kern_prot.c (210225) | kern_prot.c (210226) |
---|---|
1/*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. 4 * (c) UNIX System Laboratories, Inc. 5 * Copyright (c) 2000-2001 Robert N. M. Watson. 6 * All rights reserved. 7 * 8 * All or some portions of this file are derived from material licensed --- 28 unchanged lines hidden (view full) --- 37 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38 */ 39 40/* 41 * System calls related to processes and protection 42 */ 43 44#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. 4 * (c) UNIX System Laboratories, Inc. 5 * Copyright (c) 2000-2001 Robert N. M. Watson. 6 * All rights reserved. 7 * 8 * All or some portions of this file are derived from material licensed --- 28 unchanged lines hidden (view full) --- 37 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38 */ 39 40/* 41 * System calls related to processes and protection 42 */ 43 44#include <sys/cdefs.h> |
45__FBSDID("$FreeBSD: head/sys/kern/kern_prot.c 210225 2010-07-18 20:23:10Z trasz $"); | 45__FBSDID("$FreeBSD: head/sys/kern/kern_prot.c 210226 2010-07-18 20:57:53Z trasz $"); |
46 47#include "opt_compat.h" 48#include "opt_inet.h" 49#include "opt_inet6.h" 50 51#include <sys/param.h> 52#include <sys/systm.h> 53#include <sys/acct.h> --- 1257 unchanged lines hidden (view full) --- 1311 * using a variety of system MIBs. 1312 * XXX: data declarations should be together near the beginning of the file. 1313 */ 1314static int see_other_uids = 1; 1315SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1316 &see_other_uids, 0, 1317 "Unprivileged processes may see subjects/objects with different real uid"); 1318 | 46 47#include "opt_compat.h" 48#include "opt_inet.h" 49#include "opt_inet6.h" 50 51#include <sys/param.h> 52#include <sys/systm.h> 53#include <sys/acct.h> --- 1257 unchanged lines hidden (view full) --- 1311 * using a variety of system MIBs. 1312 * XXX: data declarations should be together near the beginning of the file. 1313 */ 1314static int see_other_uids = 1; 1315SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1316 &see_other_uids, 0, 1317 "Unprivileged processes may see subjects/objects with different real uid"); 1318 |
1319/* | 1319/*- |
1320 * Determine if u1 "can see" the subject specified by u2, according to the 1321 * 'see_other_uids' policy. 1322 * Returns: 0 for permitted, ESRCH otherwise 1323 * Locks: none 1324 * References: *u1 and *u2 must not change during the call 1325 * u1 may equal u2, in which case only one reference is required 1326 */ 1327static int --- 42 unchanged lines hidden (view full) --- 1370 if (!match) { 1371 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 1372 return (ESRCH); 1373 } 1374 } 1375 return (0); 1376} 1377 | 1320 * Determine if u1 "can see" the subject specified by u2, according to the 1321 * 'see_other_uids' policy. 1322 * Returns: 0 for permitted, ESRCH otherwise 1323 * Locks: none 1324 * References: *u1 and *u2 must not change during the call 1325 * u1 may equal u2, in which case only one reference is required 1326 */ 1327static int --- 42 unchanged lines hidden (view full) --- 1370 if (!match) { 1371 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 1372 return (ESRCH); 1373 } 1374 } 1375 return (0); 1376} 1377 |
1378/* | 1378/*- |
1379 * Determine if u1 "can see" the subject specified by u2. 1380 * Returns: 0 for permitted, an errno value otherwise 1381 * Locks: none 1382 * References: *u1 and *u2 must not change during the call 1383 * u1 may equal u2, in which case only one reference is required 1384 */ 1385int 1386cr_cansee(struct ucred *u1, struct ucred *u2) --- 8 unchanged lines hidden (view full) --- 1395#endif 1396 if ((error = cr_seeotheruids(u1, u2))) 1397 return (error); 1398 if ((error = cr_seeothergids(u1, u2))) 1399 return (error); 1400 return (0); 1401} 1402 | 1379 * Determine if u1 "can see" the subject specified by u2. 1380 * Returns: 0 for permitted, an errno value otherwise 1381 * Locks: none 1382 * References: *u1 and *u2 must not change during the call 1383 * u1 may equal u2, in which case only one reference is required 1384 */ 1385int 1386cr_cansee(struct ucred *u1, struct ucred *u2) --- 8 unchanged lines hidden (view full) --- 1395#endif 1396 if ((error = cr_seeotheruids(u1, u2))) 1397 return (error); 1398 if ((error = cr_seeothergids(u1, u2))) 1399 return (error); 1400 return (0); 1401} 1402 |
1403/* | 1403/*- |
1404 * Determine if td "can see" the subject specified by p. 1405 * Returns: 0 for permitted, an errno value otherwise 1406 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1407 * should be curthread. 1408 * References: td and p must be valid for the lifetime of the call 1409 */ 1410int 1411p_cansee(struct thread *td, struct proc *p) --- 14 unchanged lines hidden (view full) --- 1426 * may interfere with some applications that expect to be able to 1427 * deliver these signals to peer processes after having given up 1428 * privilege. 1429 */ 1430static int conservative_signals = 1; 1431SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1432 &conservative_signals, 0, "Unprivileged processes prevented from " 1433 "sending certain signals to processes whose credentials have changed"); | 1404 * Determine if td "can see" the subject specified by p. 1405 * Returns: 0 for permitted, an errno value otherwise 1406 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1407 * should be curthread. 1408 * References: td and p must be valid for the lifetime of the call 1409 */ 1410int 1411p_cansee(struct thread *td, struct proc *p) --- 14 unchanged lines hidden (view full) --- 1426 * may interfere with some applications that expect to be able to 1427 * deliver these signals to peer processes after having given up 1428 * privilege. 1429 */ 1430static int conservative_signals = 1; 1431SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1432 &conservative_signals, 0, "Unprivileged processes prevented from " 1433 "sending certain signals to processes whose credentials have changed"); |
1434/* | 1434/*- |
1435 * Determine whether cred may deliver the specified signal to proc. 1436 * Returns: 0 for permitted, an errno value otherwise. 1437 * Locks: A lock must be held for proc. 1438 * References: cred and proc must be valid for the lifetime of the call. 1439 */ 1440int 1441cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1442{ --- 59 unchanged lines hidden (view full) --- 1502 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 1503 if (error) 1504 return (error); 1505 } 1506 1507 return (0); 1508} 1509 | 1435 * Determine whether cred may deliver the specified signal to proc. 1436 * Returns: 0 for permitted, an errno value otherwise. 1437 * Locks: A lock must be held for proc. 1438 * References: cred and proc must be valid for the lifetime of the call. 1439 */ 1440int 1441cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1442{ --- 59 unchanged lines hidden (view full) --- 1502 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 1503 if (error) 1504 return (error); 1505 } 1506 1507 return (0); 1508} 1509 |
1510/* | 1510/*- |
1511 * Determine whether td may deliver the specified signal to p. 1512 * Returns: 0 for permitted, an errno value otherwise 1513 * Locks: Sufficient locks to protect various components of td and p 1514 * must be held. td must be curthread, and a lock must be 1515 * held for p. 1516 * References: td and p must be valid for the lifetime of the call 1517 */ 1518int --- 24 unchanged lines hidden (view full) --- 1543 */ 1544 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1545 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1546 return (0); 1547 1548 return (cr_cansignal(td->td_ucred, p, signum)); 1549} 1550 | 1511 * Determine whether td may deliver the specified signal to p. 1512 * Returns: 0 for permitted, an errno value otherwise 1513 * Locks: Sufficient locks to protect various components of td and p 1514 * must be held. td must be curthread, and a lock must be 1515 * held for p. 1516 * References: td and p must be valid for the lifetime of the call 1517 */ 1518int --- 24 unchanged lines hidden (view full) --- 1543 */ 1544 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1545 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1546 return (0); 1547 1548 return (cr_cansignal(td->td_ucred, p, signum)); 1549} 1550 |
1551/* | 1551/*- |
1552 * Determine whether td may reschedule p. 1553 * Returns: 0 for permitted, an errno value otherwise 1554 * Locks: Sufficient locks to protect various components of td and p 1555 * must be held. td must be curthread, and a lock must 1556 * be held for p. 1557 * References: td and p must be valid for the lifetime of the call 1558 */ 1559int --- 35 unchanged lines hidden (view full) --- 1595 * XXX: Should modifying and reading this variable require locking? 1596 * XXX: data declarations should be together near the beginning of the file. 1597 */ 1598static int unprivileged_proc_debug = 1; 1599SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1600 &unprivileged_proc_debug, 0, 1601 "Unprivileged processes may use process debugging facilities"); 1602 | 1552 * Determine whether td may reschedule p. 1553 * Returns: 0 for permitted, an errno value otherwise 1554 * Locks: Sufficient locks to protect various components of td and p 1555 * must be held. td must be curthread, and a lock must 1556 * be held for p. 1557 * References: td and p must be valid for the lifetime of the call 1558 */ 1559int --- 35 unchanged lines hidden (view full) --- 1595 * XXX: Should modifying and reading this variable require locking? 1596 * XXX: data declarations should be together near the beginning of the file. 1597 */ 1598static int unprivileged_proc_debug = 1; 1599SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1600 &unprivileged_proc_debug, 0, 1601 "Unprivileged processes may use process debugging facilities"); 1602 |
1603/* | 1603/*- |
1604 * Determine whether td may debug p. 1605 * Returns: 0 for permitted, an errno value otherwise 1606 * Locks: Sufficient locks to protect various components of td and p 1607 * must be held. td must be curthread, and a lock must 1608 * be held for p. 1609 * References: td and p must be valid for the lifetime of the call 1610 */ 1611int --- 81 unchanged lines hidden (view full) --- 1693 * should be moved to the caller's of p_candebug(). 1694 */ 1695 if ((p->p_flag & P_INEXEC) != 0) 1696 return (EBUSY); 1697 1698 return (0); 1699} 1700 | 1604 * Determine whether td may debug p. 1605 * Returns: 0 for permitted, an errno value otherwise 1606 * Locks: Sufficient locks to protect various components of td and p 1607 * must be held. td must be curthread, and a lock must 1608 * be held for p. 1609 * References: td and p must be valid for the lifetime of the call 1610 */ 1611int --- 81 unchanged lines hidden (view full) --- 1693 * should be moved to the caller's of p_candebug(). 1694 */ 1695 if ((p->p_flag & P_INEXEC) != 0) 1696 return (EBUSY); 1697 1698 return (0); 1699} 1700 |
1701/* | 1701/*- |
1702 * Determine whether the subject represented by cred can "see" a socket. 1703 * Returns: 0 for permitted, ENOENT otherwise. 1704 */ 1705int 1706cr_canseesocket(struct ucred *cred, struct socket *so) 1707{ 1708 int error; 1709 --- 9 unchanged lines hidden (view full) --- 1719 return (ENOENT); 1720 if (cr_seeothergids(cred, so->so_cred)) 1721 return (ENOENT); 1722 1723 return (0); 1724} 1725 1726#if defined(INET) || defined(INET6) | 1702 * Determine whether the subject represented by cred can "see" a socket. 1703 * Returns: 0 for permitted, ENOENT otherwise. 1704 */ 1705int 1706cr_canseesocket(struct ucred *cred, struct socket *so) 1707{ 1708 int error; 1709 --- 9 unchanged lines hidden (view full) --- 1719 return (ENOENT); 1720 if (cr_seeothergids(cred, so->so_cred)) 1721 return (ENOENT); 1722 1723 return (0); 1724} 1725 1726#if defined(INET) || defined(INET6) |
1727/* | 1727/*- |
1728 * Determine whether the subject represented by cred can "see" a socket. 1729 * Returns: 0 for permitted, ENOENT otherwise. 1730 */ 1731int 1732cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1733{ 1734 int error; 1735 --- 10 unchanged lines hidden (view full) --- 1746 return (ENOENT); 1747 if (cr_seeothergids(cred, inp->inp_cred)) 1748 return (ENOENT); 1749 1750 return (0); 1751} 1752#endif 1753 | 1728 * Determine whether the subject represented by cred can "see" a socket. 1729 * Returns: 0 for permitted, ENOENT otherwise. 1730 */ 1731int 1732cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1733{ 1734 int error; 1735 --- 10 unchanged lines hidden (view full) --- 1746 return (ENOENT); 1747 if (cr_seeothergids(cred, inp->inp_cred)) 1748 return (ENOENT); 1749 1750 return (0); 1751} 1752#endif 1753 |
1754/* | 1754/*- |
1755 * Determine whether td can wait for the exit of p. 1756 * Returns: 0 for permitted, an errno value otherwise 1757 * Locks: Sufficient locks to protect various components of td and p 1758 * must be held. td must be curthread, and a lock must 1759 * be held for p. 1760 * References: td and p must be valid for the lifetime of the call 1761 1762 */ --- 344 unchanged lines hidden (view full) --- 2107{ 2108 2109 PROC_LOCK_ASSERT(p, MA_OWNED); 2110 p->p_flag |= P_SUGID; 2111 if (!(p->p_pfsflags & PF_ISUGID)) 2112 p->p_stops = 0; 2113} 2114 | 1755 * Determine whether td can wait for the exit of p. 1756 * Returns: 0 for permitted, an errno value otherwise 1757 * Locks: Sufficient locks to protect various components of td and p 1758 * must be held. td must be curthread, and a lock must 1759 * be held for p. 1760 * References: td and p must be valid for the lifetime of the call 1761 1762 */ --- 344 unchanged lines hidden (view full) --- 2107{ 2108 2109 PROC_LOCK_ASSERT(p, MA_OWNED); 2110 p->p_flag |= P_SUGID; 2111 if (!(p->p_pfsflags & PF_ISUGID)) 2112 p->p_stops = 0; 2113} 2114 |
2115/* | 2115/*- |
2116 * Change a process's effective uid. 2117 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2118 * References: newcred must be an exclusive credential reference for the 2119 * duration of the call. 2120 */ 2121void 2122change_euid(struct ucred *newcred, struct uidinfo *euip) 2123{ 2124 2125 newcred->cr_uid = euip->ui_uid; 2126 uihold(euip); 2127 uifree(newcred->cr_uidinfo); 2128 newcred->cr_uidinfo = euip; 2129} 2130 | 2116 * Change a process's effective uid. 2117 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2118 * References: newcred must be an exclusive credential reference for the 2119 * duration of the call. 2120 */ 2121void 2122change_euid(struct ucred *newcred, struct uidinfo *euip) 2123{ 2124 2125 newcred->cr_uid = euip->ui_uid; 2126 uihold(euip); 2127 uifree(newcred->cr_uidinfo); 2128 newcred->cr_uidinfo = euip; 2129} 2130 |
2131/* | 2131/*- |
2132 * Change a process's effective gid. 2133 * Side effects: newcred->cr_gid will be modified. 2134 * References: newcred must be an exclusive credential reference for the 2135 * duration of the call. 2136 */ 2137void 2138change_egid(struct ucred *newcred, gid_t egid) 2139{ 2140 2141 newcred->cr_groups[0] = egid; 2142} 2143 | 2132 * Change a process's effective gid. 2133 * Side effects: newcred->cr_gid will be modified. 2134 * References: newcred must be an exclusive credential reference for the 2135 * duration of the call. 2136 */ 2137void 2138change_egid(struct ucred *newcred, gid_t egid) 2139{ 2140 2141 newcred->cr_groups[0] = egid; 2142} 2143 |
2144/* | 2144/*- |
2145 * Change a process's real uid. 2146 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2147 * will be updated, and the old and new cr_ruidinfo proc 2148 * counts will be updated. 2149 * References: newcred must be an exclusive credential reference for the 2150 * duration of the call. 2151 */ 2152void 2153change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2154{ 2155 2156 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2157 newcred->cr_ruid = ruip->ui_uid; 2158 uihold(ruip); 2159 uifree(newcred->cr_ruidinfo); 2160 newcred->cr_ruidinfo = ruip; 2161 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2162} 2163 | 2145 * Change a process's real uid. 2146 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2147 * will be updated, and the old and new cr_ruidinfo proc 2148 * counts will be updated. 2149 * References: newcred must be an exclusive credential reference for the 2150 * duration of the call. 2151 */ 2152void 2153change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2154{ 2155 2156 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2157 newcred->cr_ruid = ruip->ui_uid; 2158 uihold(ruip); 2159 uifree(newcred->cr_ruidinfo); 2160 newcred->cr_ruidinfo = ruip; 2161 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2162} 2163 |
2164/* | 2164/*- |
2165 * Change a process's real gid. 2166 * Side effects: newcred->cr_rgid will be updated. 2167 * References: newcred must be an exclusive credential reference for the 2168 * duration of the call. 2169 */ 2170void 2171change_rgid(struct ucred *newcred, gid_t rgid) 2172{ 2173 2174 newcred->cr_rgid = rgid; 2175} 2176 | 2165 * Change a process's real gid. 2166 * Side effects: newcred->cr_rgid will be updated. 2167 * References: newcred must be an exclusive credential reference for the 2168 * duration of the call. 2169 */ 2170void 2171change_rgid(struct ucred *newcred, gid_t rgid) 2172{ 2173 2174 newcred->cr_rgid = rgid; 2175} 2176 |
2177/* | 2177/*- |
2178 * Change a process's saved uid. 2179 * Side effects: newcred->cr_svuid will be updated. 2180 * References: newcred must be an exclusive credential reference for the 2181 * duration of the call. 2182 */ 2183void 2184change_svuid(struct ucred *newcred, uid_t svuid) 2185{ 2186 2187 newcred->cr_svuid = svuid; 2188} 2189 | 2178 * Change a process's saved uid. 2179 * Side effects: newcred->cr_svuid will be updated. 2180 * References: newcred must be an exclusive credential reference for the 2181 * duration of the call. 2182 */ 2183void 2184change_svuid(struct ucred *newcred, uid_t svuid) 2185{ 2186 2187 newcred->cr_svuid = svuid; 2188} 2189 |
2190/* | 2190/*- |
2191 * Change a process's saved gid. 2192 * Side effects: newcred->cr_svgid will be updated. 2193 * References: newcred must be an exclusive credential reference for the 2194 * duration of the call. 2195 */ 2196void 2197change_svgid(struct ucred *newcred, gid_t svgid) 2198{ 2199 2200 newcred->cr_svgid = svgid; 2201} | 2191 * Change a process's saved gid. 2192 * Side effects: newcred->cr_svgid will be updated. 2193 * References: newcred must be an exclusive credential reference for the 2194 * duration of the call. 2195 */ 2196void 2197change_svgid(struct ucred *newcred, gid_t svgid) 2198{ 2199 2200 newcred->cr_svgid = svgid; 2201} |
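Review bot: The header comment of cr_canseeinpcb (new side 1727–1730) still reads as a copy of the cr_canseesocket header directly above it, saying the function decides whether cred can "see" a socket, while the function takes a `struct inpcb *inp` and, per the visible lines 1747–1748, checks `inp->inp_cred`; since this commit is already rewriting every one of these comment openers to `/*-`, the wording could be corrected in the same pass, e.g. `* Determine whether the subject represented by cred can "see" an inpcb.`. The same sweep leaves the stray empty comment line 1761 inside the p_canwait header (1754–1762) in place, which can be dropped so that block matches the others. Both points are documentation only; the bodies of cr_canseeinpcb and p_canwait are partly hidden in this view, so no claim is made about lines not shown.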