kern_prot.c (163606) kern_prot.c (164032)
1/*-
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.

--- 26 unchanged lines hidden (view full) ---

35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
36 */
37
38/*
39 * System calls related to processes and protection
40 */
41
42#include <sys/cdefs.h>
1/*-
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.

--- 26 unchanged lines hidden (view full) ---

35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
36 */
37
38/*
39 * System calls related to processes and protection
40 */
41
42#include <sys/cdefs.h>
43__FBSDID("$FreeBSD: head/sys/kern/kern_prot.c 163606 2006-10-22 11:52:19Z rwatson $");
43__FBSDID("$FreeBSD: head/sys/kern/kern_prot.c 164032 2006-11-06 13:37:19Z rwatson $");
44
45#include "opt_compat.h"
46#include "opt_mac.h"
47
48#include <sys/param.h>
49#include <sys/systm.h>
50#include <sys/acct.h>
51#include <sys/kdb.h>
52#include <sys/kernel.h>
53#include <sys/lock.h>
54#include <sys/malloc.h>
55#include <sys/mutex.h>
56#include <sys/refcount.h>
57#include <sys/sx.h>
44
45#include "opt_compat.h"
46#include "opt_mac.h"
47
48#include <sys/param.h>
49#include <sys/systm.h>
50#include <sys/acct.h>
51#include <sys/kdb.h>
52#include <sys/kernel.h>
53#include <sys/lock.h>
54#include <sys/malloc.h>
55#include <sys/mutex.h>
56#include <sys/refcount.h>
57#include <sys/sx.h>
58#include <sys/priv.h>
58#include <sys/proc.h>
59#include <sys/sysproto.h>
60#include <sys/jail.h>
61#include <sys/pioctl.h>
62#include <sys/resourcevar.h>
63#include <sys/socket.h>
64#include <sys/socketvar.h>
65#include <sys/syscallsubr.h>

--- 476 unchanged lines hidden (view full) ---

542 */
543 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
544#ifdef _POSIX_SAVED_IDS
545 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
546#endif
547#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
548 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
549#endif
59#include <sys/proc.h>
60#include <sys/sysproto.h>
61#include <sys/jail.h>
62#include <sys/pioctl.h>
63#include <sys/resourcevar.h>
64#include <sys/socket.h>
65#include <sys/socketvar.h>
66#include <sys/syscallsubr.h>

--- 476 unchanged lines hidden (view full) ---

543 */
544 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
545#ifdef _POSIX_SAVED_IDS
546 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
547#endif
548#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
549 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
550#endif
550 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
551 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID,
552 SUSER_ALLOWJAIL)) != 0)
551 goto fail;
552
553 /*
554 * Copy credentials so other references do not see our changes.
555 */
556 crcopy(newcred, oldcred);
557#ifdef _POSIX_SAVED_IDS
558 /*
559 * Do we have "appropriate privileges" (are we root or uid == euid)
560 * If so, we are changing the real uid and/or saved uid.
561 */
562 if (
563#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
564 uid == oldcred->cr_uid ||
565#endif
553 goto fail;
554
555 /*
556 * Copy credentials so other references do not see our changes.
557 */
558 crcopy(newcred, oldcred);
559#ifdef _POSIX_SAVED_IDS
560 /*
561 * Do we have "appropriate privileges" (are we root or uid == euid)
562 * If so, we are changing the real uid and/or saved uid.
563 */
564 if (
565#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
566 uid == oldcred->cr_uid ||
567#endif
566 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
568 /* We are using privs. */
569 priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0)
567#endif
568 {
569 /*
570 * Set the real uid and transfer proc count to new user.
571 */
572 if (uid != oldcred->cr_ruid) {
573 change_ruid(newcred, uip);
574 setsugid(p);

--- 59 unchanged lines hidden (view full) ---

634#ifdef MAC
635 error = mac_check_proc_seteuid(p, oldcred, euid);
636 if (error)
637 goto fail;
638#endif
639
640 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
641 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
570#endif
571 {
572 /*
573 * Set the real uid and transfer proc count to new user.
574 */
575 if (uid != oldcred->cr_ruid) {
576 change_ruid(newcred, uip);
577 setsugid(p);

--- 59 unchanged lines hidden (view full) ---

637#ifdef MAC
638 error = mac_check_proc_seteuid(p, oldcred, euid);
639 if (error)
640 goto fail;
641#endif
642
643 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
644 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
642 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
645 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID,
646 SUSER_ALLOWJAIL)) != 0)
643 goto fail;
644
645 /*
646 * Everything's okay, do it. Copy credentials so other references do
647 * not see our changes.
648 */
649 crcopy(newcred, oldcred);
650 if (oldcred->cr_uid != euid) {

--- 55 unchanged lines hidden (view full) ---

706 */
707 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
708#ifdef _POSIX_SAVED_IDS
709 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
710#endif
711#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
712 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
713#endif
647 goto fail;
648
649 /*
650 * Everything's okay, do it. Copy credentials so other references do
651 * not see our changes.
652 */
653 crcopy(newcred, oldcred);
654 if (oldcred->cr_uid != euid) {

--- 55 unchanged lines hidden (view full) ---

710 */
711 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
712#ifdef _POSIX_SAVED_IDS
713 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
714#endif
715#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
716 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
717#endif
714 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
718 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID,
719 SUSER_ALLOWJAIL)) != 0)
715 goto fail;
716
717 crcopy(newcred, oldcred);
718#ifdef _POSIX_SAVED_IDS
719 /*
720 * Do we have "appropriate privileges" (are we root or gid == egid)
721 * If so, we are changing the real uid and saved gid.
722 */
723 if (
724#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
725 gid == oldcred->cr_groups[0] ||
726#endif
720 goto fail;
721
722 crcopy(newcred, oldcred);
723#ifdef _POSIX_SAVED_IDS
724 /*
725 * Do we have "appropriate privileges" (are we root or gid == egid)
726 * If so, we are changing the real uid and saved gid.
727 */
728 if (
729#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
730 gid == oldcred->cr_groups[0] ||
731#endif
727 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
732 /* We are using privs. */
733 priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0)
728#endif
729 {
730 /*
731 * Set real gid
732 */
733 if (oldcred->cr_rgid != gid) {
734 change_rgid(newcred, gid);
735 setsugid(p);

--- 55 unchanged lines hidden (view full) ---

791#ifdef MAC
792 error = mac_check_proc_setegid(p, oldcred, egid);
793 if (error)
794 goto fail;
795#endif
796
797 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
798 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
734#endif
735 {
736 /*
737 * Set real gid
738 */
739 if (oldcred->cr_rgid != gid) {
740 change_rgid(newcred, gid);
741 setsugid(p);

--- 55 unchanged lines hidden (view full) ---

797#ifdef MAC
798 error = mac_check_proc_setegid(p, oldcred, egid);
799 if (error)
800 goto fail;
801#endif
802
803 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
804 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
799 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
805 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID,
806 SUSER_ALLOWJAIL)) != 0)
800 goto fail;
801
802 crcopy(newcred, oldcred);
803 if (oldcred->cr_groups[0] != egid) {
804 change_egid(newcred, egid);
805 setsugid(p);
806 }
807 p->p_ucred = newcred;

--- 46 unchanged lines hidden (view full) ---

854 oldcred = p->p_ucred;
855
856#ifdef MAC
857 error = mac_check_proc_setgroups(p, oldcred, ngrp, groups);
858 if (error)
859 goto fail;
860#endif
861
807 goto fail;
808
809 crcopy(newcred, oldcred);
810 if (oldcred->cr_groups[0] != egid) {
811 change_egid(newcred, egid);
812 setsugid(p);
813 }
814 p->p_ucred = newcred;

--- 46 unchanged lines hidden (view full) ---

861 oldcred = p->p_ucred;
862
863#ifdef MAC
864 error = mac_check_proc_setgroups(p, oldcred, ngrp, groups);
865 if (error)
866 goto fail;
867#endif
868
862 error = suser_cred(oldcred, SUSER_ALLOWJAIL);
869 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS,
870 SUSER_ALLOWJAIL);
863 if (error)
864 goto fail;
865
866 /*
867 * XXX A little bit lazy here. We could test if anything has
868 * changed before crcopy() and setting P_SUGID.
869 */
870 crcopy(newcred, oldcred);

--- 55 unchanged lines hidden (view full) ---

926 if (error)
927 goto fail;
928#endif
929
930 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
931 ruid != oldcred->cr_svuid) ||
932 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
933 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
871 if (error)
872 goto fail;
873
874 /*
875 * XXX A little bit lazy here. We could test if anything has
876 * changed before crcopy() and setting P_SUGID.
877 */
878 crcopy(newcred, oldcred);

--- 55 unchanged lines hidden (view full) ---

934 if (error)
935 goto fail;
936#endif
937
938 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
939 ruid != oldcred->cr_svuid) ||
940 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
941 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
934 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
942 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID,
943 SUSER_ALLOWJAIL)) != 0)
935 goto fail;
936
937 crcopy(newcred, oldcred);
938 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
939 change_euid(newcred, euip);
940 setsugid(p);
941 }
942 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {

--- 51 unchanged lines hidden (view full) ---

994 if (error)
995 goto fail;
996#endif
997
998 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
999 rgid != oldcred->cr_svgid) ||
1000 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
1001 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
944 goto fail;
945
946 crcopy(newcred, oldcred);
947 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
948 change_euid(newcred, euip);
949 setsugid(p);
950 }
951 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {

--- 51 unchanged lines hidden (view full) ---

1003 if (error)
1004 goto fail;
1005#endif
1006
1007 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1008 rgid != oldcred->cr_svgid) ||
1009 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
1010 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
1002 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1011 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID,
1012 SUSER_ALLOWJAIL)) != 0)
1003 goto fail;
1004
1005 crcopy(newcred, oldcred);
1006 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1007 change_egid(newcred, egid);
1008 setsugid(p);
1009 }
1010 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {

--- 63 unchanged lines hidden (view full) ---

1074 ruid != oldcred->cr_svuid &&
1075 ruid != oldcred->cr_uid) ||
1076 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1077 euid != oldcred->cr_svuid &&
1078 euid != oldcred->cr_uid) ||
1079 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1080 suid != oldcred->cr_svuid &&
1081 suid != oldcred->cr_uid)) &&
1013 goto fail;
1014
1015 crcopy(newcred, oldcred);
1016 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1017 change_egid(newcred, egid);
1018 setsugid(p);
1019 }
1020 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {

--- 63 unchanged lines hidden (view full) ---

1084 ruid != oldcred->cr_svuid &&
1085 ruid != oldcred->cr_uid) ||
1086 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1087 euid != oldcred->cr_svuid &&
1088 euid != oldcred->cr_uid) ||
1089 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1090 suid != oldcred->cr_svuid &&
1091 suid != oldcred->cr_uid)) &&
1082 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1092 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID,
1093 SUSER_ALLOWJAIL)) != 0)
1083 goto fail;
1084
1085 crcopy(newcred, oldcred);
1086 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1087 change_euid(newcred, euip);
1088 setsugid(p);
1089 }
1090 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {

--- 64 unchanged lines hidden (view full) ---

1155 rgid != oldcred->cr_svgid &&
1156 rgid != oldcred->cr_groups[0]) ||
1157 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1158 egid != oldcred->cr_svgid &&
1159 egid != oldcred->cr_groups[0]) ||
1160 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1161 sgid != oldcred->cr_svgid &&
1162 sgid != oldcred->cr_groups[0])) &&
1094 goto fail;
1095
1096 crcopy(newcred, oldcred);
1097 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1098 change_euid(newcred, euip);
1099 setsugid(p);
1100 }
1101 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {

--- 64 unchanged lines hidden (view full) ---

1166 rgid != oldcred->cr_svgid &&
1167 rgid != oldcred->cr_groups[0]) ||
1168 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1169 egid != oldcred->cr_svgid &&
1170 egid != oldcred->cr_groups[0]) ||
1171 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1172 sgid != oldcred->cr_svgid &&
1173 sgid != oldcred->cr_groups[0])) &&
1163 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
1174 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID,
1175 SUSER_ALLOWJAIL)) != 0)
1164 goto fail;
1165
1166 crcopy(newcred, oldcred);
1167 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1168 change_egid(newcred, egid);
1169 setsugid(p);
1170 }
1171 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {

--- 147 unchanged lines hidden (view full) ---

1319 egp = &(cred->cr_groups[cred->cr_ngroups]);
1320 for (gp = cred->cr_groups; gp < egp; gp++)
1321 if (*gp == gid)
1322 return (1);
1323 return (0);
1324}
1325
1326/*
1176 goto fail;
1177
1178 crcopy(newcred, oldcred);
1179 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1180 change_egid(newcred, egid);
1181 setsugid(p);
1182 }
1183 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {

--- 147 unchanged lines hidden (view full) ---

1331 egp = &(cred->cr_groups[cred->cr_ngroups]);
1332 for (gp = cred->cr_groups; gp < egp; gp++)
1333 if (*gp == gid)
1334 return (1);
1335 return (0);
1336}
1337
1338/*
1327 * `suser_enabled' (which can be set by the security.suser_enabled
1328 * sysctl) determines whether the system 'super-user' policy is in effect.
1329 * If it is nonzero, an effective uid of 0 connotes special privilege,
1330 * overriding many mandatory and discretionary protections. If it is zero,
1331 * uid 0 is offered no special privilege in the kernel security policy.
1332 * Setting it to zero may seriously impact the functionality of many
1333 * existing userland programs, and should not be done without careful
1334 * consideration of the consequences.
1335 */
1336int suser_enabled = 1;
1337SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1338 &suser_enabled, 0, "processes with uid 0 have privilege");
1339TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1340
1341/*
1342 * Test whether the specified credentials imply "super-user" privilege.
1343 * Return 0 or EPERM.
1344 */
1345int
1346suser_cred(struct ucred *cred, int flag)
1347{
1348
1349 if (!suser_enabled)
1350 return (EPERM);
1351 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
1352 return (EPERM);
1353 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
1354 return (EPERM);
1355 return (0);
1356}
1357
1358/*
1359 * Shortcut to hide contents of struct td and struct proc from the
1360 * caller, promoting binary compatibility.
1361 */
1362int
1363suser(struct thread *td)
1364{
1365
1366#ifdef INVARIANTS
1367 if (td != curthread) {
1368 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
1369 td, td->td_proc->p_pid, td->td_proc->p_comm,
1370 curthread, curthread->td_proc->p_pid,
1371 curthread->td_proc->p_comm);
1372#ifdef KDB
1373 kdb_backtrace();
1374#endif
1375 }
1376#endif
1377 return (suser_cred(td->td_ucred, 0));
1378}
1379
1380/*
1381 * Test the active securelevel against a given level. securelevel_gt()
1382 * implements (securelevel > level). securelevel_ge() implements
1383 * (securelevel >= level). Note that the logic is inverted -- these
1384 * functions return EPERM on "success" and 0 on "failure".
1385 *
1339 * Test the active securelevel against a given level. securelevel_gt()
1340 * implements (securelevel > level). securelevel_ge() implements
1341 * (securelevel >= level). Note that the logic is inverted -- these
1342 * functions return EPERM on "success" and 0 on "failure".
1343 *
1344 * XXXRW: Possibly since this has to do with privilege, it should move to
1345 * kern_priv.c.
1346 *
1386 * MPSAFE
1387 */
1388int
1389securelevel_gt(struct ucred *cr, int level)
1390{
1391 int active_securelevel;
1392
1393 active_securelevel = securelevel;

--- 36 unchanged lines hidden (view full) ---

1430 * References: *u1 and *u2 must not change during the call
1431 * u1 may equal u2, in which case only one reference is required
1432 */
1433static int
1434cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1435{
1436
1437 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1347 * MPSAFE
1348 */
1349int
1350securelevel_gt(struct ucred *cr, int level)
1351{
1352 int active_securelevel;
1353
1354 active_securelevel = securelevel;

--- 36 unchanged lines hidden (view full) ---

1391 * References: *u1 and *u2 must not change during the call
1392 * u1 may equal u2, in which case only one reference is required
1393 */
1394static int
1395cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1396{
1397
1398 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1438 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1399 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL)
1400 != 0)
1439 return (ESRCH);
1440 }
1441 return (0);
1442}
1443
1444/*
1445 * 'see_other_gids' determines whether or not visibility of processes
1446 * and sockets with credentials holding different real gids is possible

--- 22 unchanged lines hidden (view full) ---

1469 match = 0;
1470 for (i = 0; i < u1->cr_ngroups; i++) {
1471 if (groupmember(u1->cr_groups[i], u2))
1472 match = 1;
1473 if (match)
1474 break;
1475 }
1476 if (!match) {
1401 return (ESRCH);
1402 }
1403 return (0);
1404}
1405
1406/*
1407 * 'see_other_gids' determines whether or not visibility of processes
1408 * and sockets with credentials holding different real gids is possible

--- 22 unchanged lines hidden (view full) ---

1431 match = 0;
1432 for (i = 0; i < u1->cr_ngroups; i++) {
1433 if (groupmember(u1->cr_groups[i], u2))
1434 match = 1;
1435 if (match)
1436 break;
1437 }
1438 if (!match) {
1477 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1439 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS,
1440 SUSER_ALLOWJAIL) != 0)
1478 return (ESRCH);
1479 }
1480 }
1481 return (0);
1482}
1483
1484/*-
1485 * Determine if u1 "can see" the subject specified by u2.

--- 100 unchanged lines hidden (view full) ---

1586 case SIGUSR2:
1587 /*
1588 * Generally, permit job and terminal control
1589 * signals.
1590 */
1591 break;
1592 default:
1593 /* Not permitted without privilege. */
1441 return (ESRCH);
1442 }
1443 }
1444 return (0);
1445}
1446
1447/*-
1448 * Determine if u1 "can see" the subject specified by u2.

--- 100 unchanged lines hidden (view full) ---

1549 case SIGUSR2:
1550 /*
1551 * Generally, permit job and terminal control
1552 * signals.
1553 */
1554 break;
1555 default:
1556 /* Not permitted without privilege. */
1594 error = suser_cred(cred, SUSER_ALLOWJAIL);
1557 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID,
1558 SUSER_ALLOWJAIL);
1595 if (error)
1596 return (error);
1597 }
1598 }
1599
1600 /*
1601 * Generally, the target credential's ruid or svuid must match the
1602 * subject credential's ruid or euid.
1603 */
1604 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1605 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1606 cred->cr_uid != proc->p_ucred->cr_ruid &&
1607 cred->cr_uid != proc->p_ucred->cr_svuid) {
1608 /* Not permitted without privilege. */
1559 if (error)
1560 return (error);
1561 }
1562 }
1563
1564 /*
1565 * Generally, the target credential's ruid or svuid must match the
1566 * subject credential's ruid or euid.
1567 */
1568 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1569 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1570 cred->cr_uid != proc->p_ucred->cr_ruid &&
1571 cred->cr_uid != proc->p_ucred->cr_svuid) {
1572 /* Not permitted without privilege. */
1609 error = suser_cred(cred, SUSER_ALLOWJAIL);
1573 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED,
1574 SUSER_ALLOWJAIL);
1610 if (error)
1611 return (error);
1612 }
1613
1614 return (0);
1615}
1616
1575 if (error)
1576 return (error);
1577 }
1578
1579 return (0);
1580}
1581
1617
1618/*-
1619 * Determine whether td may deliver the specified signal to p.
1620 * Returns: 0 for permitted, an errno value otherwise
1621 * Locks: Sufficient locks to protect various components of td and p
1622 * must be held. td must be curthread, and a lock must be
1623 * held for p.
1624 * References: td and p must be valid for the lifetime of the call
1625 */

--- 52 unchanged lines hidden (view full) ---

1678#ifdef MAC
1679 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1680 return (error);
1681#endif
1682 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1683 return (error);
1684 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1685 return (error);
1582/*-
1583 * Determine whether td may deliver the specified signal to p.
1584 * Returns: 0 for permitted, an errno value otherwise
1585 * Locks: Sufficient locks to protect various components of td and p
1586 * must be held. td must be curthread, and a lock must be
1587 * held for p.
1588 * References: td and p must be valid for the lifetime of the call
1589 */

--- 52 unchanged lines hidden (view full) ---

1642#ifdef MAC
1643 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1644 return (error);
1645#endif
1646 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1647 return (error);
1648 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1649 return (error);
1686 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1687 return (0);
1688 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1689 return (0);
1690 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
1691 return (0);
1692
1693#ifdef CAPABILITIES
1694 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
1695 return (0);
1696#endif
1697
1698 return (EPERM);
1650 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
1651 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
1652 error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED,
1653 SUSER_ALLOWJAIL);
1654 if (error)
1655 return (error);
1656 }
1657 return (0);
1699}
1700
1701/*
1702 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1703 * unprivileged inter-process debugging services, including some procfs
1704 * functionality, ptrace(), and ktrace(). In the past, inter-process
1705 * debugging has been involved in a variety of security problems, and sites
1706 * not requiring the service might choose to disable it when hardening

--- 18 unchanged lines hidden (view full) ---

1725int
1726p_candebug(struct thread *td, struct proc *p)
1727{
1728 int credentialchanged, error, grpsubset, i, uidsubset;
1729
1730 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1731 PROC_LOCK_ASSERT(p, MA_OWNED);
1732 if (!unprivileged_proc_debug) {
1658}
1659
1660/*
1661 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1662 * unprivileged inter-process debugging services, including some procfs
1663 * functionality, ptrace(), and ktrace(). In the past, inter-process
1664 * debugging has been involved in a variety of security problems, and sites
1665 * not requiring the service might choose to disable it when hardening

--- 18 unchanged lines hidden (view full) ---

1684int
1685p_candebug(struct thread *td, struct proc *p)
1686{
1687 int credentialchanged, error, grpsubset, i, uidsubset;
1688
1689 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1690 PROC_LOCK_ASSERT(p, MA_OWNED);
1691 if (!unprivileged_proc_debug) {
1733 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1692 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV,
1693 SUSER_ALLOWJAIL);
1734 if (error)
1735 return (error);
1736 }
1737 if (td->td_proc == p)
1738 return (0);
1739 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1740 return (error);
1741#ifdef MAC

--- 31 unchanged lines hidden (view full) ---

1773 /*
1774 * Has the credential of the process changed since the last exec()?
1775 */
1776 credentialchanged = (p->p_flag & P_SUGID);
1777
1778 /*
1779 * If p's gids aren't a subset, or the uids aren't a subset,
1780 * or the credential has changed, require appropriate privilege
1694 if (error)
1695 return (error);
1696 }
1697 if (td->td_proc == p)
1698 return (0);
1699 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1700 return (error);
1701#ifdef MAC

--- 31 unchanged lines hidden (view full) ---

1733 /*
1734 * Has the credential of the process changed since the last exec()?
1735 */
1736 credentialchanged = (p->p_flag & P_SUGID);
1737
1738 /*
1739 * If p's gids aren't a subset, or the uids aren't a subset,
1740 * or the credential has changed, require appropriate privilege
1781 * for td to debug p. For POSIX.1e capabilities, this will
1782 * require CAP_SYS_PTRACE.
1741 * for td to debug p.
1783 */
1742 */
1784 if (!grpsubset || !uidsubset || credentialchanged) {
1785 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1743 if (!grpsubset || !uidsubset) {
1744 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED,
1745 SUSER_ALLOWJAIL);
1786 if (error)
1787 return (error);
1788 }
1789
1746 if (error)
1747 return (error);
1748 }
1749
1750 if (credentialchanged) {
1751 error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID,
1752 SUSER_ALLOWJAIL);
1753 if (error)
1754 return (error);
1755 }
1756
1790 /* Can't trace init when securelevel > 0. */
1791 if (p == initproc) {
1792 error = securelevel_gt(td->td_ucred, 0);
1793 if (error)
1794 return (error);
1795 }
1796
1797 /*
1798 * Can't trace a process that's currently exec'ing.
1757 /* Can't trace init when securelevel > 0. */
1758 if (p == initproc) {
1759 error = securelevel_gt(td->td_ucred, 0);
1760 if (error)
1761 return (error);
1762 }
1763
1764 /*
1765 * Can't trace a process that's currently exec'ing.
1766 *
1799 * XXX: Note, this is not a security policy decision, it's a
1800 * basic correctness/functionality decision. Therefore, this check
1801 * should be moved to the caller's of p_candebug().
1802 */
1803 if ((p->p_flag & P_INEXEC) != 0)
1804 return (EAGAIN);
1805
1806 return (0);

--- 245 unchanged lines hidden (view full) ---

2052/* ARGSUSED */
2053int
2054setlogin(struct thread *td, struct setlogin_args *uap)
2055{
2056 struct proc *p = td->td_proc;
2057 int error;
2058 char logintmp[MAXLOGNAME];
2059
1767 * XXX: Note, this is not a security policy decision, it's a
1768 * basic correctness/functionality decision. Therefore, this check
1769 * should be moved to the caller's of p_candebug().
1770 */
1771 if ((p->p_flag & P_INEXEC) != 0)
1772 return (EAGAIN);
1773
1774 return (0);

--- 245 unchanged lines hidden (view full) ---

2020/* ARGSUSED */
2021int
2022setlogin(struct thread *td, struct setlogin_args *uap)
2023{
2024 struct proc *p = td->td_proc;
2025 int error;
2026 char logintmp[MAXLOGNAME];
2027
2060 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
2028 error = priv_check_cred(td->td_ucred, PRIV_PROC_SETLOGIN,
2029 SUSER_ALLOWJAIL);
2061 if (error)
2062 return (error);
2063 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2064 if (error == ENAMETOOLONG)
2065 error = EINVAL;
2066 else if (!error) {
2067 PROC_LOCK(p);
2068 SESS_LOCK(p->p_session);

--- 105 unchanged lines hidden ---
2030 if (error)
2031 return (error);
2032 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2033 if (error == ENAMETOOLONG)
2034 error = EINVAL;
2035 else if (!error) {
2036 PROC_LOCK(p);
2037 SESS_LOCK(p->p_session);

--- 105 unchanged lines hidden ---
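Review bot: In the new p_candebug() the comment "If p's gids aren't a subset, or the uids aren't a subset, or the credential has changed, require appropriate privilege for td to debug p." still describes the old single suser check, but the code below it now performs two separate checks with two distinct privileges (`PRIV_DEBUG_DIFFCRED` for the subset test, `PRIV_DEBUG_SUGID` for `credentialchanged`), and a target that is both sugid and differently-credentialed must pass both. The comment above the first `if` should be narrowed to the subset case, e.g. `/* If p's gids or uids are not a subset of td's, require privilege to debug a differently-credentialed process. */`, and the second check should get its own, e.g. `/* If p's credential changed since its last exec (P_SUGID), require a separate privilege. */`, since the split is what makes the two privileges independently grantable and a reader of the first comment would otherwise expect one check. The same file also removes the `suser_enabled` sysctl/tunable and `suser()`/`suser_cred()` from kern_prot.c; presumably they moved to kern_priv.c alongside `priv_check_cred()`, but that is not visible here and worth confirming so `security.bsd.suser_enabled` does not silently disappear. The body of p_candebug() continues through a hidden stretch of the section.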