ifndef _SYS_SYSPROTO_H_
  143 struct getpgid_args {
  144         pid_t   pid;
  145 };
  146 #endif
  147 /*
  148  * MPSAFE
  149  */
  150 int
  151 getpgid(struct thread *td, struct getpgid_args *uap)
  152 {
  153         struct proc *p;
  154         int error;
  155 
  156         if (uap->pid == 0) {
  157                 p = td->td_proc;
  158                 PROC_LOCK(p);
  159         } else {
  160                 p = pfind(uap->pid);
  161                 if (p == NULL)
  162                         return (ESRCH);
  163                 error = p_cansee(td, p);
  164                 if (error) {
  165                         PROC_UNLOCK(p);
  166                         return (error);
  167                 }
  168         }
  169         td->td_retval[0] = p->p_pgrp->pg_id;
  170         PROC_UNLOCK(p);
  171         return (0);
  172 }
  173 
  174 /*
  175  * Get an arbitary pid's session id.
  176  */
  177 #ifndef _SYS_SYSPROTO_H_
  178 struct getsid_args {
  179         pid_t   pid;
  180 };
  181 #endif
  182 /*
  183  * MPSAFE
  184  */
  185 int
  186 getsid(struct thread *td, struct getsid_args *uap)
  187 {
  188         struct proc *p;
  189         int error;
  190 
  191         if (uap->pid == 0) {
  192                 p = td->td_proc;
  193                 PROC_LOCK(p);
  194         } else {
  195                 p = pfind(uap->pid);
  196                 if (p == NULL)
  197                         return (ESRCH);
  198                 error = p_cansee(td, p);
  199                 if (error) {
  200                         PROC_UNLOCK(p);
  201                         return (error);
  202                 }
  203         }
  204         td->td_retval[0] = p->p_session->s_sid;
  205         PROC_UNLOCK(p);
  206         return (0);
  207 }
  208 
  209 #ifndef _SYS_SYSPROTO_H_
  210 struct getuid_args {
  211         int     dummy;
  212 };
  213 #endif
  214 /*
  215  * MPSAFE
  216  */
  217 /* ARGSUSED */
  218 int
  219 getuid(struct thread *td, struct getuid_args *uap)
  220 {
  221 
  222         td->td_retval[0] = td->td_ucred->cr_ruid;
  223 #if defined(COMPAT_43)
  224         td->td_retval[1] = td->td_ucred->cr_uid;
  225 #endif
  226         return (0);
  227 }
  228 
  229 #ifndef _SYS_SYSPROTO_H_
  230 struct geteuid_args {
  231         int     dummy;
  232 };
  233 #endif
  234 /*
  235  * MPSAFE
  236  */
  237 /* ARGSUSED */
  238 int
  239 geteuid(struct thread *td, struct geteuid_args *uap)
  240 {
  241 
  242         td->td_retval[0] = td->td_ucred->cr_uid;
  243         return (0);
  244 }
  245 
  246 #ifndef _SYS_SYSPROTO_H_
  247 struct getgid_args {
  248         int     dummy;
  249 };
  250 #endif
  251 /*
  252  * MPSAFE
  253  */
  254 /* ARGSUSED */
  255 int
  256 getgid(struct thread *td, struct getgid_args *uap)
  257 {
  258 
  259         td->td_retval[0] = td->td_ucred->cr_rgid;
  260 #if defined(COMPAT_43)
  261         td->td_retval[1] = td->td_ucred->cr_groups[0];
  262 #endif
  263         return (0);
  264 }
  265 
  266 /*
  267  * Get effective group ID.  The "egid" is groups[0], and could be obtained
  268  * via getgroups.  This syscall exists because it is somewhat painful to do
  269  * correctly in a library function.
  270  */
  271 #ifndef _SYS_SYSPROTO_H_
  272 struct getegid_args {
  273         int     dummy;
  274 };
  275 #endif
  276 /*
  277  * MPSAFE
  278  */
  279 /* ARGSUSED */
  280 int
  281 getegid(struct thread *td, struct getegid_args *uap)
  282 {
  283 
  284         td->td_retval[0] = td->td_ucred->cr_groups[0];
  285         return (0);
  286 }
  287 
  288 #ifndef _SYS_SYSPROTO_H_
  289 struct getgroups_args {
  290         u_int   gidsetsize;
  291         gid_t   *gidset;
  292 };
  293 #endif
  294 /*
  295  * MPSAFE
  296  */
  297 int
  298 getgroups(struct thread *td, register struct getgroups_args *uap)
  299 {
  300         struct ucred *cred;
  301         u_int ngrp;
  302         int error;
  303 
  304         cred = td->td_ucred;
  305         if ((ngrp = uap->gidsetsize) == 0) {
  306                 td->td_retval[0] = cred->cr_ngroups;
  307                 return (0);
  308         }
  309         if (ngrp < cred->cr_ngroups)
  310                 return (EINVAL);
  311         ngrp = cred->cr_ngroups;
  312         error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
  313         if (error == 0)
  314                 td->td_retval[0] = ngrp;
  315         return (error);
  316 }
  317 
  318 #ifndef _SYS_SYSPROTO_H_
  319 struct setsid_args {
  320         int     dummy;
  321 };
  322 #endif
  323 /*
  324  * MPSAFE
  325  */
  326 /* ARGSUSED */
  327 int
  328 setsid(register struct thread *td, struct setsid_args *uap)
  329 {
  330         struct pgrp *pgrp;
  331         int error;
  332         struct proc *p = td->td_proc;
  333         struct pgrp *newpgrp;
  334         struct session *newsess;
  335 
  336         error = 0;
  337         pgrp = NULL;
  338 
  339         MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
  340         MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
  341 
  342         sx_xlock(&proctree_lock);
  343 
  344         if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
  345                 if (pgrp != NULL)
  346                         PGRP_UNLOCK(pgrp);
  347                 error = EPERM;
  348         } else {
  349                 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
  350                 td->td_retval[0] = p->p_pid;
  351                 newpgrp = NULL;
  352                 newsess = NULL;
  353         }
  354 
  355         sx_xunlock(&proctree_lock);
  356 
  357         if (newpgrp != NULL)
  358                 FREE(newpgrp, M_PGRP);
  359         if (newsess != NULL)
  360                 FREE(newsess, M_SESSION);
  361 
  362         return (error);
  363 }
  364 
  365 /*
  366  * set process group (setpgid/old setpgrp)
  367  *
  368  * caller does setpgid(targpid, targpgid)
  369  *
  370  * pid must be caller or child of caller (ESRCH)
  371  * if a child
  372  *      pid must be in same session (EPERM)
  373  *      pid can't have done an exec (EACCES)
  374  * if pgid != pid
  375  *      there must exist some pid in same session having pgid (EPERM)
  376  * pid must not be session leader (EPERM)
  377  */
  378 #ifndef _SYS_SYSPROTO_H_
  379 struct setpgid_args {
  380         int     pid;            /* target process id */
  381         int     pgid;           /* target pgrp id */
  382 };
  383 #endif
  384 /*
  385  * MPSAFE
  386  */
  387 /* ARGSUSED */
  388 int
  389 setpgid(struct thread *td, register struct setpgid_args *uap)
  390 {
  391         struct proc *curp = td->td_proc;
  392         register struct proc *targp;    /* target process */
  393         register struct pgrp *pgrp;     /* target pgrp */
  394         int error;
  395         struct pgrp *newpgrp;
  396 
  397         if (uap->pgid < 0)
  398                 return (EINVAL);
  399 
  400         error = 0;
  401 
  402         MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
  403 
  404         sx_xlock(&proctree_lock);
  405         if (uap->pid != 0 && uap->pid != curp->p_pid) {
  406                 if ((targp = pfind(uap->pid)) == NULL) {
  407                         error = ESRCH;
  408                         goto done;
  409                 }
  410                 if (!inferior(targp)) {
  411                         PROC_UNLOCK(targp);
  412                         error = ESRCH;
  413                         goto done;
  414                 }
  415                 if ((error = p_cansee(td, targp))) {
  416                         PROC_UNLOCK(targp);
  417                         goto done;
  418                 }
  419                 if (targp->p_pgrp == NULL ||
  420                     targp->p_session != curp->p_session) {
  421                         PROC_UNLOCK(targp);
  422                         error = EPERM;
  423                         goto done;
  424                 }
  425                 if (targp->p_flag & P_EXEC) {
  426                         PROC_UNLOCK(targp);
  427                         error = EACCES;
  428                         goto done;
  429                 }
  430                 PROC_UNLOCK(targp);
  431         } else
  432                 targp = curp;
  433         if (SESS_LEADER(targp)) {
  434                 error = EPERM;
  435                 goto done;
  436         }
  437         if (uap->pgid == 0)
  438                 uap->pgid = targp->p_pid;
  439         if ((pgrp = pgfind(uap->pgid)) == NULL) {
  440                 if (uap->pgid == targp->p_pid) {
  441                         error = enterpgrp(targp, uap->pgid, newpgrp,
  442                             NULL);
  443                         if (error == 0)
  444                                 newpgrp = NULL;
  445                 } else
  446                         error = EPERM;
  447         } else {
  448                 if (pgrp == targp->p_pgrp) {
  449                         PGRP_UNLOCK(pgrp);
  450                         goto done;
  451                 }
  452                 if (pgrp->pg_id != targp->p_pid &&
  453                     pgrp->pg_session != curp->p_session) {
  454                         PGRP_UNLOCK(pgrp);
  455                         error = EPERM;
  456                         goto done;
  457                 }
  458                 PGRP_UNLOCK(pgrp);
  459                 error = enterthispgrp(targp, pgrp);
  460         }
  461 done:
  462         sx_xunlock(&proctree_lock);
  463         KASSERT((error == 0) || (newpgrp != NULL),
  464             ("setpgid failed and newpgrp is NULL"));
  465         if (newpgrp != NULL)
  466                 FREE(newpgrp, M_PGRP);
  467         return (error);
  468 }
  469 
  470 /*
  471  * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
  472  * compatible.  It says that setting the uid/gid to euid/egid is a special
  473  * case of "appropriate privilege".  Once the rules are expanded out, this
  474  * basically means that setuid(nnn) sets all three id's, in all permitted
  475  * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
  476  * does not set the saved id - this is dangerous for traditional BSD
  477  * programs.  For this reason, we *really* do not want to set
  478  * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
  479  */
  480 #define POSIX_APPENDIX_B_4_2_2
  481 
  482 #ifndef _SYS_SYSPROTO_H_
  483 struct setuid_args {
  484         uid_t   uid;
  485 };
  486 #endif
  487 /*
  488  * MPSAFE
  489  */
  490 /* ARGSUSED */
  491 int
  492 setuid(struct thread *td, struct setuid_args *uap)
  493 {
  494         struct proc *p = td->td_proc;
  495         struct ucred *newcred, *oldcred;
  496         uid_t uid;
  497         struct uidinfo *uip;
  498         int error;
  499 
  500         uid = uap->uid;
  501         AUDIT_ARG(uid, uid);
  502         newcred = crget();
  503         uip = uifind(uid);
  504         PROC_LOCK(p);
  505         oldcred = p->p_ucred;
  506 
  507 #ifdef MAC
  508         error = mac_check_proc_setuid(p, oldcred, uid);
  509         if (error)
  510                 goto fail;
  511 #endif
  512 
  513         /*
  514          * See if we have "permission" by POSIX 1003.1 rules.
  515          *
  516          * Note that setuid(geteuid()) is a special case of
  517          * "appropriate privileges" in appendix B.4.2.2.  We need
  518          * to use this clause to be compatible with traditional BSD
  519          * semantics.  Basically, it means that "setuid(xx)" sets all
  520          * three id's (assuming you have privs).
  521          *
  522          * Notes on the logic.  We do things in three steps.
  523          * 1: We determine if the euid is going to change, and do EPERM
  524          *    right away.  We unconditionally change the euid later if this
  525          *    test is satisfied, simplifying that part of the logic.
  526          * 2: We determine if the real and/or saved uids are going to
  527          *    change.  Determined by compile options.
  528          * 3: Change euid last. (after tests in #2 for "appropriate privs")
  529          */
  530         if (uid != oldcred->cr_ruid &&          /* allow setuid(getuid()) */
  531 #ifdef _POSIX_SAVED_IDS
  532             uid != oldcred->cr_svuid &&         /* allow setuid(saved gid) */
  533 #endif
  534 #ifdef POSIX_APPENDIX_B_4_2_2   /* Use BSD-compat clause from B.4.2.2 */
  535             uid != oldcred->cr_uid &&           /* allow setuid(geteuid()) */
  536 #endif
  537             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  538                 goto fail;
  539 
  540         /*
  541          * Copy credentials so other references do not see our changes.
  542          */
  543         crcopy(newcred, oldcred);
  544 #ifdef _POSIX_SAVED_IDS
  545         /*
  546          * Do we have "appropriate privileges" (are we root or uid == euid)
  547          * If so, we are changing the real uid and/or saved uid.
  548          */
  549         if (
  550 #ifdef POSIX_APPENDIX_B_4_2_2   /* Use the clause from B.4.2.2 */
  551             uid == oldcred->cr_uid ||
  552 #endif
  553             suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
  554 #endif
  555         {
  556                 /*
  557                  * Set the real uid and transfer proc count to new user.
  558                  */
  559                 if (uid != oldcred->cr_ruid) {
  560                         change_ruid(newcred, uip);
  561                         setsugid(p);
  562                 }
  563                 /*
  564                  * Set saved uid
  565                  *
  566                  * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
  567                  * the security of seteuid() depends on it.  B.4.2.2 says it
  568                  * is important that we should do this.
  569                  */
  570                 if (uid != oldcred->cr_svuid) {
  571                         change_svuid(newcred, uid);
  572                         setsugid(p);
  573                 }
  574         }
  575 
  576         /*
  577          * In all permitted cases, we are changing the euid.
  578          */
  579         if (uid != oldcred->cr_uid) {
  580                 change_euid(newcred, uip);
  581                 setsugid(p);
  582         }
  583         p->p_ucred = newcred;
  584         PROC_UNLOCK(p);
  585         uifree(uip);
  586         crfree(oldcred);
  587         return (0);
  588 
  589 fail:
  590         PROC_UNLOCK(p);
  591         uifree(uip);
  592         crfree(newcred);
  593         return (error);
  594 }
  595 
  596 #ifndef _SYS_SYSPROTO_H_
  597 struct seteuid_args {
  598         uid_t   euid;
  599 };
  600 #endif
  601 /*
  602  * MPSAFE
  603  */
  604 /* ARGSUSED */
  605 int
  606 seteuid(struct thread *td, struct seteuid_args *uap)
  607 {
  608         struct proc *p = td->td_proc;
  609         struct ucred *newcred, *oldcred;
  610         uid_t euid;
  611         struct uidinfo *euip;
  612         int error;
  613 
  614         euid = uap->euid;
  615         AUDIT_ARG(euid, euid);
  616         newcred = crget();
  617         euip = uifind(euid);
  618         PROC_LOCK(p);
  619         oldcred = p->p_ucred;
  620 
  621 #ifdef MAC
  622         error = mac_check_proc_seteuid(p, oldcred, euid);
  623         if (error)
  624                 goto fail;
  625 #endif
  626 
  627         if (euid != oldcred->cr_ruid &&         /* allow seteuid(getuid()) */
  628             euid != oldcred->cr_svuid &&        /* allow seteuid(saved uid) */
  629             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  630                 goto fail;
  631 
  632         /*
  633          * Everything's okay, do it.  Copy credentials so other references do
  634          * not see our changes.
  635          */
  636         crcopy(newcred, oldcred);
  637         if (oldcred->cr_uid != euid) {
  638                 change_euid(newcred, euip);
  639                 setsugid(p);
  640         }
  641         p->p_ucred = newcred;
  642         PROC_UNLOCK(p);
  643         uifree(euip);
  644         crfree(oldcred);
  645         return (0);
  646 
  647 fail:
  648         PROC_UNLOCK(p);
  649         uifree(euip);
  650         crfree(newcred);
  651         return (error);
  652 }
  653 
  654 #ifndef _SYS_SYSPROTO_H_
  655 struct setgid_args {
  656         gid_t   gid;
  657 };
  658 #endif
  659 /*
  660  * MPSAFE
  661  */
  662 /* ARGSUSED */
  663 int
  664 setgid(struct thread *td, struct setgid_args *uap)
  665 {
  666         struct proc *p = td->td_proc;
  667         struct ucred *newcred, *oldcred;
  668         gid_t gid;
  669         int error;
  670 
  671         gid = uap->gid;
  672         AUDIT_ARG(gid, gid);
  673         newcred = crget();
  674         PROC_LOCK(p);
  675         oldcred = p->p_ucred;
  676 
  677 #ifdef MAC
  678         error = mac_check_proc_setgid(p, oldcred, gid);
  679         if (error)
  680                 goto fail;
  681 #endif
  682 
  683         /*
  684          * See if we have "permission" by POSIX 1003.1 rules.
  685          *
  686          * Note that setgid(getegid()) is a special case of
  687          * "appropriate privileges" in appendix B.4.2.2.  We need
  688          * to use this clause to be compatible with traditional BSD
  689          * semantics.  Basically, it means that "setgid(xx)" sets all
  690          * three id's (assuming you have privs).
  691          *
  692          * For notes on the logic here, see setuid() above.
  693          */
  694         if (gid != oldcred->cr_rgid &&          /* allow setgid(getgid()) */
  695 #ifdef _POSIX_SAVED_IDS
  696             gid != oldcred->cr_svgid &&         /* allow setgid(saved gid) */
  697 #endif
  698 #ifdef POSIX_APPENDIX_B_4_2_2   /* Use BSD-compat clause from B.4.2.2 */
  699             gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
  700 #endif
  701             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  702                 goto fail;
  703 
  704         crcopy(newcred, oldcred);
  705 #ifdef _POSIX_SAVED_IDS
  706         /*
  707          * Do we have "appropriate privileges" (are we root or gid == egid)
  708          * If so, we are changing the real uid and saved gid.
  709          */
  710         if (
  711 #ifdef POSIX_APPENDIX_B_4_2_2   /* use the clause from B.4.2.2 */
  712             gid == oldcred->cr_groups[0] ||
  713 #endif
  714             suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
  715 #endif
  716         {
  717                 /*
  718                  * Set real gid
  719                  */
  720                 if (oldcred->cr_rgid != gid) {
  721                         change_rgid(newcred, gid);
  722                         setsugid(p);
  723                 }
  724                 /*
  725                  * Set saved gid
  726                  *
  727                  * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
  728                  * the security of setegid() depends on it.  B.4.2.2 says it
  729                  * is important that we should do this.
  730                  */
  731                 if (oldcred->cr_svgid != gid) {
  732                         change_svgid(newcred, gid);
  733                         setsugid(p);
  734                 }
  735         }
  736         /*
  737          * In all cases permitted cases, we are changing the egid.
  738          * Copy credentials so other references do not see our changes.
  739          */
  740         if (oldcred->cr_groups[0] != gid) {
  741                 change_egid(newcred, gid);
  742                 setsugid(p);
  743         }
  744         p->p_ucred = newcred;
  745         PROC_UNLOCK(p);
  746         crfree(oldcred);
  747         return (0);
  748 
  749 fail:
  750         PROC_UNLOCK(p);
  751         crfree(newcred);
  752         return (error);
  753 }
  754 
  755 #ifndef _SYS_SYSPROTO_H_
  756 struct setegid_args {
  757         gid_t   egid;
  758 };
  759 #endif
  760 /*
  761  * MPSAFE
  762  */
  763 /* ARGSUSED */
  764 int
  765 setegid(struct thread *td, struct setegid_args *uap)
  766 {
  767         struct proc *p = td->td_proc;
  768         struct ucred *newcred, *oldcred;
  769         gid_t egid;
  770         int error;
  771 
  772         egid = uap->egid;
  773         AUDIT_ARG(egid, egid);
  774         newcred = crget();
  775         PROC_LOCK(p);
  776         oldcred = p->p_ucred;
  777 
  778 #ifdef MAC
  779         error = mac_check_proc_setegid(p, oldcred, egid);
  780         if (error)
  781                 goto fail;
  782 #endif
  783 
  784         if (egid != oldcred->cr_rgid &&         /* allow setegid(getgid()) */
  785             egid != oldcred->cr_svgid &&        /* allow setegid(saved gid) */
  786             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  787                 goto fail;
  788 
  789         crcopy(newcred, oldcred);
  790         if (oldcred->cr_groups[0] != egid) {
  791                 change_egid(newcred, egid);
  792                 setsugid(p);
  793         }
  794         p->p_ucred = newcred;
  795         PROC_UNLOCK(p);
  796         crfree(oldcred);
  797         return (0);
  798 
  799 fail:
  800         PROC_UNLOCK(p);
  801         crfree(newcred);
  802         return (error);
  803 }
  804 
  805 #ifndef _SYS_SYSPROTO_H_
  806 struct setgroups_args {
  807         u_int   gidsetsize;
  808         gid_t   *gidset;
  809 };
  810 #endif
  811 /*
  812  * MPSAFE
  813  */
  814 /* ARGSUSED */
  815 int
  816 setgroups(struct thread *td, struct setgroups_args *uap)
  817 {
  818         struct proc *p = td->td_proc;
  819         struct ucred *newcred, *tempcred, *oldcred;
  820         u_int ngrp;
  821         int error;
  822 
  823         ngrp = uap->gidsetsize;
  824         if (ngrp > NGROUPS)
  825                 return (EINVAL);
  826         tempcred = crget();
  827         error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
  828         if (error != 0) {
  829                 crfree(tempcred);
  830                 return (error);
  831         }
  832         AUDIT_ARG(groupset, tempcred->cr_groups, ngrp);
  833         newcred = crget();
  834         PROC_LOCK(p);
  835         oldcred = p->p_ucred;
  836 
  837 #ifdef MAC
  838         error = mac_check_proc_setgroups(p, oldcred, ngrp,
  839             tempcred->cr_groups);
  840         if (error)
  841                 goto fail;
  842 #endif
  843 
  844         error = suser_cred(oldcred, SUSER_ALLOWJAIL);
  845         if (error)
  846                 goto fail;
  847 
  848         /*
  849          * XXX A little bit lazy here.  We could test if anything has
  850          * changed before crcopy() and setting P_SUGID.
  851          */
  852         crcopy(newcred, oldcred);
  853         if (ngrp < 1) {
  854                 /*
  855                  * setgroups(0, NULL) is a legitimate way of clearing the
  856                  * groups vector on non-BSD systems (which generally do not
  857                  * have the egid in the groups[0]).  We risk security holes
  858                  * when running non-BSD software if we do not do the same.
  859                  */
  860                 newcred->cr_ngroups = 1;
  861         } else {
  862                 bcopy(tempcred->cr_groups, newcred->cr_groups,
  863                     ngrp * sizeof(gid_t));
  864                 newcred->cr_ngroups = ngrp;
  865         }
  866         setsugid(p);
  867         p->p_ucred = newcred;
  868         PROC_UNLOCK(p);
  869         crfree(tempcred);
  870         crfree(oldcred);
  871         return (0);
  872 
  873 fail:
  874         PROC_UNLOCK(p);
  875         crfree(newcred);
  876         crfree(tempcred);
  877         return (error);
  878 }
  879 
  880 #ifndef _SYS_SYSPROTO_H_
  881 struct setreuid_args {
  882         uid_t   ruid;
  883         uid_t   euid;
  884 };
  885 #endif
  886 /*
  887  * MPSAFE
  888  */
  889 /* ARGSUSED */
  890 int
  891 setreuid(register struct thread *td, struct setreuid_args *uap)
  892 {
  893         struct proc *p = td->td_proc;
  894         struct ucred *newcred, *oldcred;
  895         uid_t euid, ruid;
  896         struct uidinfo *euip, *ruip;
  897         int error;
  898 
  899         euid = uap->euid;
  900         ruid = uap->ruid;
  901         AUDIT_ARG(euid, euid);
  902         AUDIT_ARG(ruid, ruid);
  903         newcred = crget();
  904         euip = uifind(euid);
  905         ruip = uifind(ruid);
  906         PROC_LOCK(p);
  907         oldcred = p->p_ucred;
  908 
  909 #ifdef MAC
  910         error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
  911         if (error)
  912                 goto fail;
  913 #endif
  914 
  915         if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
  916               ruid != oldcred->cr_svuid) ||
  917              (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
  918               euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
  919             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  920                 goto fail;
  921 
  922         crcopy(newcred, oldcred);
  923         if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
  924                 change_euid(newcred, euip);
  925                 setsugid(p);
  926         }
  927         if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
  928                 change_ruid(newcred, ruip);
  929                 setsugid(p);
  930         }
  931         if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
  932             newcred->cr_svuid != newcred->cr_uid) {
  933                 change_svuid(newcred, newcred->cr_uid);
  934                 setsugid(p);
  935         }
  936         p->p_ucred = newcred;
  937         PROC_UNLOCK(p);
  938         uifree(ruip);
  939         uifree(euip);
  940         crfree(oldcred);
  941         return (0);
  942 
  943 fail:
  944         PROC_UNLOCK(p);
  945         uifree(ruip);
  946         uifree(euip);
  947         crfree(newcred);
  948         return (error);
  949 }
  950 
  951 #ifndef _SYS_SYSPROTO_H_
  952 struct setregid_args {
  953         gid_t   rgid;
  954         gid_t   egid;
  955 };
  956 #endif
  957 /*
  958  * MPSAFE
  959  */
  960 /* ARGSUSED */
  961 int
  962 setregid(register struct thread *td, struct setregid_args *uap)
  963 {
  964         struct proc *p = td->td_proc;
  965         struct ucred *newcred, *oldcred;
  966         gid_t egid, rgid;
  967         int error;
  968 
  969         egid = uap->egid;
  970         rgid = uap->rgid;
  971         AUDIT_ARG(egid, egid);
  972         AUDIT_ARG(rgid, rgid);
  973         newcred = crget();
  974         PROC_LOCK(p);
  975         oldcred = p->p_ucred;
  976 
  977 #ifdef MAC
  978         error = mac_check_proc_setregid(p, oldcred, rgid, egid);
  979         if (error)
  980                 goto fail;
  981 #endif
  982 
  983         if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
  984             rgid != oldcred->cr_svgid) ||
  985              (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
  986              egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
  987             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
  988                 goto fail;
  989 
  990         crcopy(newcred, oldcred);
  991         if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
  992                 change_egid(newcred, egid);
  993                 setsugid(p);
  994         }
  995         if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
  996                 change_rgid(newcred, rgid);
  997                 setsugid(p);
  998         }
  999         if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
 1000             newcred->cr_svgid != newcred->cr_groups[0]) {
 1001                 change_svgid(newcred, newcred->cr_groups[0]);
 1002                 setsugid(p);
 1003         }
 1004         p->p_ucred = newcred;
 1005         PROC_UNLOCK(p);
 1006         crfree(oldcred);
 1007         return (0);
 1008 
 1009 fail:
 1010         PROC_UNLOCK(p);
 1011         crfree(newcred);
 1012         return (error);
 1013 }
 1014 
 1015 /*
 1016  * setresuid(ruid, euid, suid) is like setreuid except control over the
 1017  * saved uid is explicit.
 1018  */
 1019 
 1020 #ifndef _SYS_SYSPROTO_H_
 1021 struct setresuid_args {
 1022         uid_t   ruid;
 1023         uid_t   euid;
 1024         uid_t   suid;
 1025 };
 1026 #endif
 1027 /*
 1028  * MPSAFE
 1029  */
 1030 /* ARGSUSED */
 1031 int
 1032 setresuid(register struct thread *td, struct setresuid_args *uap)
 1033 {
 1034         struct proc *p = td->td_proc;
 1035         struct ucred *newcred, *oldcred;
 1036         uid_t euid, ruid, suid;
 1037         struct uidinfo *euip, *ruip;
 1038         int error;
 1039 
 1040         euid = uap->euid;
 1041         ruid = uap->ruid;
 1042         suid = uap->suid;
 1043         AUDIT_ARG(euid, euid);
 1044         AUDIT_ARG(ruid, ruid);
 1045         AUDIT_ARG(suid, suid);
 1046         newcred = crget();
 1047         euip = uifind(euid);
 1048         ruip = uifind(ruid);
 1049         PROC_LOCK(p);
 1050         oldcred = p->p_ucred;
 1051 
 1052 #ifdef MAC
 1053         error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
 1054         if (error)
 1055                 goto fail;
 1056 #endif
 1057 
 1058         if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
 1059              ruid != oldcred->cr_svuid &&
 1060               ruid != oldcred->cr_uid) ||
 1061              (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
 1062             euid != oldcred->cr_svuid &&
 1063               euid != oldcred->cr_uid) ||
 1064              (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
 1065             suid != oldcred->cr_svuid &&
 1066               suid != oldcred->cr_uid)) &&
 1067             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
 1068                 goto fail;
 1069 
 1070         crcopy(newcred, oldcred);
 1071         if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
 1072                 change_euid(newcred, euip);
 1073                 setsugid(p);
 1074         }
 1075         if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
 1076                 change_ruid(newcred, ruip);
 1077                 setsugid(p);
 1078         }
 1079         if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
 1080                 change_svuid(newcred, suid);
 1081                 setsugid(p);
 1082         }
 1083         p->p_ucred = newcred;
 1084         PROC_UNLOCK(p);
 1085         uifree(ruip);
 1086         uifree(euip);
 1087         crfree(oldcred);
 1088         return (0);
 1089 
 1090 fail:
 1091         PROC_UNLOCK(p);
 1092         uifree(ruip);
 1093         uifree(euip);
 1094         crfree(newcred);
 1095         return (error);
 1096 
 1097 }
 1098 
 1099 /*
 1100  * setresgid(rgid, egid, sgid) is like setregid except control over the
 1101  * saved gid is explicit.
 1102  */
 1103 
 1104 #ifndef _SYS_SYSPROTO_H_
 1105 struct setresgid_args {
 1106         gid_t   rgid;
 1107         gid_t   egid;
 1108         gid_t   sgid;
 1109 };
 1110 #endif
 1111 /*
 1112  * MPSAFE
 1113  */
 1114 /* ARGSUSED */
 1115 int
 1116 setresgid(register struct thread *td, struct setresgid_args *uap)
 1117 {
 1118         struct proc *p = td->td_proc;
 1119         struct ucred *newcred, *oldcred;
 1120         gid_t egid, rgid, sgid;
 1121         int error;
 1122 
 1123         egid = uap->egid;
 1124         rgid = uap->rgid;
 1125         sgid = uap->sgid;
 1126         AUDIT_ARG(egid, egid);
 1127         AUDIT_ARG(rgid, rgid);
 1128         AUDIT_ARG(sgid, sgid);
 1129         newcred = crget();
 1130         PROC_LOCK(p);
 1131         oldcred = p->p_ucred;
 1132 
 1133 #ifdef MAC
 1134         error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
 1135         if (error)
 1136                 goto fail;
 1137 #endif
 1138 
 1139         if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
 1140               rgid != oldcred->cr_svgid &&
 1141               rgid != oldcred->cr_groups[0]) ||
 1142              (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
 1143               egid != oldcred->cr_svgid &&
 1144               egid != oldcred->cr_groups[0]) ||
 1145              (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
 1146               sgid != oldcred->cr_svgid &&
 1147               sgid != oldcred->cr_groups[0])) &&
 1148             (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
 1149                 goto fail;
 1150 
 1151         crcopy(newcred, oldcred);
 1152         if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
 1153                 change_egid(newcred, egid);
 1154                 setsugid(p);
 1155         }
 1156         if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
 1157                 change_rgid(newcred, rgid);
 1158                 setsugid(p);
 1159         }
 1160         if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
 1161                 change_svgid(newcred, sgid);
 1162                 setsugid(p);
 1163         }
 1164         p->p_ucred = newcred;
 1165         PROC_UNLOCK(p);
 1166         crfree(oldcred);
 1167         return (0);
 1168 
 1169 fail:
 1170         PROC_UNLOCK(p);
 1171         crfree(newcred);
 1172         return (error);
 1173 }
 1174 
 1175 #ifndef _SYS_SYSPROTO_H_
 1176 struct getresuid_args {
 1177         uid_t   *ruid;
 1178         uid_t   *euid;
 1179         uid_t   *suid;
 1180 };
 1181 #endif
 1182 /*
 1183  * MPSAFE
 1184  */
 1185 /* ARGSUSED */
 1186 int
 1187 getresuid(register struct thread *td, struct getresuid_args *uap)
 1188 {
 1189         struct ucred *cred;
 1190         int error1 = 0, error2 = 0, error3 = 0;
 1191 
 1192         cred = td->td_ucred;
 1193         if (uap->ruid)
 1194                 error1 = copyout(&cred->cr_ruid,
 1195                     uap->ruid, sizeof(cred->cr_ruid));
 1196         if (uap->euid)
 1197                 error2 = copyout(&cred->cr_uid,
 1198                     uap->euid, sizeof(cred->cr_uid));
 1199         if (uap->suid)
 1200                 error3 = copyout(&cred->cr_svuid,
 1201                     uap->suid, sizeof(cred->cr_svuid));
 1202         return (error1 ? error1 : error2 ? error2 : error3);
 1203 }
 1204 
 1205 #ifndef _SYS_SYSPROTO_H_
 1206 struct getresgid_args {
 1207         gid_t   *rgid;
 1208         gid_t   *egid;
 1209         gid_t   *sgid;
 1210 };
 1211 #endif
 1212 /*
 1213  * MPSAFE
 1214  */
 1215 /* ARGSUSED */
 1216 int
 1217 getresgid(register struct thread *td, struct getresgid_args *uap)
 1218 {
 1219         struct ucred *cred;
 1220         int error1 = 0, error2 = 0, error3 = 0;
 1221 
 1222         cred = td->td_ucred;
 1223         if (uap->rgid)
 1224                 error1 = copyout(&cred->cr_rgid,
 1225                     uap->rgid, sizeof(cred->cr_rgid));
 1226         if (uap->egid)
 1227                 error2 = copyout(&cred->cr_groups[0],
 1228                     uap->egid, sizeof(cred->cr_groups[0]));
 1229         if (uap->sgid)
 1230                 error3 = copyout(&cred->cr_svgid,
 1231                     uap->sgid, sizeof(cred->cr_svgid));
 1232         return (error1 ? error1 : error2 ? error2 : error3);
 1233 }
 1234 
 1235 #ifndef _SYS_SYSPROTO_H_
 1236 struct issetugid_args {
 1237         int dummy;
 1238 };
 1239 #endif
 1240 /*
 1241  * MPSAFE
 1242  */
 1243 /* ARGSUSED */
 1244 int
 1245 issetugid(register struct thread *td, struct issetugid_args *uap)
 1246 {
 1247         struct proc *p = td->td_proc;
 1248 
 1249         /*
 1250          * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
 1251          * we use P_SUGID because we consider changing the owners as
 1252          * "tainting" as well.
 1253          * This is significant for procs that start as root and "become"
 1254          * a user without an exec - programs cannot know *everything*
 1255          * that libc *might* have put in their data segment.
 1256          */
 1257         PROC_LOCK(p);
 1258         td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
 1259         PROC_UNLOCK(p);
 1260         return (0);
 1261 }
 1262 
 1263 /*
 1264  * MPSAFE
 1265  */
 1266 int
 1267 __setugid(struct thread *td, struct __setugid_args *uap)
 1268 {
 1269 #ifdef REGRESSION
 1270         struct proc *p;
 1271 
 1272         p = td->td_proc;
 1273         switch (uap->flag) {
 1274         case 0:
 1275                 PROC_LOCK(p);
 1276                 p->p_flag &= ~P_SUGID;
 1277                 PROC_UNLOCK(p);
 1278                 return (0);
 1279         case 1:
 1280                 PROC_LOCK(p);
 1281                 p->p_flag |= P_SUGID;
 1282                 PROC_UNLOCK(p);
 1283                 return (0);
 1284         default:
 1285                 return (EINVAL);
 1286         }
 1287 #else /* !REGRESSION */
 1288 
 1289         return (ENOSYS);
 1290 #endif /* REGRESSION */
 1291 }
 1292 
 1293 /*
 1294  * Check if gid is a member of the group set.
 1295  *
 1296  * MPSAFE (cred must be held)
 1297  */
 1298 int
 1299 groupmember(gid_t gid, struct ucred *cred)
 1300 {
 1301         register gid_t *gp;
 1302         gid_t *egp;
 1303 
 1304         egp = &(cred->cr_groups[cred->cr_ngroups]);
 1305         for (gp = cred->cr_groups; gp < egp; gp++)
 1306                 if (*gp == gid)
 1307                         return (1);
 1308         return (0);
 1309 }
 1310 
 1311 /*
 1312  * `suser_enabled' (which can be set by the security.suser_enabled
 1313  * sysctl) determines whether the system 'super-user' policy is in effect.
 1314  * If it is nonzero, an effective uid of 0 connotes special privilege,
 1315  * overriding many mandatory and discretionary protections.  If it is zero,
 1316  * uid 0 is offered no special privilege in the kernel security policy.
 1317  * Setting it to zero may seriously impact the functionality of many
 1318  * existing userland programs, and should not be done without careful
 1319  * consideration of the consequences.
 1320  */
 1321 int     suser_enabled = 1;
 1322 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
 1323     &suser_enabled, 0, "processes with uid 0 have privilege");
 1324 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
 1325 
 1326 /*
 1327  * Test whether the specified credentials imply "super-user" privilege.
 1328  * Return 0 or EPERM.
 1329  */
 1330 int
 1331 suser_cred(struct ucred *cred, int flag)
 1332 {
 1333 
 1334         if (!suser_enabled)
 1335                 return (EPERM);
 1336         if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
 1337                 return (EPERM);
 1338         if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
 1339                 return (EPERM);
 1340         return (0);
 1341 }
 1342 
 1343 /*
 1344  * Shortcut to hide contents of struct td and struct proc from the
 1345  * caller, promoting binary compatibility.
 1346  */
 1347 int
 1348 suser(struct thread *td)
 1349 {
 1350 
 1351 #ifdef INVARIANTS
 1352         if (td != curthread) {
 1353                 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
 1354                     td, td->td_proc->p_pid, td->td_proc->p_comm,
 1355                     curthread, curthread->td_proc->p_pid,
 1356                     curthread->td_proc->p_comm);
 1357 #ifdef KDB
 1358                 kdb_backtrace();
 1359 #endif
 1360         }
 1361 #endif
 1362         return (suser_cred(td->td_ucred, 0));
 1363 }
 1364 
 1365 /*
 1366  * Test the active securelevel against a given level.  securelevel_gt()
 1367  * implements (securelevel > level).  securelevel_ge() implements
 1368  * (securelevel >= level).  Note that the logic is inverted -- these
 1369  * functions return EPERM on "success" and 0 on "failure".
 1370  *
 1371  * MPSAFE
 1372  */
 1373 int
 1374 securelevel_gt(struct ucred *cr, int level)
 1375 {
 1376         int active_securelevel;
 1377 
 1378         active_securelevel = securelevel;
 1379         KASSERT(cr != NULL, ("securelevel_gt: null cr"));
 1380         if (cr->cr_prison != NULL)
 1381                 active_securelevel = imax(cr->cr_prison->pr_securelevel,
 1382                     active_securelevel);
 1383         return (active_securelevel > level ? EPERM : 0);
 1384 }
 1385 
 1386 int
 1387 securelevel_ge(struct ucred *cr, int level)
 1388 {
 1389         int active_securelevel;
 1390 
 1391         active_securelevel = securelevel;
 1392         KASSERT(cr != NULL, ("securelevel_ge: null cr"));
 1393         if (cr->cr_prison != NULL)
 1394                 active_securelevel = imax(cr->cr_prison->pr_securelevel,
 1395                     active_securelevel);
 1396         return (active_securelevel >= level ? EPERM : 0);
 1397 }
 1398 
 1399 /*
 1400  * 'see_other_uids' determines whether or not visibility of processes
 1401  * and sockets with credentials holding different real uids is possible
 1402  * using a variety of system MIBs.
 1403  * XXX: data declarations should be together near the beginning of the file.
 1404  */
 1405 static int      see_other_uids = 1;
 1406 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
 1407     &see_other_uids, 0,
 1408     "Unprivileged processes may see subjects/objects with different real uid");
 1409 
 1410 /*-
 1411  * Determine if u1 "can see" the subject specified by u2, according to the
 1412  * 'see_other_uids' policy.
 1413  * Returns: 0 for permitted, ESRCH otherwise
 1414  * Locks: none
 1415  * References: *u1 and *u2 must not change during the call
 1416  *             u1 may equal u2, in which case only one reference is required
 1417  */
 1418 static int
 1419 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
 1420 {
 1421 
 1422         if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
 1423                 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
 1424                         return (ESRCH);
 1425         }
 1426         return (0);
 1427 }
 1428 
 1429 /*
 1430  * 'see_other_gids' determines whether or not visibility of processes
 1431  * and sockets with credentials holding different real gids is possible
 1432  * using a variety of system MIBs.
 1433  * XXX: data declarations should be together near the beginning of the file.
 1434  */
 1435 static int      see_other_gids = 1;
 1436 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
 1437     &see_other_gids, 0,
 1438     "Unprivileged processes may see subjects/objects with different real gid");
 1439 
 1440 /*
 1441  * Determine if u1 can "see" the subject specified by u2, according to the
 1442  * 'see_other_gids' policy.
 1443  * Returns: 0 for permitted, ESRCH otherwise
 1444  * Locks: none
 1445  * References: *u1 and *u2 must not change during the call
 1446  *             u1 may equal u2, in which case only one reference is required
 1447  */
 1448 static int
 1449 cr_seeothergids(struct ucred *u1, struct ucred *u2)
 1450 {
 1451         int i, match;
 1452         
 1453         if (!see_other_gids) {
 1454                 match = 0;
 1455                 for (i = 0; i < u1->cr_ngroups; i++) {
 1456                         if (groupmember(u1->cr_groups[i], u2))
 1457                                 match = 1;
 1458                         if (match)
 1459                                 break;
 1460                 }
 1461                 if (!match) {
 1462                         if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
 1463                                 return (ESRCH);
 1464                 }
 1465         }
 1466         return (0);
 1467 }
 1468 
 1469 /*-
 1470  * Determine if u1 "can see" the subject specified by u2.
 1471  * Returns: 0 for permitted, an errno value otherwise
 1472  * Locks: none
 1473  * References: *u1 and *u2 must not change during the call
 1474  *             u1 may equal u2, in which case only one reference is required
 1475  */
 1476 int
 1477 cr_cansee(struct ucred *u1, struct ucred *u2)
 1478 {
 1479         int error;
 1480 
 1481         if ((error = prison_check(u1, u2)))
 1482                 return (error);
 1483 #ifdef MAC
 1484         if ((error = mac_check_cred_visible(u1, u2)))
 1485                 return (error);
 1486 #endif
 1487         if ((error = cr_seeotheruids(u1, u2)))
 1488                 return (error);
 1489         if ((error = cr_seeothergids(u1, u2)))
 1490                 return (error);
 1491         return (0);
 1492 }
 1493 
 1494 /*-
 1495  * Determine if td "can see" the subject specified by p.
 1496  * Returns: 0 for permitted, an errno value otherwise
 1497  * Locks: Sufficient locks to protect p->p_ucred must be held.  td really
 1498  *        should be curthread.
 1499  * References: td and p must be valid for the lifetime of the call
 1500  */
 1501 int
 1502 p_cansee(struct thread *td, struct proc *p)
 1503 {
 1504 
 1505         /* Wrap cr_cansee() for all functionality. */
 1506         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1507         PROC_LOCK_ASSERT(p, MA_OWNED);
 1508         return (cr_cansee(td->td_ucred, p->p_ucred));
 1509 }
 1510 
 1511 /*
 1512  * 'conservative_signals' prevents the delivery of a broad class of
 1513  * signals by unprivileged processes to processes that have changed their
 1514  * credentials since the last invocation of execve().  This can prevent
 1515  * the leakage of cached information or retained privileges as a result
 1516  * of a common class of signal-related vulnerabilities.  However, this
 1517  * may interfere with some applications that expect to be able to
 1518  * deliver these signals to peer processes after having given up
 1519  * privilege.
 1520  */
 1521 static int      conservative_signals = 1;
 1522 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
 1523     &conservative_signals, 0, "Unprivileged processes prevented from "
 1524     "sending certain signals to processes whose credentials have changed");
 1525 /*-
 1526  * Determine whether cred may deliver the specified signal to proc.
 1527  * Returns: 0 for permitted, an errno value otherwise.
 1528  * Locks: A lock must be held for proc.
 1529  * References: cred and proc must be valid for the lifetime of the call.
 1530  */
 1531 int
 1532 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
 1533 {
 1534         int error;
 1535 
 1536         PROC_LOCK_ASSERT(proc, MA_OWNED);
 1537         /*
 1538          * Jail semantics limit the scope of signalling to proc in the
 1539          * same jail as cred, if cred is in jail.
 1540          */
 1541         error = prison_check(cred, proc->p_ucred);
 1542         if (error)
 1543                 return (error);
 1544 #ifdef MAC
 1545         if ((error = mac_check_proc_signal(cred, proc, signum)))
 1546                 return (error);
 1547 #endif
 1548         if ((error = cr_seeotheruids(cred, proc->p_ucred)))
 1549                 return (error);
 1550         if ((error = cr_seeothergids(cred, proc->p_ucred)))
 1551                 return (error);
 1552 
 1553         /*
 1554          * UNIX signal semantics depend on the status of the P_SUGID
 1555          * bit on the target process.  If the bit is set, then additional
 1556          * restrictions are placed on the set of available signals.
 1557          */
 1558         if (conservative_signals && (proc->p_flag & P_SUGID)) {
 1559                 switch (signum) {
 1560                 case 0:
 1561                 case SIGKILL:
 1562                 case SIGINT:
 1563                 case SIGTERM:
 1564                 case SIGALRM:
 1565                 case SIGSTOP:
 1566                 case SIGTTIN:
 1567                 case SIGTTOU:
 1568                 case SIGTSTP:
 1569                 case SIGHUP:
 1570                 case SIGUSR1:
 1571                 case SIGUSR2:
 1572                         /*
 1573                          * Generally, permit job and terminal control
 1574                          * signals.
 1575                          */
 1576                         break;
 1577                 default:
 1578                         /* Not permitted without privilege. */
 1579                         error = suser_cred(cred, SUSER_ALLOWJAIL);
 1580                         if (error)
 1581                                 return (error);
 1582                 }
 1583         }
 1584 
 1585         /*
 1586          * Generally, the target credential's ruid or svuid must match the
 1587          * subject credential's ruid or euid.
 1588          */
 1589         if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
 1590             cred->cr_ruid != proc->p_ucred->cr_svuid &&
 1591             cred->cr_uid != proc->p_ucred->cr_ruid &&
 1592             cred->cr_uid != proc->p_ucred->cr_svuid) {
 1593                 /* Not permitted without privilege. */
 1594                 error = suser_cred(cred, SUSER_ALLOWJAIL);
 1595                 if (error)
 1596                         return (error);
 1597         }
 1598 
 1599         return (0);
 1600 }
 1601 
 1602 
 1603 /*-
 1604  * Determine whether td may deliver the specified signal to p.
 1605  * Returns: 0 for permitted, an errno value otherwise
 1606  * Locks: Sufficient locks to protect various components of td and p
 1607  *        must be held.  td must be curthread, and a lock must be
 1608  *        held for p.
 1609  * References: td and p must be valid for the lifetime of the call
 1610  */
 1611 int
 1612 p_cansignal(struct thread *td, struct proc *p, int signum)
 1613 {
 1614 
 1615         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1616         PROC_LOCK_ASSERT(p, MA_OWNED);
 1617         if (td->td_proc == p)
 1618                 return (0);
 1619 
 1620         /*
 1621          * UNIX signalling semantics require that processes in the same
 1622          * session always be able to deliver SIGCONT to one another,
 1623          * overriding the remaining protections.
 1624          */
 1625         /* XXX: This will require an additional lock of some sort. */
 1626         if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
 1627                 return (0);
 1628         /*
 1629          * Some compat layers use SIGTHR and higher signals for
 1630          * communication between different kernel threads of the same
 1631          * process, so that they expect that it's always possible to
 1632          * deliver them, even for suid applications where cr_cansignal() can
 1633          * deny such ability for security consideration.  It should be
 1634          * pretty safe to do since the only way to create two processes
 1635          * with the same p_leader is via rfork(2).
 1636          */
 1637         if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
 1638             signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
 1639                 return (0);
 1640 
 1641         return (cr_cansignal(td->td_ucred, p, signum));
 1642 }
 1643 
 1644 /*-
 1645  * Determine whether td may reschedule p.
 1646  * Returns: 0 for permitted, an errno value otherwise
 1647  * Locks: Sufficient locks to protect various components of td and p
 1648  *        must be held.  td must be curthread, and a lock must
 1649  *        be held for p.
 1650  * References: td and p must be valid for the lifetime of the call
 1651  */
 1652 int
 1653 p_cansched(struct thread *td, struct proc *p)
 1654 {
 1655         int error;
 1656 
 1657         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1658         PROC_LOCK_ASSERT(p, MA_OWNED);
 1659         if (td->td_proc == p)
 1660                 return (0);
 1661         if ((error = prison_check(td->td_ucred, p->p_ucred)))
 1662                 return (error);
 1663 #ifdef MAC
 1664         if ((error = mac_check_proc_sched(td->td_ucred, p)))
 1665                 return (error);
 1666 #endif
 1667         if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 1668                 return (error);
 1669         if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
 1670                 return (error);
 1671         if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
 1672                 return (0);
 1673         if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
 1674                 return (0);
 1675         if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
 1676                 return (0);
 1677 
 1678 #ifdef CAPABILITIES
 1679         if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
 1680                 return (0);
 1681 #endif
 1682 
 1683         return (EPERM);
 1684 }
 1685 
 1686 /*
 1687  * The 'unprivileged_proc_debug' flag may be used to disable a variety of
 1688  * unprivileged inter-process debugging services, including some procfs
 1689  * functionality, ptrace(), and ktrace().  In the past, inter-process
 1690  * debugging has been involved in a variety of security problems, and sites
 1691  * not requiring the service might choose to disable it when hardening
 1692  * systems.
 1693  *
 1694  * XXX: Should modifying and reading this variable require locking?
 1695  * XXX: data declarations should be together near the beginning of the file.
 1696  */
 1697 static int      unprivileged_proc_debug = 1;
 1698 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
 1699     &unprivileged_proc_debug, 0,
 1700     "Unprivileged processes may use process debugging facilities");
 1701 
 1702 /*-
 1703  * Determine whether td may debug p.
 1704  * Returns: 0 for permitted, an errno value otherwise
 1705  * Locks: Sufficient locks to protect various components of td and p
 1706  *        must be held.  td must be curthread, and a lock must
 1707  *        be held for p.
 1708  * References: td and p must be valid for the lifetime of the call
 1709  */
 1710 int
 1711 p_candebug(struct thread *td, struct proc *p)
 1712 {
 1713         int credentialchanged, error, grpsubset, i, uidsubset;
 1714 
 1715         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1716         PROC_LOCK_ASSERT(p, MA_OWNED);
 1717         if (!unprivileged_proc_debug) {
 1718                 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
 1719                 if (error)
 1720                         return (error);
 1721         }
 1722         if (td->td_proc == p)
 1723                 return (0);
 1724         if ((error = prison_check(td->td_ucred, p->p_ucred)))
 1725                 return (error);
 1726 #ifdef MAC
 1727         if ((error = mac_check_proc_debug(td->td_ucred, p)))
 1728                 return (error);
 1729 #endif
 1730         if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 1731                 return (error);
 1732         if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
 1733                 return (error);
 1734 
 1735         /*
 1736          * Is p's group set a subset of td's effective group set?  This
 1737          * includes p's egid, group access list, rgid, and svgid.
 1738          */
 1739         grpsubset = 1;
 1740         for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
 1741                 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
 1742                         grpsubset = 0;
 1743                         break;
 1744                 }
 1745         }
 1746         grpsubset = grpsubset &&
 1747             groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
 1748             groupmember(p->p_ucred->cr_svgid, td->td_ucred);
 1749 
 1750         /*
 1751          * Are the uids present in p's credential equal to td's
 1752          * effective uid?  This includes p's euid, svuid, and ruid.
 1753          */
 1754         uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
 1755             td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
 1756             td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
 1757 
 1758         /*
 1759          * Has the credential of the process changed since the last exec()?
 1760          */
 1761         credentialchanged = (p->p_flag & P_SUGID);
 1762 
 1763         /*
 1764          * If p's gids aren't a subset, or the uids aren't a subset,
 1765          * or the credential has changed, require appropriate privilege
 1766          * for td to debug p.  For POSIX.1e capabilities, this will
 1767          * require CAP_SYS_PTRACE.
 1768          */
 1769         if (!grpsubset || !uidsubset || credentialchanged) {
 1770                 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
 1771                 if (error)
 1772                         return (error);
 1773         }
 1774 
 1775         /* Can't trace init when securelevel > 0. */
 1776         if (p == initproc) {
 1777                 error = securelevel_gt(td->td_ucred, 0);
 1778                 if (error)
 1779                         return (error);
 1780         }
 1781 
 1782         /*
 1783          * Can't trace a process that's currently exec'ing.
 1784          * XXX: Note, this is not a security policy decision, it's a
 1785          * basic correctness/functionality decision.  Therefore, this check
 1786          * should be moved to the caller's of p_candebug().
 1787          */
 1788         if ((p->p_flag & P_INEXEC) != 0)
 1789                 return (EAGAIN);
 1790 
 1791         return (0);
 1792 }
 1793 
 1794 /*-
 1795  * Determine whether the subject represented by cred can "see" a socket.
 1796  * Returns: 0 for permitted, ENOENT otherwise.
 1797  */
 1798 int
 1799 cr_canseesocket(struct ucred *cred, struct socket *so)
 1800 {
 1801         int error;
 1802 
 1803         error = prison_check(cred, so->so_cred);
 1804         if (error)
 1805                 return (ENOENT);
 1806 #ifdef MAC
 1807         SOCK_LOCK(so);
 1808         error = mac_check_socket_visible(cred, so);
 1809         SOCK_UNLOCK(so);
 1810         if (error)
 1811                 return (error);
 1812 #endif
 1813         if (cr_seeotheruids(cred, so->so_cred))
 1814                 return (ENOENT);
 1815         if (cr_seeothergids(cred, so->so_cred))
 1816                 return (ENOENT);
 1817 
 1818         return (0);
 1819 }
 1820 
 1821 /*-
 1822  * Determine whether td can wait for the exit of p.
 1823  * Returns: 0 for permitted, an errno value otherwise
 1824  * Locks: Sufficient locks to protect various components of td and p
 1825  *        must be held.  td must be curthread, and a lock must
 1826  *        be held for p.
 1827  * References: td and p must be valid for the lifetime of the call
 1828 
 1829  */
 1830 int
 1831 p_canwait(struct thread *td, struct proc *p)
 1832 {
 1833         int error;
 1834 
 1835         KASSERT(td == curthread, ("%s: td not curthread", __func__));
 1836         PROC_LOCK_ASSERT(p, MA_OWNED);
 1837         if ((error = prison_check(td->td_ucred, p->p_ucred)))
 1838                 return (error);
 1839 #ifdef MAC
 1840         if ((error = mac_check_proc_wait(td->td_ucred, p)))
 1841                 return (error);
 1842 #endif
 1843 #if 0
 1844         /* XXXMAC: This could have odd effects on some shells. */
 1845         if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 1846                 return (error);
 1847 #endif
 1848 
 1849         return (0);
 1850 }
 1851 
 1852 /*
 1853  * Allocate a zeroed cred structure.
 1854  * MPSAFE
 1855  */
 1856 struct ucred *
 1857 crget(void)
 1858 {
 1859         register struct ucred *cr;
 1860 
 1861         MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
 1862         refcount_init(&cr->cr_ref, 1);
 1863 #ifdef MAC
 1864         mac_init_cred(cr);
 1865 #endif
 1866         return (cr);
 1867 }
 1868 
 1869 /*
 1870  * Claim another reference to a ucred structure.
 1871  * MPSAFE
 1872  */
 1873 struct ucred *
 1874 crhold(struct ucred *cr)
 1875 {
 1876 
 1877         refcount_acquire(&cr->cr_ref);
 1878         return (cr);
 1879 }
 1880 
 1881 /*
 1882  * Free a cred structure.
 1883  * Throws away space when ref count gets to 0.
 1884  * MPSAFE
 1885  */
 1886 void
 1887 crfree(struct ucred *cr)
 1888 {
 1889 
 1890         KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
 1891         KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred"));
 1892         if (refcount_release(&cr->cr_ref)) {
 1893                 /*
 1894                  * Some callers of crget(), such as nfs_statfs(),
 1895                  * allocate a temporary credential, but don't
 1896                  * allocate a uidinfo structure.
 1897                  */
 1898                 if (cr->cr_uidinfo != NULL)
 1899                         uifree(cr->cr_uidinfo);
 1900                 if (cr->cr_ruidinfo != NULL)
 1901                         uifree(cr->cr_ruidinfo);
 1902                 /*
 1903                  * Free a prison, if any.
 1904                  */
 1905                 if (jailed(cr))
 1906                         prison_free(cr->cr_prison);
 1907 #ifdef MAC
 1908                 mac_destroy_cred(cr);
 1909 #endif
 1910                 FREE(cr, M_CRED);
 1911         }
 1912 }
 1913 
 1914 /*
 1915  * Check to see if this ucred is shared.
 1916  * MPSAFE
 1917  */
 1918 int
 1919 crshared(struct ucred *cr)
 1920 {
 1921 
 1922         return (cr->cr_ref > 1);
 1923 }
 1924 
 1925 /*
 1926  * Copy a ucred's contents from a template.  Does not block.
 1927  * MPSAFE
 1928  */
 1929 void
 1930 crcopy(struct ucred *dest, struct ucred *src)
 1931 {
 1932 
 1933         KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
 1934         bcopy(&src->cr_startcopy, &dest->cr_startcopy,
 1935             (unsigned)((caddr_t)&src->cr_endcopy -
 1936                 (caddr_t)&src->cr_startcopy));
 1937         uihold(dest->cr_uidinfo);
 1938         uihold(dest->cr_ruidinfo);
 1939         if (jailed(dest))
 1940                 prison_hold(dest->cr_prison);
 1941 #ifdef MAC
 1942         mac_copy_cred(src, dest);
 1943 #endif
 1944 }
 1945 
 1946 /*
 1947  * Dup cred struct to a new held one.
 1948  * MPSAFE
 1949  */
 1950 struct ucred *
 1951 crdup(struct ucred *cr)
 1952 {
 1953         struct ucred *newcr;
 1954 
 1955         newcr = crget();
 1956         crcopy(newcr, cr);
 1957         return (newcr);
 1958 }
 1959 
 1960 /*
 1961  * Fill in a struct xucred based on a struct ucred.
 1962  * MPSAFE
 1963  */
 1964 void
 1965 cru2x(struct ucred *cr, struct xucred *xcr)
 1966 {
 1967 
 1968         bzero(xcr, sizeof(*xcr));
 1969         xcr->cr_version = XUCRED_VERSION;
 1970         xcr->cr_uid = cr->cr_uid;
 1971         xcr->cr_ngroups = cr->cr_ngroups;
 1972         bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
 1973 }
 1974 
 1975 /*
 1976  * small routine to swap a thread's current ucred for the correct one
 1977  * taken from the process.
 1978  * MPSAFE
 1979  */
 1980 void
 1981 cred_update_thread(struct thread *td)
 1982 {
 1983         struct proc *p;
 1984         struct ucred *cred;
 1985 
 1986         p = td->td_proc;
 1987         cred = td->td_ucred;
 1988         PROC_LOCK(p);
 1989         td->td_ucred = crhold(p->p_ucred);
 1990         PROC_UNLOCK(p);
 1991         if (cred != NULL)
 1992                 crfree(cred);
 1993 }
 1994 
 1995 /*
 1996  * Get login name, if available.
 1997  */
 1998 #ifndef _SYS_SYSPROTO_H_
 1999 struct getlogin_args {
 2000         char    *namebuf;
 2001         u_int   namelen;
 2002 };
 2003 #endif
 2004 /*
 2005  * MPSAFE
 2006  */
 2007 /* ARGSUSED */
 2008 int
 2009 getlogin(struct thread *td, struct getlogin_args *uap)
 2010 {
 2011         int error;
 2012         char login[MAXLOGNAME];
 2013         struct proc *p = td->td_proc;
 2014 
 2015         if (uap->namelen > MAXLOGNAME)
 2016                 uap->namelen = MAXLOGNAME;
 2017         PROC_LOCK(p);
 2018         SESS_LOCK(p->p_session);
 2019         bcopy(p->p_session->s_login, login, uap->namelen);
 2020         SESS_UNLOCK(p->p_session);
 2021         PROC_UNLOCK(p);
 2022         error = copyout(login, uap->namebuf, uap->namelen);
 2023         return(error);
 2024 }
 2025 
 2026 /*
 2027  * Set login name.
 2028  */
 2029 #ifndef _SYS_SYSPROTO_H_
 2030 struct setlogin_args {
 2031         char    *namebuf;
 2032 };
 2033 #endif
 2034 /*
 2035  * MPSAFE
 2036  */
 2037 /* ARGSUSED */
 2038 int
 2039 setlogin(struct thread *td, struct setlogin_args *uap)
 2040 {
 2041         struct proc *p = td->td_proc;
 2042         int error;
 2043         char logintmp[MAXLOGNAME];
 2044 
 2045         error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
 2046         if (error)
 2047                 return (error);
 2048         error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
 2049         if (error == ENAMETOOLONG)
 2050                 error = EINVAL;
 2051         else if (!error) {
 2052                 PROC_LOCK(p);
 2053                 SESS_LOCK(p->p_session);
 2054                 (void) memcpy(p->p_session->s_login, logintmp,
 2055                     sizeof(logintmp));
 2056                 SESS_UNLOCK(p->p_session);
 2057                 PROC_UNLOCK(p);
 2058         }
 2059         return (error);
 2060 }
 2061 
 2062 void
 2063 setsugid(struct proc *p)
 2064 {
 2065 
 2066         PROC_LOCK_ASSERT(p, MA_OWNED);
 2067         p->p_flag |= P_SUGID;
 2068         if (!(p->p_pfsflags & PF_ISUGID))
 2069                 p->p_stops = 0;
 2070 }
 2071 
 2072 /*-
 2073  * Change a process's effective uid.
 2074  * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
 2075  * References: newcred must be an exclusive credential reference for the
 2076  *             duration of the call.
 2077  */
 2078 void
 2079 change_euid(struct ucred *newcred, struct uidinfo *euip)
 2080 {
 2081 
 2082         newcred->cr_uid = euip->ui_uid;
 2083         uihold(euip);
 2084         uifree(newcred->cr_uidinfo);
 2085         newcred->cr_uidinfo = euip;
 2086 }
 2087 
 2088 /*-
 2089  * Change a process's effective gid.
 2090  * Side effects: newcred->cr_gid will be modified.
 2091  * References: newcred must be an exclusive credential reference for the
 2092  *             duration of the call.
 2093  */
 2094 void
 2095 change_egid(struct ucred *newcred, gid_t egid)
 2096 {
 2097 
 2098         newcred->cr_groups[0] = egid;
 2099 }
 2100 
 2101 /*-
 2102  * Change a process's real uid.
 2103  * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 2104  *               will be updated, and the old and new cr_ruidinfo proc
 2105  *               counts will be updated.
 2106  * References: newcred must be an exclusive credential reference for the
 2107  *             duration of the call.
 2108  */
 2109 void
 2110 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
 2111 {
 2112 
 2113         (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
 2114         newcred->cr_ruid = ruip->ui_uid;
 2115         uihold(ruip);
 2116         uifree(newcred->cr_ruidinfo);
 2117         newcred->cr_ruidinfo = ruip;
 2118         (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
 2119 }
 2120 
 2121 /*-
 2122  * Change a process's real gid.
 2123  * Side effects: newcred->cr_rgid will be updated.
 2124  * References: newcred must be an exclusive credential reference for the
 2125  *             duration of the call.
 2126  */
 2127 void
 2128 change_rgid(struct ucred *newcred, gid_t rgid)
 2129 {
 2130 
 2131         newcred->cr_rgid = rgid;
 2132 }
 2133 
 2134 /*-
 2135  * Change a process's saved uid.
 2136  * Side effects: newcred->cr_svuid will be updated.
 2137  * References: newcred must be an exclusive credential reference for the
 2138  *             duration of the call.
 2139  */
 2140 void
 2141 change_svuid(struct ucred *newcred, uid_t svuid)
 2142 {
 2143 
 2144         newcred->cr_svuid = svuid;
 2145 }
 2146 
 2147 /*-
 2148  * Change a process's saved gid.
 2149  * Side effects: newcred->cr_svgid will be updated.
 2150  * References: newcred must be an exclusive credential reference for the
 2151  *             duration of the call.
 2152  */
 2153 void
 2154 change_svgid(struct ucred *newcred, gid_t svgid)
 2155 {
 2156 
 2157         newcred->cr_svgid = svgid;
 2158 }

Cache object: 8972d6ae526068b9db348128b547ac4f


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.