FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
5 * The Regents of the University of California.
6 * (c) UNIX System Laboratories, Inc.
7 * Copyright (c) 2000-2001 Robert N. M. Watson.
8 * All rights reserved.
9 *
10 * All or some portions of this file are derived from material licensed
11 * to the University of California by American Telephone and Telegraph
12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
13 * the permission of UNIX System Laboratories, Inc.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
40 */
41
42 /*
43 * System calls related to processes and protection
44 */
45
46 #include <sys/cdefs.h>
47 __FBSDID("$FreeBSD$");
48
49 #include "opt_inet.h"
50 #include "opt_inet6.h"
51
52 #include <sys/param.h>
53 #include <sys/systm.h>
54 #include <sys/acct.h>
55 #include <sys/kdb.h>
56 #include <sys/kernel.h>
57 #include <sys/lock.h>
58 #include <sys/loginclass.h>
59 #include <sys/malloc.h>
60 #include <sys/mutex.h>
61 #include <sys/refcount.h>
62 #include <sys/sx.h>
63 #include <sys/priv.h>
64 #include <sys/proc.h>
65 #include <sys/sysent.h>
66 #include <sys/sysproto.h>
67 #include <sys/jail.h>
68 #include <sys/racct.h>
69 #include <sys/rctl.h>
70 #include <sys/resourcevar.h>
71 #include <sys/socket.h>
72 #include <sys/socketvar.h>
73 #include <sys/syscallsubr.h>
74 #include <sys/sysctl.h>
75
76 #ifdef REGRESSION
77 FEATURE(regression,
78 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
79 #endif
80
81 #include <security/audit/audit.h>
82 #include <security/mac/mac_framework.h>
83
84 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
85
86 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
87 "BSD security policy");
88
89 static void crfree_final(struct ucred *cr);
90 static void crsetgroups_locked(struct ucred *cr, int ngrp,
91 gid_t *groups);
92
93 #ifndef _SYS_SYSPROTO_H_
94 struct getpid_args {
95 int dummy;
96 };
97 #endif
98 /* ARGSUSED */
99 int
100 sys_getpid(struct thread *td, struct getpid_args *uap)
101 {
102 struct proc *p = td->td_proc;
103
104 td->td_retval[0] = p->p_pid;
105 #if defined(COMPAT_43)
106 if (SV_PROC_FLAG(p, SV_AOUT))
107 td->td_retval[1] = kern_getppid(td);
108 #endif
109 return (0);
110 }
111
112 #ifndef _SYS_SYSPROTO_H_
113 struct getppid_args {
114 int dummy;
115 };
116 #endif
117 /* ARGSUSED */
118 int
119 sys_getppid(struct thread *td, struct getppid_args *uap)
120 {
121
122 td->td_retval[0] = kern_getppid(td);
123 return (0);
124 }
125
126 int
127 kern_getppid(struct thread *td)
128 {
129 struct proc *p = td->td_proc;
130
131 return (p->p_oppid);
132 }
133
134 /*
135 * Get process group ID; note that POSIX getpgrp takes no parameter.
136 */
137 #ifndef _SYS_SYSPROTO_H_
138 struct getpgrp_args {
139 int dummy;
140 };
141 #endif
142 int
143 sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
144 {
145 struct proc *p = td->td_proc;
146
147 PROC_LOCK(p);
148 td->td_retval[0] = p->p_pgrp->pg_id;
149 PROC_UNLOCK(p);
150 return (0);
151 }
152
153 /* Get an arbitrary pid's process group id */
154 #ifndef _SYS_SYSPROTO_H_
155 struct getpgid_args {
156 pid_t pid;
157 };
158 #endif
159 int
160 sys_getpgid(struct thread *td, struct getpgid_args *uap)
161 {
162 struct proc *p;
163 int error;
164
165 if (uap->pid == 0) {
166 p = td->td_proc;
167 PROC_LOCK(p);
168 } else {
169 p = pfind(uap->pid);
170 if (p == NULL)
171 return (ESRCH);
172 error = p_cansee(td, p);
173 if (error) {
174 PROC_UNLOCK(p);
175 return (error);
176 }
177 }
178 td->td_retval[0] = p->p_pgrp->pg_id;
179 PROC_UNLOCK(p);
180 return (0);
181 }
182
183 /*
184 * Get an arbitrary pid's session id.
185 */
186 #ifndef _SYS_SYSPROTO_H_
187 struct getsid_args {
188 pid_t pid;
189 };
190 #endif
191 int
192 sys_getsid(struct thread *td, struct getsid_args *uap)
193 {
194
195 return (kern_getsid(td, uap->pid));
196 }
197
198 int
199 kern_getsid(struct thread *td, pid_t pid)
200 {
201 struct proc *p;
202 int error;
203
204 if (pid == 0) {
205 p = td->td_proc;
206 PROC_LOCK(p);
207 } else {
208 p = pfind(pid);
209 if (p == NULL)
210 return (ESRCH);
211 error = p_cansee(td, p);
212 if (error) {
213 PROC_UNLOCK(p);
214 return (error);
215 }
216 }
217 td->td_retval[0] = p->p_session->s_sid;
218 PROC_UNLOCK(p);
219 return (0);
220 }
221
222 #ifndef _SYS_SYSPROTO_H_
223 struct getuid_args {
224 int dummy;
225 };
226 #endif
227 /* ARGSUSED */
228 int
229 sys_getuid(struct thread *td, struct getuid_args *uap)
230 {
231
232 td->td_retval[0] = td->td_ucred->cr_ruid;
233 #if defined(COMPAT_43)
234 td->td_retval[1] = td->td_ucred->cr_uid;
235 #endif
236 return (0);
237 }
238
239 #ifndef _SYS_SYSPROTO_H_
240 struct geteuid_args {
241 int dummy;
242 };
243 #endif
244 /* ARGSUSED */
245 int
246 sys_geteuid(struct thread *td, struct geteuid_args *uap)
247 {
248
249 td->td_retval[0] = td->td_ucred->cr_uid;
250 return (0);
251 }
252
253 #ifndef _SYS_SYSPROTO_H_
254 struct getgid_args {
255 int dummy;
256 };
257 #endif
258 /* ARGSUSED */
259 int
260 sys_getgid(struct thread *td, struct getgid_args *uap)
261 {
262
263 td->td_retval[0] = td->td_ucred->cr_rgid;
264 #if defined(COMPAT_43)
265 td->td_retval[1] = td->td_ucred->cr_groups[0];
266 #endif
267 return (0);
268 }
269
270 /*
271 * Get effective group ID. The "egid" is groups[0], and could be obtained
272 * via getgroups. This syscall exists because it is somewhat painful to do
273 * correctly in a library function.
274 */
275 #ifndef _SYS_SYSPROTO_H_
276 struct getegid_args {
277 int dummy;
278 };
279 #endif
280 /* ARGSUSED */
281 int
282 sys_getegid(struct thread *td, struct getegid_args *uap)
283 {
284
285 td->td_retval[0] = td->td_ucred->cr_groups[0];
286 return (0);
287 }
288
289 #ifndef _SYS_SYSPROTO_H_
290 struct getgroups_args {
291 int gidsetsize;
292 gid_t *gidset;
293 };
294 #endif
295 int
296 sys_getgroups(struct thread *td, struct getgroups_args *uap)
297 {
298 struct ucred *cred;
299 int ngrp, error;
300
301 cred = td->td_ucred;
302 ngrp = cred->cr_ngroups;
303
304 if (uap->gidsetsize == 0) {
305 error = 0;
306 goto out;
307 }
308 if (uap->gidsetsize < ngrp)
309 return (EINVAL);
310
311 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
312 out:
313 td->td_retval[0] = ngrp;
314 return (error);
315 }
316
317 #ifndef _SYS_SYSPROTO_H_
318 struct setsid_args {
319 int dummy;
320 };
321 #endif
322 /* ARGSUSED */
323 int
324 sys_setsid(struct thread *td, struct setsid_args *uap)
325 {
326 struct pgrp *pgrp;
327 int error;
328 struct proc *p = td->td_proc;
329 struct pgrp *newpgrp;
330 struct session *newsess;
331
332 error = 0;
333 pgrp = NULL;
334
335 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
336 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
337
338 sx_xlock(&proctree_lock);
339
340 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
341 if (pgrp != NULL)
342 PGRP_UNLOCK(pgrp);
343 error = EPERM;
344 } else {
345 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
346 td->td_retval[0] = p->p_pid;
347 newpgrp = NULL;
348 newsess = NULL;
349 }
350
351 sx_xunlock(&proctree_lock);
352
353 uma_zfree(pgrp_zone, newpgrp);
354 free(newsess, M_SESSION);
355
356 return (error);
357 }
358
359 /*
360 * set process group (setpgid/old setpgrp)
361 *
362 * caller does setpgid(targpid, targpgid)
363 *
364 * pid must be caller or child of caller (ESRCH)
365 * if a child
366 * pid must be in same session (EPERM)
367 * pid can't have done an exec (EACCES)
368 * if pgid != pid
369 * there must exist some pid in same session having pgid (EPERM)
370 * pid must not be session leader (EPERM)
371 */
372 #ifndef _SYS_SYSPROTO_H_
373 struct setpgid_args {
374 int pid; /* target process id */
375 int pgid; /* target pgrp id */
376 };
377 #endif
378 /* ARGSUSED */
379 int
380 sys_setpgid(struct thread *td, struct setpgid_args *uap)
381 {
382 struct proc *curp = td->td_proc;
383 struct proc *targp; /* target process */
384 struct pgrp *pgrp; /* target pgrp */
385 int error;
386 struct pgrp *newpgrp;
387
388 if (uap->pgid < 0)
389 return (EINVAL);
390
391 error = 0;
392
393 newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
394
395 sx_xlock(&proctree_lock);
396 if (uap->pid != 0 && uap->pid != curp->p_pid) {
397 if ((targp = pfind(uap->pid)) == NULL) {
398 error = ESRCH;
399 goto done;
400 }
401 if (!inferior(targp)) {
402 PROC_UNLOCK(targp);
403 error = ESRCH;
404 goto done;
405 }
406 if ((error = p_cansee(td, targp))) {
407 PROC_UNLOCK(targp);
408 goto done;
409 }
410 if (targp->p_pgrp == NULL ||
411 targp->p_session != curp->p_session) {
412 PROC_UNLOCK(targp);
413 error = EPERM;
414 goto done;
415 }
416 if (targp->p_flag & P_EXEC) {
417 PROC_UNLOCK(targp);
418 error = EACCES;
419 goto done;
420 }
421 PROC_UNLOCK(targp);
422 } else
423 targp = curp;
424 if (SESS_LEADER(targp)) {
425 error = EPERM;
426 goto done;
427 }
428 if (uap->pgid == 0)
429 uap->pgid = targp->p_pid;
430 if ((pgrp = pgfind(uap->pgid)) == NULL) {
431 if (uap->pgid == targp->p_pid) {
432 error = enterpgrp(targp, uap->pgid, newpgrp,
433 NULL);
434 if (error == 0)
435 newpgrp = NULL;
436 } else
437 error = EPERM;
438 } else {
439 if (pgrp == targp->p_pgrp) {
440 PGRP_UNLOCK(pgrp);
441 goto done;
442 }
443 if (pgrp->pg_id != targp->p_pid &&
444 pgrp->pg_session != curp->p_session) {
445 PGRP_UNLOCK(pgrp);
446 error = EPERM;
447 goto done;
448 }
449 PGRP_UNLOCK(pgrp);
450 error = enterthispgrp(targp, pgrp);
451 }
452 done:
453 sx_xunlock(&proctree_lock);
454 KASSERT((error == 0) || (newpgrp != NULL),
455 ("setpgid failed and newpgrp is NULL"));
456 uma_zfree(pgrp_zone, newpgrp);
457 return (error);
458 }
459
460 /*
461 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
462 * compatible. It says that setting the uid/gid to euid/egid is a special
463 * case of "appropriate privilege". Once the rules are expanded out, this
464 * basically means that setuid(nnn) sets all three id's, in all permitted
465 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
466 * does not set the saved id - this is dangerous for traditional BSD
467 * programs. For this reason, we *really* do not want to set
468 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
469 */
470 #define POSIX_APPENDIX_B_4_2_2
471
472 #ifndef _SYS_SYSPROTO_H_
473 struct setuid_args {
474 uid_t uid;
475 };
476 #endif
477 /* ARGSUSED */
478 int
479 sys_setuid(struct thread *td, struct setuid_args *uap)
480 {
481 struct proc *p = td->td_proc;
482 struct ucred *newcred, *oldcred;
483 uid_t uid;
484 struct uidinfo *uip;
485 int error;
486
487 uid = uap->uid;
488 AUDIT_ARG_UID(uid);
489 newcred = crget();
490 uip = uifind(uid);
491 PROC_LOCK(p);
492 /*
493 * Copy credentials so other references do not see our changes.
494 */
495 oldcred = crcopysafe(p, newcred);
496
497 #ifdef MAC
498 error = mac_cred_check_setuid(oldcred, uid);
499 if (error)
500 goto fail;
501 #endif
502
503 /*
504 * See if we have "permission" by POSIX 1003.1 rules.
505 *
506 * Note that setuid(geteuid()) is a special case of
507 * "appropriate privileges" in appendix B.4.2.2. We need
508 * to use this clause to be compatible with traditional BSD
509 * semantics. Basically, it means that "setuid(xx)" sets all
510 * three id's (assuming you have privs).
511 *
512 * Notes on the logic. We do things in three steps.
513 * 1: We determine if the euid is going to change, and do EPERM
514 * right away. We unconditionally change the euid later if this
515 * test is satisfied, simplifying that part of the logic.
516 * 2: We determine if the real and/or saved uids are going to
517 * change. Determined by compile options.
518 * 3: Change euid last. (after tests in #2 for "appropriate privs")
519 */
520 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
521 #ifdef _POSIX_SAVED_IDS
522 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
523 #endif
524 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
525 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
526 #endif
527 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0)
528 goto fail;
529
530 #ifdef _POSIX_SAVED_IDS
531 /*
532 * Do we have "appropriate privileges" (are we root or uid == euid)
533 * If so, we are changing the real uid and/or saved uid.
534 */
535 if (
536 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
537 uid == oldcred->cr_uid ||
538 #endif
539 /* We are using privs. */
540 priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0)
541 #endif
542 {
543 /*
544 * Set the real uid and transfer proc count to new user.
545 */
546 if (uid != oldcred->cr_ruid) {
547 change_ruid(newcred, uip);
548 setsugid(p);
549 }
550 /*
551 * Set saved uid
552 *
553 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
554 * the security of seteuid() depends on it. B.4.2.2 says it
555 * is important that we should do this.
556 */
557 if (uid != oldcred->cr_svuid) {
558 change_svuid(newcred, uid);
559 setsugid(p);
560 }
561 }
562
563 /*
564 * In all permitted cases, we are changing the euid.
565 */
566 if (uid != oldcred->cr_uid) {
567 change_euid(newcred, uip);
568 setsugid(p);
569 }
570 proc_set_cred(p, newcred);
571 #ifdef RACCT
572 racct_proc_ucred_changed(p, oldcred, newcred);
573 crhold(newcred);
574 #endif
575 PROC_UNLOCK(p);
576 #ifdef RCTL
577 rctl_proc_ucred_changed(p, newcred);
578 crfree(newcred);
579 #endif
580 uifree(uip);
581 crfree(oldcred);
582 return (0);
583
584 fail:
585 PROC_UNLOCK(p);
586 uifree(uip);
587 crfree(newcred);
588 return (error);
589 }
590
591 #ifndef _SYS_SYSPROTO_H_
592 struct seteuid_args {
593 uid_t euid;
594 };
595 #endif
596 /* ARGSUSED */
597 int
598 sys_seteuid(struct thread *td, struct seteuid_args *uap)
599 {
600 struct proc *p = td->td_proc;
601 struct ucred *newcred, *oldcred;
602 uid_t euid;
603 struct uidinfo *euip;
604 int error;
605
606 euid = uap->euid;
607 AUDIT_ARG_EUID(euid);
608 newcred = crget();
609 euip = uifind(euid);
610 PROC_LOCK(p);
611 /*
612 * Copy credentials so other references do not see our changes.
613 */
614 oldcred = crcopysafe(p, newcred);
615
616 #ifdef MAC
617 error = mac_cred_check_seteuid(oldcred, euid);
618 if (error)
619 goto fail;
620 #endif
621
622 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
623 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
624 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0)
625 goto fail;
626
627 /*
628 * Everything's okay, do it.
629 */
630 if (oldcred->cr_uid != euid) {
631 change_euid(newcred, euip);
632 setsugid(p);
633 }
634 proc_set_cred(p, newcred);
635 PROC_UNLOCK(p);
636 uifree(euip);
637 crfree(oldcred);
638 return (0);
639
640 fail:
641 PROC_UNLOCK(p);
642 uifree(euip);
643 crfree(newcred);
644 return (error);
645 }
646
647 #ifndef _SYS_SYSPROTO_H_
648 struct setgid_args {
649 gid_t gid;
650 };
651 #endif
652 /* ARGSUSED */
653 int
654 sys_setgid(struct thread *td, struct setgid_args *uap)
655 {
656 struct proc *p = td->td_proc;
657 struct ucred *newcred, *oldcred;
658 gid_t gid;
659 int error;
660
661 gid = uap->gid;
662 AUDIT_ARG_GID(gid);
663 newcred = crget();
664 PROC_LOCK(p);
665 oldcred = crcopysafe(p, newcred);
666
667 #ifdef MAC
668 error = mac_cred_check_setgid(oldcred, gid);
669 if (error)
670 goto fail;
671 #endif
672
673 /*
674 * See if we have "permission" by POSIX 1003.1 rules.
675 *
676 * Note that setgid(getegid()) is a special case of
677 * "appropriate privileges" in appendix B.4.2.2. We need
678 * to use this clause to be compatible with traditional BSD
679 * semantics. Basically, it means that "setgid(xx)" sets all
680 * three id's (assuming you have privs).
681 *
682 * For notes on the logic here, see setuid() above.
683 */
684 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
685 #ifdef _POSIX_SAVED_IDS
686 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
687 #endif
688 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
689 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
690 #endif
691 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0)
692 goto fail;
693
694 #ifdef _POSIX_SAVED_IDS
695 /*
696 * Do we have "appropriate privileges" (are we root or gid == egid)
697 * If so, we are changing the real uid and saved gid.
698 */
699 if (
700 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
701 gid == oldcred->cr_groups[0] ||
702 #endif
703 /* We are using privs. */
704 priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0)
705 #endif
706 {
707 /*
708 * Set real gid
709 */
710 if (oldcred->cr_rgid != gid) {
711 change_rgid(newcred, gid);
712 setsugid(p);
713 }
714 /*
715 * Set saved gid
716 *
717 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
718 * the security of setegid() depends on it. B.4.2.2 says it
719 * is important that we should do this.
720 */
721 if (oldcred->cr_svgid != gid) {
722 change_svgid(newcred, gid);
723 setsugid(p);
724 }
725 }
726 /*
727 * In all cases permitted cases, we are changing the egid.
728 * Copy credentials so other references do not see our changes.
729 */
730 if (oldcred->cr_groups[0] != gid) {
731 change_egid(newcred, gid);
732 setsugid(p);
733 }
734 proc_set_cred(p, newcred);
735 PROC_UNLOCK(p);
736 crfree(oldcred);
737 return (0);
738
739 fail:
740 PROC_UNLOCK(p);
741 crfree(newcred);
742 return (error);
743 }
744
745 #ifndef _SYS_SYSPROTO_H_
746 struct setegid_args {
747 gid_t egid;
748 };
749 #endif
750 /* ARGSUSED */
751 int
752 sys_setegid(struct thread *td, struct setegid_args *uap)
753 {
754 struct proc *p = td->td_proc;
755 struct ucred *newcred, *oldcred;
756 gid_t egid;
757 int error;
758
759 egid = uap->egid;
760 AUDIT_ARG_EGID(egid);
761 newcred = crget();
762 PROC_LOCK(p);
763 oldcred = crcopysafe(p, newcred);
764
765 #ifdef MAC
766 error = mac_cred_check_setegid(oldcred, egid);
767 if (error)
768 goto fail;
769 #endif
770
771 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
772 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
773 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0)
774 goto fail;
775
776 if (oldcred->cr_groups[0] != egid) {
777 change_egid(newcred, egid);
778 setsugid(p);
779 }
780 proc_set_cred(p, newcred);
781 PROC_UNLOCK(p);
782 crfree(oldcred);
783 return (0);
784
785 fail:
786 PROC_UNLOCK(p);
787 crfree(newcred);
788 return (error);
789 }
790
791 #ifndef _SYS_SYSPROTO_H_
792 struct setgroups_args {
793 int gidsetsize;
794 gid_t *gidset;
795 };
796 #endif
797 /* ARGSUSED */
798 int
799 sys_setgroups(struct thread *td, struct setgroups_args *uap)
800 {
801 gid_t smallgroups[XU_NGROUPS];
802 gid_t *groups;
803 int gidsetsize, error;
804
805 gidsetsize = uap->gidsetsize;
806 if (gidsetsize > ngroups_max + 1 || gidsetsize < 0)
807 return (EINVAL);
808
809 if (gidsetsize > XU_NGROUPS)
810 groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
811 else
812 groups = smallgroups;
813
814 error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
815 if (error == 0)
816 error = kern_setgroups(td, gidsetsize, groups);
817
818 if (gidsetsize > XU_NGROUPS)
819 free(groups, M_TEMP);
820 return (error);
821 }
822
823 int
824 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
825 {
826 struct proc *p = td->td_proc;
827 struct ucred *newcred, *oldcred;
828 int error;
829
830 MPASS(ngrp <= ngroups_max + 1);
831 AUDIT_ARG_GROUPSET(groups, ngrp);
832 newcred = crget();
833 crextend(newcred, ngrp);
834 PROC_LOCK(p);
835 oldcred = crcopysafe(p, newcred);
836
837 #ifdef MAC
838 error = mac_cred_check_setgroups(oldcred, ngrp, groups);
839 if (error)
840 goto fail;
841 #endif
842
843 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS);
844 if (error)
845 goto fail;
846
847 if (ngrp == 0) {
848 /*
849 * setgroups(0, NULL) is a legitimate way of clearing the
850 * groups vector on non-BSD systems (which generally do not
851 * have the egid in the groups[0]). We risk security holes
852 * when running non-BSD software if we do not do the same.
853 */
854 newcred->cr_ngroups = 1;
855 } else {
856 crsetgroups_locked(newcred, ngrp, groups);
857 }
858 setsugid(p);
859 proc_set_cred(p, newcred);
860 PROC_UNLOCK(p);
861 crfree(oldcred);
862 return (0);
863
864 fail:
865 PROC_UNLOCK(p);
866 crfree(newcred);
867 return (error);
868 }
869
870 #ifndef _SYS_SYSPROTO_H_
871 struct setreuid_args {
872 uid_t ruid;
873 uid_t euid;
874 };
875 #endif
876 /* ARGSUSED */
877 int
878 sys_setreuid(struct thread *td, struct setreuid_args *uap)
879 {
880 struct proc *p = td->td_proc;
881 struct ucred *newcred, *oldcred;
882 uid_t euid, ruid;
883 struct uidinfo *euip, *ruip;
884 int error;
885
886 euid = uap->euid;
887 ruid = uap->ruid;
888 AUDIT_ARG_EUID(euid);
889 AUDIT_ARG_RUID(ruid);
890 newcred = crget();
891 euip = uifind(euid);
892 ruip = uifind(ruid);
893 PROC_LOCK(p);
894 oldcred = crcopysafe(p, newcred);
895
896 #ifdef MAC
897 error = mac_cred_check_setreuid(oldcred, ruid, euid);
898 if (error)
899 goto fail;
900 #endif
901
902 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
903 ruid != oldcred->cr_svuid) ||
904 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
905 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
906 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0)
907 goto fail;
908
909 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
910 change_euid(newcred, euip);
911 setsugid(p);
912 }
913 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
914 change_ruid(newcred, ruip);
915 setsugid(p);
916 }
917 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
918 newcred->cr_svuid != newcred->cr_uid) {
919 change_svuid(newcred, newcred->cr_uid);
920 setsugid(p);
921 }
922 proc_set_cred(p, newcred);
923 #ifdef RACCT
924 racct_proc_ucred_changed(p, oldcred, newcred);
925 crhold(newcred);
926 #endif
927 PROC_UNLOCK(p);
928 #ifdef RCTL
929 rctl_proc_ucred_changed(p, newcred);
930 crfree(newcred);
931 #endif
932 uifree(ruip);
933 uifree(euip);
934 crfree(oldcred);
935 return (0);
936
937 fail:
938 PROC_UNLOCK(p);
939 uifree(ruip);
940 uifree(euip);
941 crfree(newcred);
942 return (error);
943 }
944
945 #ifndef _SYS_SYSPROTO_H_
946 struct setregid_args {
947 gid_t rgid;
948 gid_t egid;
949 };
950 #endif
951 /* ARGSUSED */
952 int
953 sys_setregid(struct thread *td, struct setregid_args *uap)
954 {
955 struct proc *p = td->td_proc;
956 struct ucred *newcred, *oldcred;
957 gid_t egid, rgid;
958 int error;
959
960 egid = uap->egid;
961 rgid = uap->rgid;
962 AUDIT_ARG_EGID(egid);
963 AUDIT_ARG_RGID(rgid);
964 newcred = crget();
965 PROC_LOCK(p);
966 oldcred = crcopysafe(p, newcred);
967
968 #ifdef MAC
969 error = mac_cred_check_setregid(oldcred, rgid, egid);
970 if (error)
971 goto fail;
972 #endif
973
974 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
975 rgid != oldcred->cr_svgid) ||
976 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
977 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
978 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0)
979 goto fail;
980
981 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
982 change_egid(newcred, egid);
983 setsugid(p);
984 }
985 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
986 change_rgid(newcred, rgid);
987 setsugid(p);
988 }
989 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
990 newcred->cr_svgid != newcred->cr_groups[0]) {
991 change_svgid(newcred, newcred->cr_groups[0]);
992 setsugid(p);
993 }
994 proc_set_cred(p, newcred);
995 PROC_UNLOCK(p);
996 crfree(oldcred);
997 return (0);
998
999 fail:
1000 PROC_UNLOCK(p);
1001 crfree(newcred);
1002 return (error);
1003 }
1004
1005 /*
1006 * setresuid(ruid, euid, suid) is like setreuid except control over the saved
1007 * uid is explicit.
1008 */
1009 #ifndef _SYS_SYSPROTO_H_
1010 struct setresuid_args {
1011 uid_t ruid;
1012 uid_t euid;
1013 uid_t suid;
1014 };
1015 #endif
1016 /* ARGSUSED */
1017 int
1018 sys_setresuid(struct thread *td, struct setresuid_args *uap)
1019 {
1020 struct proc *p = td->td_proc;
1021 struct ucred *newcred, *oldcred;
1022 uid_t euid, ruid, suid;
1023 struct uidinfo *euip, *ruip;
1024 int error;
1025
1026 euid = uap->euid;
1027 ruid = uap->ruid;
1028 suid = uap->suid;
1029 AUDIT_ARG_EUID(euid);
1030 AUDIT_ARG_RUID(ruid);
1031 AUDIT_ARG_SUID(suid);
1032 newcred = crget();
1033 euip = uifind(euid);
1034 ruip = uifind(ruid);
1035 PROC_LOCK(p);
1036 oldcred = crcopysafe(p, newcred);
1037
1038 #ifdef MAC
1039 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
1040 if (error)
1041 goto fail;
1042 #endif
1043
1044 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1045 ruid != oldcred->cr_svuid &&
1046 ruid != oldcred->cr_uid) ||
1047 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1048 euid != oldcred->cr_svuid &&
1049 euid != oldcred->cr_uid) ||
1050 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1051 suid != oldcred->cr_svuid &&
1052 suid != oldcred->cr_uid)) &&
1053 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0)
1054 goto fail;
1055
1056 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1057 change_euid(newcred, euip);
1058 setsugid(p);
1059 }
1060 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1061 change_ruid(newcred, ruip);
1062 setsugid(p);
1063 }
1064 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1065 change_svuid(newcred, suid);
1066 setsugid(p);
1067 }
1068 proc_set_cred(p, newcred);
1069 #ifdef RACCT
1070 racct_proc_ucred_changed(p, oldcred, newcred);
1071 crhold(newcred);
1072 #endif
1073 PROC_UNLOCK(p);
1074 #ifdef RCTL
1075 rctl_proc_ucred_changed(p, newcred);
1076 crfree(newcred);
1077 #endif
1078 uifree(ruip);
1079 uifree(euip);
1080 crfree(oldcred);
1081 return (0);
1082
1083 fail:
1084 PROC_UNLOCK(p);
1085 uifree(ruip);
1086 uifree(euip);
1087 crfree(newcred);
1088 return (error);
1089
1090 }
1091
1092 /*
1093 * setresgid(rgid, egid, sgid) is like setregid except control over the saved
1094 * gid is explicit.
1095 */
1096 #ifndef _SYS_SYSPROTO_H_
1097 struct setresgid_args {
1098 gid_t rgid;
1099 gid_t egid;
1100 gid_t sgid;
1101 };
1102 #endif
1103 /* ARGSUSED */
1104 int
1105 sys_setresgid(struct thread *td, struct setresgid_args *uap)
1106 {
1107 struct proc *p = td->td_proc;
1108 struct ucred *newcred, *oldcred;
1109 gid_t egid, rgid, sgid;
1110 int error;
1111
1112 egid = uap->egid;
1113 rgid = uap->rgid;
1114 sgid = uap->sgid;
1115 AUDIT_ARG_EGID(egid);
1116 AUDIT_ARG_RGID(rgid);
1117 AUDIT_ARG_SGID(sgid);
1118 newcred = crget();
1119 PROC_LOCK(p);
1120 oldcred = crcopysafe(p, newcred);
1121
1122 #ifdef MAC
1123 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
1124 if (error)
1125 goto fail;
1126 #endif
1127
1128 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1129 rgid != oldcred->cr_svgid &&
1130 rgid != oldcred->cr_groups[0]) ||
1131 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1132 egid != oldcred->cr_svgid &&
1133 egid != oldcred->cr_groups[0]) ||
1134 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1135 sgid != oldcred->cr_svgid &&
1136 sgid != oldcred->cr_groups[0])) &&
1137 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0)
1138 goto fail;
1139
1140 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1141 change_egid(newcred, egid);
1142 setsugid(p);
1143 }
1144 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1145 change_rgid(newcred, rgid);
1146 setsugid(p);
1147 }
1148 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1149 change_svgid(newcred, sgid);
1150 setsugid(p);
1151 }
1152 proc_set_cred(p, newcred);
1153 PROC_UNLOCK(p);
1154 crfree(oldcred);
1155 return (0);
1156
1157 fail:
1158 PROC_UNLOCK(p);
1159 crfree(newcred);
1160 return (error);
1161 }
1162
1163 #ifndef _SYS_SYSPROTO_H_
1164 struct getresuid_args {
1165 uid_t *ruid;
1166 uid_t *euid;
1167 uid_t *suid;
1168 };
1169 #endif
1170 /* ARGSUSED */
1171 int
1172 sys_getresuid(struct thread *td, struct getresuid_args *uap)
1173 {
1174 struct ucred *cred;
1175 int error1 = 0, error2 = 0, error3 = 0;
1176
1177 cred = td->td_ucred;
1178 if (uap->ruid)
1179 error1 = copyout(&cred->cr_ruid,
1180 uap->ruid, sizeof(cred->cr_ruid));
1181 if (uap->euid)
1182 error2 = copyout(&cred->cr_uid,
1183 uap->euid, sizeof(cred->cr_uid));
1184 if (uap->suid)
1185 error3 = copyout(&cred->cr_svuid,
1186 uap->suid, sizeof(cred->cr_svuid));
1187 return (error1 ? error1 : error2 ? error2 : error3);
1188 }
1189
1190 #ifndef _SYS_SYSPROTO_H_
1191 struct getresgid_args {
1192 gid_t *rgid;
1193 gid_t *egid;
1194 gid_t *sgid;
1195 };
1196 #endif
1197 /* ARGSUSED */
1198 int
1199 sys_getresgid(struct thread *td, struct getresgid_args *uap)
1200 {
1201 struct ucred *cred;
1202 int error1 = 0, error2 = 0, error3 = 0;
1203
1204 cred = td->td_ucred;
1205 if (uap->rgid)
1206 error1 = copyout(&cred->cr_rgid,
1207 uap->rgid, sizeof(cred->cr_rgid));
1208 if (uap->egid)
1209 error2 = copyout(&cred->cr_groups[0],
1210 uap->egid, sizeof(cred->cr_groups[0]));
1211 if (uap->sgid)
1212 error3 = copyout(&cred->cr_svgid,
1213 uap->sgid, sizeof(cred->cr_svgid));
1214 return (error1 ? error1 : error2 ? error2 : error3);
1215 }
1216
1217 #ifndef _SYS_SYSPROTO_H_
1218 struct issetugid_args {
1219 int dummy;
1220 };
1221 #endif
1222 /* ARGSUSED */
1223 int
1224 sys_issetugid(struct thread *td, struct issetugid_args *uap)
1225 {
1226 struct proc *p = td->td_proc;
1227
1228 /*
1229 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1230 * we use P_SUGID because we consider changing the owners as
1231 * "tainting" as well.
1232 * This is significant for procs that start as root and "become"
1233 * a user without an exec - programs cannot know *everything*
1234 * that libc *might* have put in their data segment.
1235 */
1236 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1237 return (0);
1238 }
1239
1240 int
1241 sys___setugid(struct thread *td, struct __setugid_args *uap)
1242 {
1243 #ifdef REGRESSION
1244 struct proc *p;
1245
1246 p = td->td_proc;
1247 switch (uap->flag) {
1248 case 0:
1249 PROC_LOCK(p);
1250 p->p_flag &= ~P_SUGID;
1251 PROC_UNLOCK(p);
1252 return (0);
1253 case 1:
1254 PROC_LOCK(p);
1255 p->p_flag |= P_SUGID;
1256 PROC_UNLOCK(p);
1257 return (0);
1258 default:
1259 return (EINVAL);
1260 }
1261 #else /* !REGRESSION */
1262
1263 return (ENOSYS);
1264 #endif /* REGRESSION */
1265 }
1266
1267 /*
1268 * Check if gid is a member of the group set.
1269 */
1270 int
1271 groupmember(gid_t gid, struct ucred *cred)
1272 {
1273 int l;
1274 int h;
1275 int m;
1276
1277 if (cred->cr_groups[0] == gid)
1278 return(1);
1279
1280 /*
1281 * If gid was not our primary group, perform a binary search
1282 * of the supplemental groups. This is possible because we
1283 * sort the groups in crsetgroups().
1284 */
1285 l = 1;
1286 h = cred->cr_ngroups;
1287 while (l < h) {
1288 m = l + ((h - l) / 2);
1289 if (cred->cr_groups[m] < gid)
1290 l = m + 1;
1291 else
1292 h = m;
1293 }
1294 if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid))
1295 return (1);
1296
1297 return (0);
1298 }
1299
1300 /*
1301 * Test the active securelevel against a given level. securelevel_gt()
1302 * implements (securelevel > level). securelevel_ge() implements
1303 * (securelevel >= level). Note that the logic is inverted -- these
1304 * functions return EPERM on "success" and 0 on "failure".
1305 *
1306 * Due to care taken when setting the securelevel, we know that no jail will
1307 * be less secure that its parent (or the physical system), so it is sufficient
1308 * to test the current jail only.
1309 *
1310 * XXXRW: Possibly since this has to do with privilege, it should move to
1311 * kern_priv.c.
1312 */
1313 int
1314 securelevel_gt(struct ucred *cr, int level)
1315 {
1316
1317 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
1318 }
1319
1320 int
1321 securelevel_ge(struct ucred *cr, int level)
1322 {
1323
1324 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0);
1325 }
1326
1327 /*
1328 * 'see_other_uids' determines whether or not visibility of processes
1329 * and sockets with credentials holding different real uids is possible
1330 * using a variety of system MIBs.
1331 * XXX: data declarations should be together near the beginning of the file.
1332 */
1333 static int see_other_uids = 1;
1334 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1335 &see_other_uids, 0,
1336 "Unprivileged processes may see subjects/objects with different real uid");
1337
1338 /*-
1339 * Determine if u1 "can see" the subject specified by u2, according to the
1340 * 'see_other_uids' policy.
1341 * Returns: 0 for permitted, ESRCH otherwise
1342 * Locks: none
1343 * References: *u1 and *u2 must not change during the call
1344 * u1 may equal u2, in which case only one reference is required
1345 */
1346 int
1347 cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
1348 {
1349
1350 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1351 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0)
1352 return (ESRCH);
1353 }
1354 return (0);
1355 }
1356
1357 /*
1358 * 'see_other_gids' determines whether or not visibility of processes
1359 * and sockets with credentials holding different real gids is possible
1360 * using a variety of system MIBs.
1361 * XXX: data declarations should be together near the beginning of the file.
1362 */
1363 static int see_other_gids = 1;
1364 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1365 &see_other_gids, 0,
1366 "Unprivileged processes may see subjects/objects with different real gid");
1367
1368 /*
1369 * Determine if u1 can "see" the subject specified by u2, according to the
1370 * 'see_other_gids' policy.
1371 * Returns: 0 for permitted, ESRCH otherwise
1372 * Locks: none
1373 * References: *u1 and *u2 must not change during the call
1374 * u1 may equal u2, in which case only one reference is required
1375 */
1376 int
1377 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
1378 {
1379 int i, match;
1380
1381 if (!see_other_gids) {
1382 match = 0;
1383 for (i = 0; i < u1->cr_ngroups; i++) {
1384 if (groupmember(u1->cr_groups[i], u2))
1385 match = 1;
1386 if (match)
1387 break;
1388 }
1389 if (!match) {
1390 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
1391 return (ESRCH);
1392 }
1393 }
1394 return (0);
1395 }
1396
1397 /*
1398 * 'see_jail_proc' determines whether or not visibility of processes and
1399 * sockets with credentials holding different jail ids is possible using a
1400 * variety of system MIBs.
1401 *
1402 * XXX: data declarations should be together near the beginning of the file.
1403 */
1404
1405 static int see_jail_proc = 1;
1406 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
1407 &see_jail_proc, 0,
1408 "Unprivileged processes may see subjects/objects with different jail ids");
1409
1410 /*-
1411 * Determine if u1 "can see" the subject specified by u2, according to the
1412 * 'see_jail_proc' policy.
1413 * Returns: 0 for permitted, ESRCH otherwise
1414 * Locks: none
1415 * References: *u1 and *u2 must not change during the call
1416 * u1 may equal u2, in which case only one reference is required
1417 */
1418 int
1419 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
1420 {
1421 if (u1->cr_uid == 0)
1422 return (0);
1423 return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
1424 }
1425
1426 /*-
1427 * Determine if u1 "can see" the subject specified by u2.
1428 * Returns: 0 for permitted, an errno value otherwise
1429 * Locks: none
1430 * References: *u1 and *u2 must not change during the call
1431 * u1 may equal u2, in which case only one reference is required
1432 */
1433 int
1434 cr_cansee(struct ucred *u1, struct ucred *u2)
1435 {
1436 int error;
1437
1438 if ((error = prison_check(u1, u2)))
1439 return (error);
1440 #ifdef MAC
1441 if ((error = mac_cred_check_visible(u1, u2)))
1442 return (error);
1443 #endif
1444 if ((error = cr_canseeotheruids(u1, u2)))
1445 return (error);
1446 if ((error = cr_canseeothergids(u1, u2)))
1447 return (error);
1448 if ((error = cr_canseejailproc(u1, u2)))
1449 return (error);
1450 return (0);
1451 }
1452
1453 /*-
1454 * Determine if td "can see" the subject specified by p.
1455 * Returns: 0 for permitted, an errno value otherwise
1456 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1457 * should be curthread.
1458 * References: td and p must be valid for the lifetime of the call
1459 */
1460 int
1461 p_cansee(struct thread *td, struct proc *p)
1462 {
1463
1464 /* Wrap cr_cansee() for all functionality. */
1465 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1466 PROC_LOCK_ASSERT(p, MA_OWNED);
1467 return (cr_cansee(td->td_ucred, p->p_ucred));
1468 }
1469
1470 /*
1471 * 'conservative_signals' prevents the delivery of a broad class of
1472 * signals by unprivileged processes to processes that have changed their
1473 * credentials since the last invocation of execve(). This can prevent
1474 * the leakage of cached information or retained privileges as a result
1475 * of a common class of signal-related vulnerabilities. However, this
1476 * may interfere with some applications that expect to be able to
1477 * deliver these signals to peer processes after having given up
1478 * privilege.
1479 */
1480 static int conservative_signals = 1;
1481 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1482 &conservative_signals, 0, "Unprivileged processes prevented from "
1483 "sending certain signals to processes whose credentials have changed");
1484 /*-
1485 * Determine whether cred may deliver the specified signal to proc.
1486 * Returns: 0 for permitted, an errno value otherwise.
1487 * Locks: A lock must be held for proc.
1488 * References: cred and proc must be valid for the lifetime of the call.
1489 */
1490 int
1491 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1492 {
1493 int error;
1494
1495 PROC_LOCK_ASSERT(proc, MA_OWNED);
1496 /*
1497 * Jail semantics limit the scope of signalling to proc in the
1498 * same jail as cred, if cred is in jail.
1499 */
1500 error = prison_check(cred, proc->p_ucred);
1501 if (error)
1502 return (error);
1503 #ifdef MAC
1504 if ((error = mac_proc_check_signal(cred, proc, signum)))
1505 return (error);
1506 #endif
1507 if ((error = cr_canseeotheruids(cred, proc->p_ucred)))
1508 return (error);
1509 if ((error = cr_canseeothergids(cred, proc->p_ucred)))
1510 return (error);
1511
1512 /*
1513 * UNIX signal semantics depend on the status of the P_SUGID
1514 * bit on the target process. If the bit is set, then additional
1515 * restrictions are placed on the set of available signals.
1516 */
1517 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1518 switch (signum) {
1519 case 0:
1520 case SIGKILL:
1521 case SIGINT:
1522 case SIGTERM:
1523 case SIGALRM:
1524 case SIGSTOP:
1525 case SIGTTIN:
1526 case SIGTTOU:
1527 case SIGTSTP:
1528 case SIGHUP:
1529 case SIGUSR1:
1530 case SIGUSR2:
1531 /*
1532 * Generally, permit job and terminal control
1533 * signals.
1534 */
1535 break;
1536 default:
1537 /* Not permitted without privilege. */
1538 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID);
1539 if (error)
1540 return (error);
1541 }
1542 }
1543
1544 /*
1545 * Generally, the target credential's ruid or svuid must match the
1546 * subject credential's ruid or euid.
1547 */
1548 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1549 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1550 cred->cr_uid != proc->p_ucred->cr_ruid &&
1551 cred->cr_uid != proc->p_ucred->cr_svuid) {
1552 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED);
1553 if (error)
1554 return (error);
1555 }
1556
1557 return (0);
1558 }
1559
1560 /*-
1561 * Determine whether td may deliver the specified signal to p.
1562 * Returns: 0 for permitted, an errno value otherwise
1563 * Locks: Sufficient locks to protect various components of td and p
1564 * must be held. td must be curthread, and a lock must be
1565 * held for p.
1566 * References: td and p must be valid for the lifetime of the call
1567 */
1568 int
1569 p_cansignal(struct thread *td, struct proc *p, int signum)
1570 {
1571
1572 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1573 PROC_LOCK_ASSERT(p, MA_OWNED);
1574 if (td->td_proc == p)
1575 return (0);
1576
1577 /*
1578 * UNIX signalling semantics require that processes in the same
1579 * session always be able to deliver SIGCONT to one another,
1580 * overriding the remaining protections.
1581 */
1582 /* XXX: This will require an additional lock of some sort. */
1583 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1584 return (0);
1585 /*
1586 * Some compat layers use SIGTHR and higher signals for
1587 * communication between different kernel threads of the same
1588 * process, so that they expect that it's always possible to
1589 * deliver them, even for suid applications where cr_cansignal() can
1590 * deny such ability for security consideration. It should be
1591 * pretty safe to do since the only way to create two processes
1592 * with the same p_leader is via rfork(2).
1593 */
1594 if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
1595 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
1596 return (0);
1597
1598 return (cr_cansignal(td->td_ucred, p, signum));
1599 }
1600
1601 /*-
1602 * Determine whether td may reschedule p.
1603 * Returns: 0 for permitted, an errno value otherwise
1604 * Locks: Sufficient locks to protect various components of td and p
1605 * must be held. td must be curthread, and a lock must
1606 * be held for p.
1607 * References: td and p must be valid for the lifetime of the call
1608 */
1609 int
1610 p_cansched(struct thread *td, struct proc *p)
1611 {
1612 int error;
1613
1614 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1615 PROC_LOCK_ASSERT(p, MA_OWNED);
1616 if (td->td_proc == p)
1617 return (0);
1618 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1619 return (error);
1620 #ifdef MAC
1621 if ((error = mac_proc_check_sched(td->td_ucred, p)))
1622 return (error);
1623 #endif
1624 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
1625 return (error);
1626 if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
1627 return (error);
1628 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
1629 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
1630 error = priv_check(td, PRIV_SCHED_DIFFCRED);
1631 if (error)
1632 return (error);
1633 }
1634 return (0);
1635 }
1636
1637 /*
1638 * Handle getting or setting the prison's unprivileged_proc_debug
1639 * value.
1640 */
1641 static int
1642 sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)
1643 {
1644 int error, val;
1645
1646 val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG);
1647 error = sysctl_handle_int(oidp, &val, 0, req);
1648 if (error != 0 || req->newptr == NULL)
1649 return (error);
1650 if (val != 0 && val != 1)
1651 return (EINVAL);
1652 prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val);
1653 return (0);
1654 }
1655
1656 /*
1657 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1658 * unprivileged inter-process debugging services, including some procfs
1659 * functionality, ptrace(), and ktrace(). In the past, inter-process
1660 * debugging has been involved in a variety of security problems, and sites
1661 * not requiring the service might choose to disable it when hardening
1662 * systems.
1663 */
1664 SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug,
1665 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE |
1666 CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I",
1667 "Unprivileged processes may use process debugging facilities");
1668
1669 /*-
1670 * Determine whether td may debug p.
1671 * Returns: 0 for permitted, an errno value otherwise
1672 * Locks: Sufficient locks to protect various components of td and p
1673 * must be held. td must be curthread, and a lock must
1674 * be held for p.
1675 * References: td and p must be valid for the lifetime of the call
1676 */
1677 int
1678 p_candebug(struct thread *td, struct proc *p)
1679 {
1680 int credentialchanged, error, grpsubset, i, uidsubset;
1681
1682 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1683 PROC_LOCK_ASSERT(p, MA_OWNED);
1684 if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
1685 return (error);
1686 if (td->td_proc == p)
1687 return (0);
1688 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1689 return (error);
1690 #ifdef MAC
1691 if ((error = mac_proc_check_debug(td->td_ucred, p)))
1692 return (error);
1693 #endif
1694 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
1695 return (error);
1696 if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
1697 return (error);
1698
1699 /*
1700 * Is p's group set a subset of td's effective group set? This
1701 * includes p's egid, group access list, rgid, and svgid.
1702 */
1703 grpsubset = 1;
1704 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1705 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1706 grpsubset = 0;
1707 break;
1708 }
1709 }
1710 grpsubset = grpsubset &&
1711 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1712 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1713
1714 /*
1715 * Are the uids present in p's credential equal to td's
1716 * effective uid? This includes p's euid, svuid, and ruid.
1717 */
1718 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1719 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1720 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1721
1722 /*
1723 * Has the credential of the process changed since the last exec()?
1724 */
1725 credentialchanged = (p->p_flag & P_SUGID);
1726
1727 /*
1728 * If p's gids aren't a subset, or the uids aren't a subset,
1729 * or the credential has changed, require appropriate privilege
1730 * for td to debug p.
1731 */
1732 if (!grpsubset || !uidsubset) {
1733 error = priv_check(td, PRIV_DEBUG_DIFFCRED);
1734 if (error)
1735 return (error);
1736 }
1737
1738 if (credentialchanged) {
1739 error = priv_check(td, PRIV_DEBUG_SUGID);
1740 if (error)
1741 return (error);
1742 }
1743
1744 /* Can't trace init when securelevel > 0. */
1745 if (p == initproc) {
1746 error = securelevel_gt(td->td_ucred, 0);
1747 if (error)
1748 return (error);
1749 }
1750
1751 /*
1752 * Can't trace a process that's currently exec'ing.
1753 *
1754 * XXX: Note, this is not a security policy decision, it's a
1755 * basic correctness/functionality decision. Therefore, this check
1756 * should be moved to the caller's of p_candebug().
1757 */
1758 if ((p->p_flag & P_INEXEC) != 0)
1759 return (EBUSY);
1760
1761 /* Denied explicitely */
1762 if ((p->p_flag2 & P2_NOTRACE) != 0) {
1763 error = priv_check(td, PRIV_DEBUG_DENIED);
1764 if (error != 0)
1765 return (error);
1766 }
1767
1768 return (0);
1769 }
1770
1771 /*-
1772 * Determine whether the subject represented by cred can "see" a socket.
1773 * Returns: 0 for permitted, ENOENT otherwise.
1774 */
1775 int
1776 cr_canseesocket(struct ucred *cred, struct socket *so)
1777 {
1778 int error;
1779
1780 error = prison_check(cred, so->so_cred);
1781 if (error)
1782 return (ENOENT);
1783 #ifdef MAC
1784 error = mac_socket_check_visible(cred, so);
1785 if (error)
1786 return (error);
1787 #endif
1788 if (cr_canseeotheruids(cred, so->so_cred))
1789 return (ENOENT);
1790 if (cr_canseeothergids(cred, so->so_cred))
1791 return (ENOENT);
1792
1793 return (0);
1794 }
1795
1796 /*-
1797 * Determine whether td can wait for the exit of p.
1798 * Returns: 0 for permitted, an errno value otherwise
1799 * Locks: Sufficient locks to protect various components of td and p
1800 * must be held. td must be curthread, and a lock must
1801 * be held for p.
1802 * References: td and p must be valid for the lifetime of the call
1803
1804 */
1805 int
1806 p_canwait(struct thread *td, struct proc *p)
1807 {
1808 int error;
1809
1810 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1811 PROC_LOCK_ASSERT(p, MA_OWNED);
1812 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1813 return (error);
1814 #ifdef MAC
1815 if ((error = mac_proc_check_wait(td->td_ucred, p)))
1816 return (error);
1817 #endif
1818 #if 0
1819 /* XXXMAC: This could have odd effects on some shells. */
1820 if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
1821 return (error);
1822 #endif
1823
1824 return (0);
1825 }
1826
1827 /*
1828 * Credential management.
1829 *
1830 * struct ucred objects are rarely allocated but gain and lose references all
1831 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into
1832 * a significant source of cache-line ping ponging. Common cases are worked
1833 * around by modifying thread-local counter instead if the cred to operate on
1834 * matches td_realucred.
1835 *
1836 * The counter is split into 2 parts:
1837 * - cr_users -- total count of all struct proc and struct thread objects
1838 * which have given cred in p_ucred and td_ucred respectively
1839 * - cr_ref -- the actual ref count, only valid if cr_users == 0
1840 *
1841 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if
1842 * the count reaches 0 the object is freeable.
1843 * If users > 0 and curthread->td_realucred == cred, then updates are performed
1844 * against td_ucredref.
1845 * In other cases updates are performed against cr_ref.
1846 *
1847 * Changing td_realucred into something else decrements cr_users and transfers
1848 * accumulated updates.
1849 */
1850 struct ucred *
1851 crcowget(struct ucred *cr)
1852 {
1853
1854 mtx_lock(&cr->cr_mtx);
1855 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
1856 __func__, cr->cr_users, cr));
1857 cr->cr_users++;
1858 cr->cr_ref++;
1859 mtx_unlock(&cr->cr_mtx);
1860 return (cr);
1861 }
1862
1863 static struct ucred *
1864 crunuse(struct thread *td)
1865 {
1866 struct ucred *cr, *crold;
1867
1868 MPASS(td->td_realucred == td->td_ucred);
1869 cr = td->td_realucred;
1870 mtx_lock(&cr->cr_mtx);
1871 cr->cr_ref += td->td_ucredref;
1872 td->td_ucredref = 0;
1873 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
1874 __func__, cr->cr_users, cr));
1875 cr->cr_users--;
1876 if (cr->cr_users == 0) {
1877 KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p",
1878 __func__, cr->cr_ref, cr));
1879 crold = cr;
1880 } else {
1881 cr->cr_ref--;
1882 crold = NULL;
1883 }
1884 mtx_unlock(&cr->cr_mtx);
1885 td->td_realucred = NULL;
1886 return (crold);
1887 }
1888
1889 static void
1890 crunusebatch(struct ucred *cr, int users, int ref)
1891 {
1892
1893 KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p",
1894 __func__, users, cr));
1895 mtx_lock(&cr->cr_mtx);
1896 KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p",
1897 __func__, cr->cr_users, users, cr));
1898 cr->cr_users -= users;
1899 cr->cr_ref += ref;
1900 cr->cr_ref -= users;
1901 if (cr->cr_users > 0) {
1902 mtx_unlock(&cr->cr_mtx);
1903 return;
1904 }
1905 KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p",
1906 __func__, cr->cr_ref, cr));
1907 if (cr->cr_ref > 0) {
1908 mtx_unlock(&cr->cr_mtx);
1909 return;
1910 }
1911 crfree_final(cr);
1912 }
1913
1914 void
1915 crcowfree(struct thread *td)
1916 {
1917 struct ucred *cr;
1918
1919 cr = crunuse(td);
1920 if (cr != NULL)
1921 crfree(cr);
1922 }
1923
1924 struct ucred *
1925 crcowsync(void)
1926 {
1927 struct thread *td;
1928 struct proc *p;
1929 struct ucred *crnew, *crold;
1930
1931 td = curthread;
1932 p = td->td_proc;
1933 PROC_LOCK_ASSERT(p, MA_OWNED);
1934
1935 MPASS(td->td_realucred == td->td_ucred);
1936 if (td->td_realucred == p->p_ucred)
1937 return (NULL);
1938
1939 crnew = crcowget(p->p_ucred);
1940 crold = crunuse(td);
1941 td->td_realucred = crnew;
1942 td->td_ucred = td->td_realucred;
1943 return (crold);
1944 }
1945
1946 /*
1947 * Batching.
1948 */
1949 void
1950 credbatch_add(struct credbatch *crb, struct thread *td)
1951 {
1952 struct ucred *cr;
1953
1954 MPASS(td->td_realucred != NULL);
1955 MPASS(td->td_realucred == td->td_ucred);
1956 MPASS(td->td_state == TDS_INACTIVE);
1957 cr = td->td_realucred;
1958 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
1959 __func__, cr->cr_users, cr));
1960 if (crb->cred != cr) {
1961 if (crb->users > 0) {
1962 MPASS(crb->cred != NULL);
1963 crunusebatch(crb->cred, crb->users, crb->ref);
1964 crb->users = 0;
1965 crb->ref = 0;
1966 }
1967 }
1968 crb->cred = cr;
1969 crb->users++;
1970 crb->ref += td->td_ucredref;
1971 td->td_ucredref = 0;
1972 td->td_realucred = NULL;
1973 }
1974
1975 void
1976 credbatch_final(struct credbatch *crb)
1977 {
1978
1979 MPASS(crb->cred != NULL);
1980 MPASS(crb->users > 0);
1981 crunusebatch(crb->cred, crb->users, crb->ref);
1982 }
1983
1984 /*
1985 * Allocate a zeroed cred structure.
1986 */
1987 struct ucred *
1988 crget(void)
1989 {
1990 struct ucred *cr;
1991
1992 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1993 mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF);
1994 cr->cr_ref = 1;
1995 #ifdef AUDIT
1996 audit_cred_init(cr);
1997 #endif
1998 #ifdef MAC
1999 mac_cred_init(cr);
2000 #endif
2001 cr->cr_groups = cr->cr_smallgroups;
2002 cr->cr_agroups =
2003 sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]);
2004 return (cr);
2005 }
2006
2007 /*
2008 * Claim another reference to a ucred structure.
2009 */
2010 struct ucred *
2011 crhold(struct ucred *cr)
2012 {
2013 struct thread *td;
2014
2015 td = curthread;
2016 if (__predict_true(td->td_realucred == cr)) {
2017 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2018 __func__, cr->cr_users, cr));
2019 td->td_ucredref++;
2020 return (cr);
2021 }
2022 mtx_lock(&cr->cr_mtx);
2023 cr->cr_ref++;
2024 mtx_unlock(&cr->cr_mtx);
2025 return (cr);
2026 }
2027
2028 /*
2029 * Free a cred structure. Throws away space when ref count gets to 0.
2030 */
2031 void
2032 crfree(struct ucred *cr)
2033 {
2034 struct thread *td;
2035
2036 td = curthread;
2037 if (__predict_true(td->td_realucred == cr)) {
2038 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2039 __func__, cr->cr_users, cr));
2040 td->td_ucredref--;
2041 return;
2042 }
2043 mtx_lock(&cr->cr_mtx);
2044 KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p",
2045 __func__, cr->cr_users, cr));
2046 cr->cr_ref--;
2047 if (cr->cr_users > 0) {
2048 mtx_unlock(&cr->cr_mtx);
2049 return;
2050 }
2051 KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p",
2052 __func__, cr->cr_ref, cr));
2053 if (cr->cr_ref > 0) {
2054 mtx_unlock(&cr->cr_mtx);
2055 return;
2056 }
2057 crfree_final(cr);
2058 }
2059
2060 static void
2061 crfree_final(struct ucred *cr)
2062 {
2063
2064 KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
2065 __func__, cr->cr_users, cr));
2066 KASSERT(cr->cr_ref == 0, ("%s: ref %d not == 0 on cred %p",
2067 __func__, cr->cr_ref, cr));
2068
2069 /*
2070 * Some callers of crget(), such as nfs_statfs(), allocate a temporary
2071 * credential, but don't allocate a uidinfo structure.
2072 */
2073 if (cr->cr_uidinfo != NULL)
2074 uifree(cr->cr_uidinfo);
2075 if (cr->cr_ruidinfo != NULL)
2076 uifree(cr->cr_ruidinfo);
2077 if (cr->cr_prison != NULL)
2078 prison_free(cr->cr_prison);
2079 if (cr->cr_loginclass != NULL)
2080 loginclass_free(cr->cr_loginclass);
2081 #ifdef AUDIT
2082 audit_cred_destroy(cr);
2083 #endif
2084 #ifdef MAC
2085 mac_cred_destroy(cr);
2086 #endif
2087 mtx_destroy(&cr->cr_mtx);
2088 if (cr->cr_groups != cr->cr_smallgroups)
2089 free(cr->cr_groups, M_CRED);
2090 free(cr, M_CRED);
2091 }
2092
2093 /*
2094 * Copy a ucred's contents from a template. Does not block.
2095 */
2096 void
2097 crcopy(struct ucred *dest, struct ucred *src)
2098 {
2099
2100 KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred"));
2101 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
2102 (unsigned)((caddr_t)&src->cr_endcopy -
2103 (caddr_t)&src->cr_startcopy));
2104 crsetgroups(dest, src->cr_ngroups, src->cr_groups);
2105 uihold(dest->cr_uidinfo);
2106 uihold(dest->cr_ruidinfo);
2107 prison_hold(dest->cr_prison);
2108 loginclass_hold(dest->cr_loginclass);
2109 #ifdef AUDIT
2110 audit_cred_copy(src, dest);
2111 #endif
2112 #ifdef MAC
2113 mac_cred_copy(src, dest);
2114 #endif
2115 }
2116
2117 /*
2118 * Dup cred struct to a new held one.
2119 */
2120 struct ucred *
2121 crdup(struct ucred *cr)
2122 {
2123 struct ucred *newcr;
2124
2125 newcr = crget();
2126 crcopy(newcr, cr);
2127 return (newcr);
2128 }
2129
2130 /*
2131 * Fill in a struct xucred based on a struct ucred.
2132 */
2133 void
2134 cru2x(struct ucred *cr, struct xucred *xcr)
2135 {
2136 int ngroups;
2137
2138 bzero(xcr, sizeof(*xcr));
2139 xcr->cr_version = XUCRED_VERSION;
2140 xcr->cr_uid = cr->cr_uid;
2141
2142 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS);
2143 xcr->cr_ngroups = ngroups;
2144 bcopy(cr->cr_groups, xcr->cr_groups,
2145 ngroups * sizeof(*cr->cr_groups));
2146 }
2147
2148 void
2149 cru2xt(struct thread *td, struct xucred *xcr)
2150 {
2151
2152 cru2x(td->td_ucred, xcr);
2153 xcr->cr_pid = td->td_proc->p_pid;
2154 }
2155
2156 /*
2157 * Set initial process credentials.
2158 * Callers are responsible for providing the reference for provided credentials.
2159 */
2160 void
2161 proc_set_cred_init(struct proc *p, struct ucred *newcred)
2162 {
2163
2164 p->p_ucred = crcowget(newcred);
2165 }
2166
2167 /*
2168 * Change process credentials.
2169 * Callers are responsible for providing the reference for passed credentials
2170 * and for freeing old ones.
2171 *
2172 * Process has to be locked except when it does not have credentials (as it
2173 * should not be visible just yet) or when newcred is NULL (as this can be
2174 * only used when the process is about to be freed, at which point it should
2175 * not be visible anymore).
2176 */
2177 void
2178 proc_set_cred(struct proc *p, struct ucred *newcred)
2179 {
2180 struct ucred *cr;
2181
2182 cr = p->p_ucred;
2183 MPASS(cr != NULL);
2184 PROC_LOCK_ASSERT(p, MA_OWNED);
2185 KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p",
2186 __func__, newcred->cr_users, newcred));
2187 mtx_lock(&cr->cr_mtx);
2188 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2189 __func__, cr->cr_users, cr));
2190 cr->cr_users--;
2191 mtx_unlock(&cr->cr_mtx);
2192 p->p_ucred = newcred;
2193 newcred->cr_users = 1;
2194 PROC_UPDATE_COW(p);
2195 }
2196
2197 void
2198 proc_unset_cred(struct proc *p)
2199 {
2200 struct ucred *cr;
2201
2202 MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW);
2203 cr = p->p_ucred;
2204 p->p_ucred = NULL;
2205 KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
2206 __func__, cr->cr_users, cr));
2207 mtx_lock(&cr->cr_mtx);
2208 cr->cr_users--;
2209 if (cr->cr_users == 0)
2210 KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p",
2211 __func__, cr->cr_ref, cr));
2212 mtx_unlock(&cr->cr_mtx);
2213 crfree(cr);
2214 }
2215
2216 struct ucred *
2217 crcopysafe(struct proc *p, struct ucred *cr)
2218 {
2219 struct ucred *oldcred;
2220 int groups;
2221
2222 PROC_LOCK_ASSERT(p, MA_OWNED);
2223
2224 oldcred = p->p_ucred;
2225 while (cr->cr_agroups < oldcred->cr_agroups) {
2226 groups = oldcred->cr_agroups;
2227 PROC_UNLOCK(p);
2228 crextend(cr, groups);
2229 PROC_LOCK(p);
2230 oldcred = p->p_ucred;
2231 }
2232 crcopy(cr, oldcred);
2233
2234 return (oldcred);
2235 }
2236
2237 /*
2238 * Extend the passed in credential to hold n items.
2239 */
2240 void
2241 crextend(struct ucred *cr, int n)
2242 {
2243 int cnt;
2244
2245 /* Truncate? */
2246 if (n <= cr->cr_agroups)
2247 return;
2248
2249 /*
2250 * We extend by 2 each time since we're using a power of two
2251 * allocator until we need enough groups to fill a page.
2252 * Once we're allocating multiple pages, only allocate as many
2253 * as we actually need. The case of processes needing a
2254 * non-power of two number of pages seems more likely than
2255 * a real world process that adds thousands of groups one at a
2256 * time.
2257 */
2258 if ( n < PAGE_SIZE / sizeof(gid_t) ) {
2259 if (cr->cr_agroups == 0)
2260 cnt = MAX(1, MINALLOCSIZE / sizeof(gid_t));
2261 else
2262 cnt = cr->cr_agroups * 2;
2263
2264 while (cnt < n)
2265 cnt *= 2;
2266 } else
2267 cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t));
2268
2269 /* Free the old array. */
2270 if (cr->cr_groups != cr->cr_smallgroups)
2271 free(cr->cr_groups, M_CRED);
2272
2273 cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO);
2274 cr->cr_agroups = cnt;
2275 }
2276
2277 /*
2278 * Copy groups in to a credential, preserving any necessary invariants.
2279 * Currently this includes the sorting of all supplemental gids.
2280 * crextend() must have been called before hand to ensure sufficient
2281 * space is available.
2282 */
2283 static void
2284 crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups)
2285 {
2286 int i;
2287 int j;
2288 gid_t g;
2289
2290 KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small"));
2291
2292 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t));
2293 cr->cr_ngroups = ngrp;
2294
2295 /*
2296 * Sort all groups except cr_groups[0] to allow groupmember to
2297 * perform a binary search.
2298 *
2299 * XXX: If large numbers of groups become common this should
2300 * be replaced with shell sort like linux uses or possibly
2301 * heap sort.
2302 */
2303 for (i = 2; i < ngrp; i++) {
2304 g = cr->cr_groups[i];
2305 for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--)
2306 cr->cr_groups[j + 1] = cr->cr_groups[j];
2307 cr->cr_groups[j + 1] = g;
2308 }
2309 }
2310
2311 /*
2312 * Copy groups in to a credential after expanding it if required.
2313 * Truncate the list to (ngroups_max + 1) if it is too large.
2314 */
2315 void
2316 crsetgroups(struct ucred *cr, int ngrp, gid_t *groups)
2317 {
2318
2319 if (ngrp > ngroups_max + 1)
2320 ngrp = ngroups_max + 1;
2321
2322 crextend(cr, ngrp);
2323 crsetgroups_locked(cr, ngrp, groups);
2324 }
2325
2326 /*
2327 * Get login name, if available.
2328 */
2329 #ifndef _SYS_SYSPROTO_H_
2330 struct getlogin_args {
2331 char *namebuf;
2332 u_int namelen;
2333 };
2334 #endif
2335 /* ARGSUSED */
2336 int
2337 sys_getlogin(struct thread *td, struct getlogin_args *uap)
2338 {
2339 char login[MAXLOGNAME];
2340 struct proc *p = td->td_proc;
2341 size_t len;
2342
2343 if (uap->namelen > MAXLOGNAME)
2344 uap->namelen = MAXLOGNAME;
2345 PROC_LOCK(p);
2346 SESS_LOCK(p->p_session);
2347 len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
2348 SESS_UNLOCK(p->p_session);
2349 PROC_UNLOCK(p);
2350 if (len > uap->namelen)
2351 return (ERANGE);
2352 return (copyout(login, uap->namebuf, len));
2353 }
2354
2355 /*
2356 * Set login name.
2357 */
2358 #ifndef _SYS_SYSPROTO_H_
2359 struct setlogin_args {
2360 char *namebuf;
2361 };
2362 #endif
2363 /* ARGSUSED */
2364 int
2365 sys_setlogin(struct thread *td, struct setlogin_args *uap)
2366 {
2367 struct proc *p = td->td_proc;
2368 int error;
2369 char logintmp[MAXLOGNAME];
2370
2371 CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
2372
2373 error = priv_check(td, PRIV_PROC_SETLOGIN);
2374 if (error)
2375 return (error);
2376 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2377 if (error != 0) {
2378 if (error == ENAMETOOLONG)
2379 error = EINVAL;
2380 return (error);
2381 }
2382 AUDIT_ARG_LOGIN(logintmp);
2383 PROC_LOCK(p);
2384 SESS_LOCK(p->p_session);
2385 strcpy(p->p_session->s_login, logintmp);
2386 SESS_UNLOCK(p->p_session);
2387 PROC_UNLOCK(p);
2388 return (0);
2389 }
2390
2391 void
2392 setsugid(struct proc *p)
2393 {
2394
2395 PROC_LOCK_ASSERT(p, MA_OWNED);
2396 p->p_flag |= P_SUGID;
2397 }
2398
2399 /*-
2400 * Change a process's effective uid.
2401 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
2402 * References: newcred must be an exclusive credential reference for the
2403 * duration of the call.
2404 */
2405 void
2406 change_euid(struct ucred *newcred, struct uidinfo *euip)
2407 {
2408
2409 newcred->cr_uid = euip->ui_uid;
2410 uihold(euip);
2411 uifree(newcred->cr_uidinfo);
2412 newcred->cr_uidinfo = euip;
2413 }
2414
2415 /*-
2416 * Change a process's effective gid.
2417 * Side effects: newcred->cr_gid will be modified.
2418 * References: newcred must be an exclusive credential reference for the
2419 * duration of the call.
2420 */
2421 void
2422 change_egid(struct ucred *newcred, gid_t egid)
2423 {
2424
2425 newcred->cr_groups[0] = egid;
2426 }
2427
2428 /*-
2429 * Change a process's real uid.
2430 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
2431 * will be updated, and the old and new cr_ruidinfo proc
2432 * counts will be updated.
2433 * References: newcred must be an exclusive credential reference for the
2434 * duration of the call.
2435 */
2436 void
2437 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
2438 {
2439
2440 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
2441 newcred->cr_ruid = ruip->ui_uid;
2442 uihold(ruip);
2443 uifree(newcred->cr_ruidinfo);
2444 newcred->cr_ruidinfo = ruip;
2445 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2446 }
2447
2448 /*-
2449 * Change a process's real gid.
2450 * Side effects: newcred->cr_rgid will be updated.
2451 * References: newcred must be an exclusive credential reference for the
2452 * duration of the call.
2453 */
2454 void
2455 change_rgid(struct ucred *newcred, gid_t rgid)
2456 {
2457
2458 newcred->cr_rgid = rgid;
2459 }
2460
2461 /*-
2462 * Change a process's saved uid.
2463 * Side effects: newcred->cr_svuid will be updated.
2464 * References: newcred must be an exclusive credential reference for the
2465 * duration of the call.
2466 */
2467 void
2468 change_svuid(struct ucred *newcred, uid_t svuid)
2469 {
2470
2471 newcred->cr_svuid = svuid;
2472 }
2473
2474 /*-
2475 * Change a process's saved gid.
2476 * Side effects: newcred->cr_svgid will be updated.
2477 * References: newcred must be an exclusive credential reference for the
2478 * duration of the call.
2479 */
2480 void
2481 change_svgid(struct ucred *newcred, gid_t svgid)
2482 {
2483
2484 newcred->cr_svgid = svgid;
2485 }
Cache object: b0eff671ebb01ee05b1ed388fe030dde
|