257 td->td_retval[1] = td->td_ucred->cr_groups[0];
258#endif
259 return (0);
260}
261
262/*
263 * Get effective group ID. The "egid" is groups[0], and could be obtained
264 * via getgroups. This syscall exists because it is somewhat painful to do
265 * correctly in a library function.
266 */
267#ifndef _SYS_SYSPROTO_H_
268struct getegid_args {
269 int dummy;
270};
271#endif
272/*
273 * MPSAFE
274 */
275/* ARGSUSED */
276int
277getegid(struct thread *td, struct getegid_args *uap)
278{
279
280 td->td_retval[0] = td->td_ucred->cr_groups[0];
281 return (0);
282}
283
284#ifndef _SYS_SYSPROTO_H_
285struct getgroups_args {
286 u_int gidsetsize;
287 gid_t *gidset;
288};
289#endif
290/*
291 * MPSAFE
292 */
293int
294getgroups(struct thread *td, register struct getgroups_args *uap)
295{
296 struct ucred *cred;
297 u_int ngrp;
298 int error;
299
300 cred = td->td_ucred;
301 if ((ngrp = uap->gidsetsize) == 0) {
302 td->td_retval[0] = cred->cr_ngroups;
303 return (0);
304 }
305 if (ngrp < cred->cr_ngroups)
306 return (EINVAL);
307 ngrp = cred->cr_ngroups;
308 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
309 if (error == 0)
310 td->td_retval[0] = ngrp;
311 return (error);
312}
313
314#ifndef _SYS_SYSPROTO_H_
315struct setsid_args {
316 int dummy;
317};
318#endif
319/*
320 * MPSAFE
321 */
322/* ARGSUSED */
323int
324setsid(register struct thread *td, struct setsid_args *uap)
325{
326 struct pgrp *pgrp;
327 int error;
328 struct proc *p = td->td_proc;
329 struct pgrp *newpgrp;
330 struct session *newsess;
331
332 error = 0;
333 pgrp = NULL;
334
335 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
336 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
337
338 sx_xlock(&proctree_lock);
339
340 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
341 if (pgrp != NULL)
342 PGRP_UNLOCK(pgrp);
343 error = EPERM;
344 } else {
345 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
346 td->td_retval[0] = p->p_pid;
347 newpgrp = NULL;
348 newsess = NULL;
349 }
350
351 sx_xunlock(&proctree_lock);
352
353 if (newpgrp != NULL)
354 FREE(newpgrp, M_PGRP);
355 if (newsess != NULL)
356 FREE(newsess, M_SESSION);
357
358 return (error);
359}
360
361/*
362 * set process group (setpgid/old setpgrp)
363 *
364 * caller does setpgid(targpid, targpgid)
365 *
366 * pid must be caller or child of caller (ESRCH)
367 * if a child
368 * pid must be in same session (EPERM)
369 * pid can't have done an exec (EACCES)
370 * if pgid != pid
371 * there must exist some pid in same session having pgid (EPERM)
372 * pid must not be session leader (EPERM)
373 */
374#ifndef _SYS_SYSPROTO_H_
375struct setpgid_args {
376 int pid; /* target process id */
377 int pgid; /* target pgrp id */
378};
379#endif
380/*
381 * MPSAFE
382 */
383/* ARGSUSED */
384int
385setpgid(struct thread *td, register struct setpgid_args *uap)
386{
387 struct proc *curp = td->td_proc;
388 register struct proc *targp; /* target process */
389 register struct pgrp *pgrp; /* target pgrp */
390 int error;
391 struct pgrp *newpgrp;
392
393 if (uap->pgid < 0)
394 return (EINVAL);
395
396 error = 0;
397
398 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
399
400 sx_xlock(&proctree_lock);
401 if (uap->pid != 0 && uap->pid != curp->p_pid) {
402 if ((targp = pfind(uap->pid)) == NULL) {
403 error = ESRCH;
404 goto done;
405 }
406 if (!inferior(targp)) {
407 PROC_UNLOCK(targp);
408 error = ESRCH;
409 goto done;
410 }
411 if ((error = p_cansee(curthread, targp))) {
412 PROC_UNLOCK(targp);
413 goto done;
414 }
415 if (targp->p_pgrp == NULL ||
416 targp->p_session != curp->p_session) {
417 PROC_UNLOCK(targp);
418 error = EPERM;
419 goto done;
420 }
421 if (targp->p_flag & P_EXEC) {
422 PROC_UNLOCK(targp);
423 error = EACCES;
424 goto done;
425 }
426 PROC_UNLOCK(targp);
427 } else
428 targp = curp;
429 if (SESS_LEADER(targp)) {
430 error = EPERM;
431 goto done;
432 }
433 if (uap->pgid == 0)
434 uap->pgid = targp->p_pid;
435 if ((pgrp = pgfind(uap->pgid)) == NULL) {
436 if (uap->pgid == targp->p_pid) {
437 error = enterpgrp(targp, uap->pgid, newpgrp,
438 NULL);
439 if (error == 0)
440 newpgrp = NULL;
441 } else
442 error = EPERM;
443 } else {
444 if (pgrp == targp->p_pgrp) {
445 PGRP_UNLOCK(pgrp);
446 goto done;
447 }
448 if (pgrp->pg_id != targp->p_pid &&
449 pgrp->pg_session != curp->p_session) {
450 PGRP_UNLOCK(pgrp);
451 error = EPERM;
452 goto done;
453 }
454 PGRP_UNLOCK(pgrp);
455 error = enterthispgrp(targp, pgrp);
456 }
457done:
458 sx_xunlock(&proctree_lock);
459 KASSERT((error == 0) || (newpgrp != NULL),
460 ("setpgid failed and newpgrp is NULL"));
461 if (newpgrp != NULL)
462 FREE(newpgrp, M_PGRP);
463 return (error);
464}
465
466/*
467 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
468 * compatible. It says that setting the uid/gid to euid/egid is a special
469 * case of "appropriate privilege". Once the rules are expanded out, this
470 * basically means that setuid(nnn) sets all three id's, in all permitted
471 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
472 * does not set the saved id - this is dangerous for traditional BSD
473 * programs. For this reason, we *really* do not want to set
474 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
475 */
476#define POSIX_APPENDIX_B_4_2_2
477
478#ifndef _SYS_SYSPROTO_H_
479struct setuid_args {
480 uid_t uid;
481};
482#endif
483/*
484 * MPSAFE
485 */
486/* ARGSUSED */
487int
488setuid(struct thread *td, struct setuid_args *uap)
489{
490 struct proc *p = td->td_proc;
491 struct ucred *newcred, *oldcred;
492 uid_t uid;
493 struct uidinfo *uip;
494 int error;
495
496 uid = uap->uid;
497 newcred = crget();
498 uip = uifind(uid);
499 PROC_LOCK(p);
500 oldcred = p->p_ucred;
501
502 /*
503 * See if we have "permission" by POSIX 1003.1 rules.
504 *
505 * Note that setuid(geteuid()) is a special case of
506 * "appropriate privileges" in appendix B.4.2.2. We need
507 * to use this clause to be compatible with traditional BSD
508 * semantics. Basically, it means that "setuid(xx)" sets all
509 * three id's (assuming you have privs).
510 *
511 * Notes on the logic. We do things in three steps.
512 * 1: We determine if the euid is going to change, and do EPERM
513 * right away. We unconditionally change the euid later if this
514 * test is satisfied, simplifying that part of the logic.
515 * 2: We determine if the real and/or saved uids are going to
516 * change. Determined by compile options.
517 * 3: Change euid last. (after tests in #2 for "appropriate privs")
518 */
519 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
520#ifdef _POSIX_SAVED_IDS
521 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
522#endif
523#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
524 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
525#endif
526 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
527 PROC_UNLOCK(p);
528 uifree(uip);
529 crfree(newcred);
530 return (error);
531 }
532
533 /*
534 * Copy credentials so other references do not see our changes.
535 */
536 crcopy(newcred, oldcred);
537#ifdef _POSIX_SAVED_IDS
538 /*
539 * Do we have "appropriate privileges" (are we root or uid == euid)
540 * If so, we are changing the real uid and/or saved uid.
541 */
542 if (
543#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
544 uid == oldcred->cr_uid ||
545#endif
546 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
547#endif
548 {
549 /*
550 * Set the real uid and transfer proc count to new user.
551 */
552 if (uid != oldcred->cr_ruid) {
553 change_ruid(newcred, uip);
554 setsugid(p);
555 }
556 /*
557 * Set saved uid
558 *
559 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
560 * the security of seteuid() depends on it. B.4.2.2 says it
561 * is important that we should do this.
562 */
563 if (uid != oldcred->cr_svuid) {
564 change_svuid(newcred, uid);
565 setsugid(p);
566 }
567 }
568
569 /*
570 * In all permitted cases, we are changing the euid.
571 */
572 if (uid != oldcred->cr_uid) {
573 change_euid(newcred, uip);
574 setsugid(p);
575 }
576 p->p_ucred = newcred;
577 PROC_UNLOCK(p);
578 uifree(uip);
579 crfree(oldcred);
580 return (0);
581}
582
583#ifndef _SYS_SYSPROTO_H_
584struct seteuid_args {
585 uid_t euid;
586};
587#endif
588/*
589 * MPSAFE
590 */
591/* ARGSUSED */
592int
593seteuid(struct thread *td, struct seteuid_args *uap)
594{
595 struct proc *p = td->td_proc;
596 struct ucred *newcred, *oldcred;
597 uid_t euid;
598 struct uidinfo *euip;
599 int error;
600
601 euid = uap->euid;
602 newcred = crget();
603 euip = uifind(euid);
604 PROC_LOCK(p);
605 oldcred = p->p_ucred;
606 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
607 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
608 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
609 PROC_UNLOCK(p);
610 uifree(euip);
611 crfree(newcred);
612 return (error);
613 }
614 /*
615 * Everything's okay, do it. Copy credentials so other references do
616 * not see our changes.
617 */
618 crcopy(newcred, oldcred);
619 if (oldcred->cr_uid != euid) {
620 change_euid(newcred, euip);
621 setsugid(p);
622 }
623 p->p_ucred = newcred;
624 PROC_UNLOCK(p);
625 uifree(euip);
626 crfree(oldcred);
627 return (0);
628}
629
630#ifndef _SYS_SYSPROTO_H_
631struct setgid_args {
632 gid_t gid;
633};
634#endif
635/*
636 * MPSAFE
637 */
638/* ARGSUSED */
639int
640setgid(struct thread *td, struct setgid_args *uap)
641{
642 struct proc *p = td->td_proc;
643 struct ucred *newcred, *oldcred;
644 gid_t gid;
645 int error;
646
647 gid = uap->gid;
648 newcred = crget();
649 PROC_LOCK(p);
650 oldcred = p->p_ucred;
651
652 /*
653 * See if we have "permission" by POSIX 1003.1 rules.
654 *
655 * Note that setgid(getegid()) is a special case of
656 * "appropriate privileges" in appendix B.4.2.2. We need
657 * to use this clause to be compatible with traditional BSD
658 * semantics. Basically, it means that "setgid(xx)" sets all
659 * three id's (assuming you have privs).
660 *
661 * For notes on the logic here, see setuid() above.
662 */
663 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
664#ifdef _POSIX_SAVED_IDS
665 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
666#endif
667#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
668 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
669#endif
670 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
671 PROC_UNLOCK(p);
672 crfree(newcred);
673 return (error);
674 }
675
676 crcopy(newcred, oldcred);
677#ifdef _POSIX_SAVED_IDS
678 /*
679 * Do we have "appropriate privileges" (are we root or gid == egid)
680 * If so, we are changing the real uid and saved gid.
681 */
682 if (
683#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
684 gid == oldcred->cr_groups[0] ||
685#endif
686 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
687#endif
688 {
689 /*
690 * Set real gid
691 */
692 if (oldcred->cr_rgid != gid) {
693 change_rgid(newcred, gid);
694 setsugid(p);
695 }
696 /*
697 * Set saved gid
698 *
699 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
700 * the security of setegid() depends on it. B.4.2.2 says it
701 * is important that we should do this.
702 */
703 if (oldcred->cr_svgid != gid) {
704 change_svgid(newcred, gid);
705 setsugid(p);
706 }
707 }
708 /*
709 * In all cases permitted cases, we are changing the egid.
710 * Copy credentials so other references do not see our changes.
711 */
712 if (oldcred->cr_groups[0] != gid) {
713 change_egid(newcred, gid);
714 setsugid(p);
715 }
716 p->p_ucred = newcred;
717 PROC_UNLOCK(p);
718 crfree(oldcred);
719 return (0);
720}
721
722#ifndef _SYS_SYSPROTO_H_
723struct setegid_args {
724 gid_t egid;
725};
726#endif
727/*
728 * MPSAFE
729 */
730/* ARGSUSED */
731int
732setegid(struct thread *td, struct setegid_args *uap)
733{
734 struct proc *p = td->td_proc;
735 struct ucred *newcred, *oldcred;
736 gid_t egid;
737 int error;
738
739 egid = uap->egid;
740 newcred = crget();
741 PROC_LOCK(p);
742 oldcred = p->p_ucred;
743 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
744 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
745 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
746 PROC_UNLOCK(p);
747 crfree(newcred);
748 return (error);
749 }
750 crcopy(newcred, oldcred);
751 if (oldcred->cr_groups[0] != egid) {
752 change_egid(newcred, egid);
753 setsugid(p);
754 }
755 p->p_ucred = newcred;
756 PROC_UNLOCK(p);
757 crfree(oldcred);
758 return (0);
759}
760
761#ifndef _SYS_SYSPROTO_H_
762struct setgroups_args {
763 u_int gidsetsize;
764 gid_t *gidset;
765};
766#endif
767/*
768 * MPSAFE
769 */
770/* ARGSUSED */
771int
772setgroups(struct thread *td, struct setgroups_args *uap)
773{
774 struct proc *p = td->td_proc;
775 struct ucred *newcred, *tempcred, *oldcred;
776 u_int ngrp;
777 int error;
778
779 ngrp = uap->gidsetsize;
780 if (ngrp > NGROUPS)
781 return (EINVAL);
782 tempcred = crget();
783 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
784 if (error != 0) {
785 crfree(tempcred);
786 return (error);
787 }
788 newcred = crget();
789 PROC_LOCK(p);
790 oldcred = p->p_ucred;
791 error = suser_cred(oldcred, PRISON_ROOT);
792 if (error) {
793 PROC_UNLOCK(p);
794 crfree(newcred);
795 crfree(tempcred);
796 return (error);
797 }
798
799 /*
800 * XXX A little bit lazy here. We could test if anything has
801 * changed before crcopy() and setting P_SUGID.
802 */
803 crcopy(newcred, oldcred);
804 if (ngrp < 1) {
805 /*
806 * setgroups(0, NULL) is a legitimate way of clearing the
807 * groups vector on non-BSD systems (which generally do not
808 * have the egid in the groups[0]). We risk security holes
809 * when running non-BSD software if we do not do the same.
810 */
811 newcred->cr_ngroups = 1;
812 } else {
813 bcopy(tempcred->cr_groups, newcred->cr_groups,
814 ngrp * sizeof(gid_t));
815 newcred->cr_ngroups = ngrp;
816 }
817 setsugid(p);
818 p->p_ucred = newcred;
819 PROC_UNLOCK(p);
820 crfree(tempcred);
821 crfree(oldcred);
822 return (0);
823}
824
825#ifndef _SYS_SYSPROTO_H_
826struct setreuid_args {
827 uid_t ruid;
828 uid_t euid;
829};
830#endif
831/*
832 * MPSAFE
833 */
834/* ARGSUSED */
835int
836setreuid(register struct thread *td, struct setreuid_args *uap)
837{
838 struct proc *p = td->td_proc;
839 struct ucred *newcred, *oldcred;
840 uid_t euid, ruid;
841 struct uidinfo *euip, *ruip;
842 int error;
843
844 euid = uap->euid;
845 ruid = uap->ruid;
846 newcred = crget();
847 euip = uifind(euid);
848 ruip = uifind(ruid);
849 PROC_LOCK(p);
850 oldcred = p->p_ucred;
851 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
852 ruid != oldcred->cr_svuid) ||
853 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
854 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
855 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
856 PROC_UNLOCK(p);
857 uifree(ruip);
858 uifree(euip);
859 crfree(newcred);
860 return (error);
861 }
862 crcopy(newcred, oldcred);
863 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
864 change_euid(newcred, euip);
865 setsugid(p);
866 }
867 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
868 change_ruid(newcred, ruip);
869 setsugid(p);
870 }
871 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
872 newcred->cr_svuid != newcred->cr_uid) {
873 change_svuid(newcred, newcred->cr_uid);
874 setsugid(p);
875 }
876 p->p_ucred = newcred;
877 PROC_UNLOCK(p);
878 uifree(ruip);
879 uifree(euip);
880 crfree(oldcred);
881 return (0);
882}
883
884#ifndef _SYS_SYSPROTO_H_
885struct setregid_args {
886 gid_t rgid;
887 gid_t egid;
888};
889#endif
890/*
891 * MPSAFE
892 */
893/* ARGSUSED */
894int
895setregid(register struct thread *td, struct setregid_args *uap)
896{
897 struct proc *p = td->td_proc;
898 struct ucred *newcred, *oldcred;
899 gid_t egid, rgid;
900 int error;
901
902 egid = uap->egid;
903 rgid = uap->rgid;
904 newcred = crget();
905 PROC_LOCK(p);
906 oldcred = p->p_ucred;
907 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
908 rgid != oldcred->cr_svgid) ||
909 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
910 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
911 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
912 PROC_UNLOCK(p);
913 crfree(newcred);
914 return (error);
915 }
916
917 crcopy(newcred, oldcred);
918 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
919 change_egid(newcred, egid);
920 setsugid(p);
921 }
922 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
923 change_rgid(newcred, rgid);
924 setsugid(p);
925 }
926 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
927 newcred->cr_svgid != newcred->cr_groups[0]) {
928 change_svgid(newcred, newcred->cr_groups[0]);
929 setsugid(p);
930 }
931 p->p_ucred = newcred;
932 PROC_UNLOCK(p);
933 crfree(oldcred);
934 return (0);
935}
936
937/*
938 * setresuid(ruid, euid, suid) is like setreuid except control over the
939 * saved uid is explicit.
940 */
941
942#ifndef _SYS_SYSPROTO_H_
943struct setresuid_args {
944 uid_t ruid;
945 uid_t euid;
946 uid_t suid;
947};
948#endif
949/*
950 * MPSAFE
951 */
952/* ARGSUSED */
953int
954setresuid(register struct thread *td, struct setresuid_args *uap)
955{
956 struct proc *p = td->td_proc;
957 struct ucred *newcred, *oldcred;
958 uid_t euid, ruid, suid;
959 struct uidinfo *euip, *ruip;
960 int error;
961
962 euid = uap->euid;
963 ruid = uap->ruid;
964 suid = uap->suid;
965 newcred = crget();
966 euip = uifind(euid);
967 ruip = uifind(ruid);
968 PROC_LOCK(p);
969 oldcred = p->p_ucred;
970 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
971 ruid != oldcred->cr_svuid &&
972 ruid != oldcred->cr_uid) ||
973 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
974 euid != oldcred->cr_svuid &&
975 euid != oldcred->cr_uid) ||
976 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
977 suid != oldcred->cr_svuid &&
978 suid != oldcred->cr_uid)) &&
979 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
980 PROC_UNLOCK(p);
981 uifree(ruip);
982 uifree(euip);
983 crfree(newcred);
984 return (error);
985 }
986
987 crcopy(newcred, oldcred);
988 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
989 change_euid(newcred, euip);
990 setsugid(p);
991 }
992 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
993 change_ruid(newcred, ruip);
994 setsugid(p);
995 }
996 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
997 change_svuid(newcred, suid);
998 setsugid(p);
999 }
1000 p->p_ucred = newcred;
1001 PROC_UNLOCK(p);
1002 uifree(ruip);
1003 uifree(euip);
1004 crfree(oldcred);
1005 return (0);
1006}
1007
1008/*
1009 * setresgid(rgid, egid, sgid) is like setregid except control over the
1010 * saved gid is explicit.
1011 */
1012
1013#ifndef _SYS_SYSPROTO_H_
1014struct setresgid_args {
1015 gid_t rgid;
1016 gid_t egid;
1017 gid_t sgid;
1018};
1019#endif
1020/*
1021 * MPSAFE
1022 */
1023/* ARGSUSED */
1024int
1025setresgid(register struct thread *td, struct setresgid_args *uap)
1026{
1027 struct proc *p = td->td_proc;
1028 struct ucred *newcred, *oldcred;
1029 gid_t egid, rgid, sgid;
1030 int error;
1031
1032 egid = uap->egid;
1033 rgid = uap->rgid;
1034 sgid = uap->sgid;
1035 newcred = crget();
1036 PROC_LOCK(p);
1037 oldcred = p->p_ucred;
1038 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1039 rgid != oldcred->cr_svgid &&
1040 rgid != oldcred->cr_groups[0]) ||
1041 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1042 egid != oldcred->cr_svgid &&
1043 egid != oldcred->cr_groups[0]) ||
1044 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1045 sgid != oldcred->cr_svgid &&
1046 sgid != oldcred->cr_groups[0])) &&
1047 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
1048 PROC_UNLOCK(p);
1049 crfree(newcred);
1050 return (error);
1051 }
1052
1053 crcopy(newcred, oldcred);
1054 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1055 change_egid(newcred, egid);
1056 setsugid(p);
1057 }
1058 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1059 change_rgid(newcred, rgid);
1060 setsugid(p);
1061 }
1062 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1063 change_svgid(newcred, sgid);
1064 setsugid(p);
1065 }
1066 p->p_ucred = newcred;
1067 PROC_UNLOCK(p);
1068 crfree(oldcred);
1069 return (0);
1070}
1071
1072#ifndef _SYS_SYSPROTO_H_
1073struct getresuid_args {
1074 uid_t *ruid;
1075 uid_t *euid;
1076 uid_t *suid;
1077};
1078#endif
1079/*
1080 * MPSAFE
1081 */
1082/* ARGSUSED */
1083int
1084getresuid(register struct thread *td, struct getresuid_args *uap)
1085{
1086 struct ucred *cred;
1087 int error1 = 0, error2 = 0, error3 = 0;
1088
1089 cred = td->td_ucred;
1090 if (uap->ruid)
1091 error1 = copyout(&cred->cr_ruid,
1092 uap->ruid, sizeof(cred->cr_ruid));
1093 if (uap->euid)
1094 error2 = copyout(&cred->cr_uid,
1095 uap->euid, sizeof(cred->cr_uid));
1096 if (uap->suid)
1097 error3 = copyout(&cred->cr_svuid,
1098 uap->suid, sizeof(cred->cr_svuid));
1099 return (error1 ? error1 : error2 ? error2 : error3);
1100}
1101
1102#ifndef _SYS_SYSPROTO_H_
1103struct getresgid_args {
1104 gid_t *rgid;
1105 gid_t *egid;
1106 gid_t *sgid;
1107};
1108#endif
1109/*
1110 * MPSAFE
1111 */
1112/* ARGSUSED */
1113int
1114getresgid(register struct thread *td, struct getresgid_args *uap)
1115{
1116 struct ucred *cred;
1117 int error1 = 0, error2 = 0, error3 = 0;
1118
1119 cred = td->td_ucred;
1120 if (uap->rgid)
1121 error1 = copyout(&cred->cr_rgid,
1122 uap->rgid, sizeof(cred->cr_rgid));
1123 if (uap->egid)
1124 error2 = copyout(&cred->cr_groups[0],
1125 uap->egid, sizeof(cred->cr_groups[0]));
1126 if (uap->sgid)
1127 error3 = copyout(&cred->cr_svgid,
1128 uap->sgid, sizeof(cred->cr_svgid));
1129 return (error1 ? error1 : error2 ? error2 : error3);
1130}
1131
1132#ifndef _SYS_SYSPROTO_H_
1133struct issetugid_args {
1134 int dummy;
1135};
1136#endif
1137/*
1138 * MPSAFE
1139 */
1140/* ARGSUSED */
1141int
1142issetugid(register struct thread *td, struct issetugid_args *uap)
1143{
1144 struct proc *p = td->td_proc;
1145
1146 /*
1147 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1148 * we use P_SUGID because we consider changing the owners as
1149 * "tainting" as well.
1150 * This is significant for procs that start as root and "become"
1151 * a user without an exec - programs cannot know *everything*
1152 * that libc *might* have put in their data segment.
1153 */
1154 PROC_LOCK(p);
1155 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1156 PROC_UNLOCK(p);
1157 return (0);
1158}
1159
1160/*
1161 * MPSAFE
1162 */
1163int
1164__setugid(struct thread *td, struct __setugid_args *uap)
1165{
1166#ifdef REGRESSION
1167 struct proc *p;
1168
1169 p = td->td_proc;
1170 switch (uap->flag) {
1171 case 0:
1172 PROC_LOCK(p);
1173 p->p_flag &= ~P_SUGID;
1174 PROC_UNLOCK(p);
1175 return (0);
1176 case 1:
1177 PROC_LOCK(p);
1178 p->p_flag |= P_SUGID;
1179 PROC_UNLOCK(p);
1180 return (0);
1181 default:
1182 return (EINVAL);
1183 }
1184#else /* !REGRESSION */
1185
1186 return (ENOSYS);
1187#endif /* REGRESSION */
1188}
1189
1190/*
1191 * Check if gid is a member of the group set.
1192 *
1193 * MPSAFE (cred must be held)
1194 */
1195int
1196groupmember(gid_t gid, struct ucred *cred)
1197{
1198 register gid_t *gp;
1199 gid_t *egp;
1200
1201 egp = &(cred->cr_groups[cred->cr_ngroups]);
1202 for (gp = cred->cr_groups; gp < egp; gp++)
1203 if (*gp == gid)
1204 return (1);
1205 return (0);
1206}
1207
1208/*
1209 * `suser_enabled' (which can be set by the security.suser_enabled
1210 * sysctl) determines whether the system 'super-user' policy is in effect.
1211 * If it is nonzero, an effective uid of 0 connotes special privilege,
1212 * overriding many mandatory and discretionary protections. If it is zero,
1213 * uid 0 is offered no special privilege in the kernel security policy.
1214 * Setting it to zero may seriously impact the functionality of many
1215 * existing userland programs, and should not be done without careful
1216 * consideration of the consequences.
1217 */
1218int suser_enabled = 1;
1219SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1220 &suser_enabled, 0, "processes with uid 0 have privilege");
1221TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1222
1223/*
1224 * Test whether the specified credentials imply "super-user" privilege.
1225 * Return 0 or EPERM. The flag argument is currently used only to
1226 * specify jail interaction.
1227 */
1228int
1229suser_cred(struct ucred *cred, int flag)
1230{
1231
1232 if (!suser_enabled)
1233 return (EPERM);
1234 if (cred->cr_uid != 0)
1235 return (EPERM);
1236 if (jailed(cred) && !(flag & PRISON_ROOT))
1237 return (EPERM);
1238 return (0);
1239}
1240
1241/*
1242 * Shortcut to hide contents of struct td and struct proc from the
1243 * caller, promoting binary compatibility.
1244 */
1245int
1246suser(struct thread *td)
1247{
1248
1249 return (suser_cred(td->td_ucred, 0));
1250}
1251
1252/*
1253 * Test the active securelevel against a given level. securelevel_gt()
1254 * implements (securelevel > level). securelevel_ge() implements
1255 * (securelevel >= level). Note that the logic is inverted -- these
1256 * functions return EPERM on "success" and 0 on "failure".
1257 *
1258 * MPSAFE
1259 */
1260int
1261securelevel_gt(struct ucred *cr, int level)
1262{
1263 int active_securelevel;
1264
1265 active_securelevel = securelevel;
1266 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1267 if (cr->cr_prison != NULL) {
1268 mtx_lock(&cr->cr_prison->pr_mtx);
1269 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1270 active_securelevel);
1271 mtx_unlock(&cr->cr_prison->pr_mtx);
1272 }
1273 return (active_securelevel > level ? EPERM : 0);
1274}
1275
1276int
1277securelevel_ge(struct ucred *cr, int level)
1278{
1279 int active_securelevel;
1280
1281 active_securelevel = securelevel;
1282 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1283 if (cr->cr_prison != NULL) {
1284 mtx_lock(&cr->cr_prison->pr_mtx);
1285 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1286 active_securelevel);
1287 mtx_unlock(&cr->cr_prison->pr_mtx);
1288 }
1289 return (active_securelevel >= level ? EPERM : 0);
1290}
1291
1292/*
1293 * 'see_other_uids' determines whether or not visibility of processes
1294 * and sockets with credentials holding different real uids is possible
1295 * using a variety of system MIBs.
1296 * XXX: data declarations should be together near the beginning of the file.
1297 */
1298static int see_other_uids = 1;
1299SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1300 &see_other_uids, 0,
1301 "Unprivileged processes may see subjects/objects with different real uid");
1302
1303/*-
1304 * Determine if u1 "can see" the subject specified by u2, according to the
1305 * 'see_other_uids' policy.
1306 * Returns: 0 for permitted, ESRCH otherwise
1307 * Locks: none
1308 * References: *u1 and *u2 must not change during the call
1309 * u1 may equal u2, in which case only one reference is required
1310 */
1311static int
1312cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1313{
1314
1315 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1316 if (suser_cred(u1, PRISON_ROOT) != 0)
1317 return (ESRCH);
1318 }
1319 return (0);
1320}
1321
1322/*
1323 * 'see_other_gids' determines whether or not visibility of processes
1324 * and sockets with credentials holding different real gids is possible
1325 * using a variety of system MIBs.
1326 * XXX: data declarations should be together near the beginning of the file.
1327 */
1328static int see_other_gids = 1;
1329SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1330 &see_other_gids, 0,
1331 "Unprivileged processes may see subjects/objects with different real gid");
1332
1333/*
1334 * Determine if u1 can "see" the subject specified by u2, according to the
1335 * 'see_other_gids' policy.
1336 * Returns: 0 for permitted, ESRCH otherwise
1337 * Locks: none
1338 * References: *u1 and *u2 must not change during the call
1339 * u1 may equal u2, in which case only one reference is required
1340 */
1341static int
1342cr_seeothergids(struct ucred *u1, struct ucred *u2)
1343{
1344 int i, match;
1345
1346 if (!see_other_gids) {
1347 match = 0;
1348 for (i = 0; i < u1->cr_ngroups; i++) {
1349 if (groupmember(u1->cr_groups[i], u2))
1350 match = 1;
1351 if (match)
1352 break;
1353 }
1354 if (!match) {
1355 if (suser_cred(u1, PRISON_ROOT) != 0)
1356 return (ESRCH);
1357 }
1358 }
1359 return (0);
1360}
1361
1362/*-
1363 * Determine if u1 "can see" the subject specified by u2.
1364 * Returns: 0 for permitted, an errno value otherwise
1365 * Locks: none
1366 * References: *u1 and *u2 must not change during the call
1367 * u1 may equal u2, in which case only one reference is required
1368 */
1369int
1370cr_cansee(struct ucred *u1, struct ucred *u2)
1371{
1372 int error;
1373
1374 if ((error = prison_check(u1, u2)))
1375 return (error);
1376#ifdef MAC
1377 if ((error = mac_check_cred_visible(u1, u2)))
1378 return (error);
1379#endif
1380 if ((error = cr_seeotheruids(u1, u2)))
1381 return (error);
1382 if ((error = cr_seeothergids(u1, u2)))
1383 return (error);
1384 return (0);
1385}
1386
1387/*-
1388 * Determine if td "can see" the subject specified by p.
1389 * Returns: 0 for permitted, an errno value otherwise
1390 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1391 * should be curthread.
1392 * References: td and p must be valid for the lifetime of the call
1393 */
1394int
1395p_cansee(struct thread *td, struct proc *p)
1396{
1397
1398 /* Wrap cr_cansee() for all functionality. */
1399 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1400 PROC_LOCK_ASSERT(p, MA_OWNED);
1401 return (cr_cansee(td->td_ucred, p->p_ucred));
1402}
1403
1404/*
1405 * 'conservative_signals' prevents the delivery of a broad class of
1406 * signals by unprivileged processes to processes that have changed their
1407 * credentials since the last invocation of execve(). This can prevent
1408 * the leakage of cached information or retained privileges as a result
1409 * of a common class of signal-related vulnerabilities. However, this
1410 * may interfere with some applications that expect to be able to
1411 * deliver these signals to peer processes after having given up
1412 * privilege.
1413 */
1414static int conservative_signals = 1;
1415SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1416 &conservative_signals, 0, "Unprivileged processes prevented from "
1417 "sending certain signals to processes whose credentials have changed");
1418/*-
1419 * Determine whether cred may deliver the specified signal to proc.
1420 * Returns: 0 for permitted, an errno value otherwise.
1421 * Locks: A lock must be held for proc.
1422 * References: cred and proc must be valid for the lifetime of the call.
1423 */
1424int
1425cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1426{
1427 int error;
1428
1429 PROC_LOCK_ASSERT(proc, MA_OWNED);
1430 /*
1431 * Jail semantics limit the scope of signalling to proc in the
1432 * same jail as cred, if cred is in jail.
1433 */
1434 error = prison_check(cred, proc->p_ucred);
1435 if (error)
1436 return (error);
1437#ifdef MAC
1438 if ((error = mac_check_proc_signal(cred, proc, signum)))
1439 return (error);
1440#endif
1441 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1442 return (error);
1443 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1444 return (error);
1445
1446 /*
1447 * UNIX signal semantics depend on the status of the P_SUGID
1448 * bit on the target process. If the bit is set, then additional
1449 * restrictions are placed on the set of available signals.
1450 */
1451 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1452 switch (signum) {
1453 case 0:
1454 case SIGKILL:
1455 case SIGINT:
1456 case SIGTERM:
1457 case SIGALRM:
1458 case SIGSTOP:
1459 case SIGTTIN:
1460 case SIGTTOU:
1461 case SIGTSTP:
1462 case SIGHUP:
1463 case SIGUSR1:
1464 case SIGUSR2:
1465 /*
1466 * Generally, permit job and terminal control
1467 * signals.
1468 */
1469 break;
1470 default:
1471 /* Not permitted without privilege. */
1472 error = suser_cred(cred, PRISON_ROOT);
1473 if (error)
1474 return (error);
1475 }
1476 }
1477
1478 /*
1479 * Generally, the target credential's ruid or svuid must match the
1480 * subject credential's ruid or euid.
1481 */
1482 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1483 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1484 cred->cr_uid != proc->p_ucred->cr_ruid &&
1485 cred->cr_uid != proc->p_ucred->cr_svuid) {
1486 /* Not permitted without privilege. */
1487 error = suser_cred(cred, PRISON_ROOT);
1488 if (error)
1489 return (error);
1490 }
1491
1492 return (0);
1493}
1494
1495
1496/*-
1497 * Determine whether td may deliver the specified signal to p.
1498 * Returns: 0 for permitted, an errno value otherwise
1499 * Locks: Sufficient locks to protect various components of td and p
1500 * must be held. td must be curthread, and a lock must be
1501 * held for p.
1502 * References: td and p must be valid for the lifetime of the call
1503 */
1504int
1505p_cansignal(struct thread *td, struct proc *p, int signum)
1506{
1507
1508 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1509 PROC_LOCK_ASSERT(p, MA_OWNED);
1510 if (td->td_proc == p)
1511 return (0);
1512
1513 /*
1514 * UNIX signalling semantics require that processes in the same
1515 * session always be able to deliver SIGCONT to one another,
1516 * overriding the remaining protections.
1517 */
1518 /* XXX: This will require an additional lock of some sort. */
1519 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1520 return (0);
1521
1522 return (cr_cansignal(td->td_ucred, p, signum));
1523}
1524
1525/*-
1526 * Determine whether td may reschedule p.
1527 * Returns: 0 for permitted, an errno value otherwise
1528 * Locks: Sufficient locks to protect various components of td and p
1529 * must be held. td must be curthread, and a lock must
1530 * be held for p.
1531 * References: td and p must be valid for the lifetime of the call
1532 */
1533int
1534p_cansched(struct thread *td, struct proc *p)
1535{
1536 int error;
1537
1538 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1539 PROC_LOCK_ASSERT(p, MA_OWNED);
1540 if (td->td_proc == p)
1541 return (0);
1542 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1543 return (error);
1544#ifdef MAC
1545 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1546 return (error);
1547#endif
1548 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1549 return (error);
1550 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1551 return (error);
1552 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1553 return (0);
1554 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1555 return (0);
1556 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0)
1557 return (0);
1558
1559#ifdef CAPABILITIES
1560 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT))
1561 return (0);
1562#endif
1563
1564 return (EPERM);
1565}
1566
1567/*
1568 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1569 * unprivileged inter-process debugging services, including some procfs
1570 * functionality, ptrace(), and ktrace(). In the past, inter-process
1571 * debugging has been involved in a variety of security problems, and sites
1572 * not requiring the service might choose to disable it when hardening
1573 * systems.
1574 *
1575 * XXX: Should modifying and reading this variable require locking?
1576 * XXX: data declarations should be together near the beginning of the file.
1577 */
1578static int unprivileged_proc_debug = 1;
1579SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1580 &unprivileged_proc_debug, 0,
1581 "Unprivileged processes may use process debugging facilities");
1582
1583/*-
1584 * Determine whether td may debug p.
1585 * Returns: 0 for permitted, an errno value otherwise
1586 * Locks: Sufficient locks to protect various components of td and p
1587 * must be held. td must be curthread, and a lock must
1588 * be held for p.
1589 * References: td and p must be valid for the lifetime of the call
1590 */
1591int
1592p_candebug(struct thread *td, struct proc *p)
1593{
1594 int credentialchanged, error, grpsubset, i, uidsubset;
1595
1596 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1597 PROC_LOCK_ASSERT(p, MA_OWNED);
1598 if (!unprivileged_proc_debug) {
1599 error = suser_cred(td->td_ucred, PRISON_ROOT);
1600 if (error)
1601 return (error);
1602 }
1603 if (td->td_proc == p)
1604 return (0);
1605 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1606 return (error);
1607#ifdef MAC
1608 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1609 return (error);
1610#endif
1611 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1612 return (error);
1613 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1614 return (error);
1615
1616 /*
1617 * Is p's group set a subset of td's effective group set? This
1618 * includes p's egid, group access list, rgid, and svgid.
1619 */
1620 grpsubset = 1;
1621 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1622 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1623 grpsubset = 0;
1624 break;
1625 }
1626 }
1627 grpsubset = grpsubset &&
1628 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1629 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1630
1631 /*
1632 * Are the uids present in p's credential equal to td's
1633 * effective uid? This includes p's euid, svuid, and ruid.
1634 */
1635 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1636 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1637 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1638
1639 /*
1640 * Has the credential of the process changed since the last exec()?
1641 */
1642 credentialchanged = (p->p_flag & P_SUGID);
1643
1644 /*
1645 * If p's gids aren't a subset, or the uids aren't a subset,
1646 * or the credential has changed, require appropriate privilege
1647 * for td to debug p. For POSIX.1e capabilities, this will
1648 * require CAP_SYS_PTRACE.
1649 */
1650 if (!grpsubset || !uidsubset || credentialchanged) {
1651 error = suser_cred(td->td_ucred, PRISON_ROOT);
1652 if (error)
1653 return (error);
1654 }
1655
1656 /* Can't trace init when securelevel > 0. */
1657 if (p == initproc) {
1658 error = securelevel_gt(td->td_ucred, 0);
1659 if (error)
1660 return (error);
1661 }
1662
1663 /*
1664 * Can't trace a process that's currently exec'ing.
1665 * XXX: Note, this is not a security policy decision, it's a
1666 * basic correctness/functionality decision. Therefore, this check
1667 * should be moved to the caller's of p_candebug().
1668 */
1669 if ((p->p_flag & P_INEXEC) != 0)
1670 return (EAGAIN);
1671
1672 return (0);
1673}
1674
1675/*-
1676 * Determine whether the subject represented by cred can "see" a socket.
1677 * Returns: 0 for permitted, ENOENT otherwise.
1678 */
1679int
1680cr_canseesocket(struct ucred *cred, struct socket *so)
1681{
1682 int error;
1683
1684 error = prison_check(cred, so->so_cred);
1685 if (error)
1686 return (ENOENT);
1687#ifdef MAC
1688 error = mac_check_socket_visible(cred, so);
1689 if (error)
1690 return (error);
1691#endif
1692 if (cr_seeotheruids(cred, so->so_cred))
1693 return (ENOENT);
1694 if (cr_seeothergids(cred, so->so_cred))
1695 return (ENOENT);
1696
1697 return (0);
1698}
1699
1700/*
1701 * Allocate a zeroed cred structure.
1702 * MPSAFE
1703 */
1704struct ucred *
1705crget(void)
1706{
1707 register struct ucred *cr;
1708
1709 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1710 cr->cr_ref = 1;
1711 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
1712#ifdef MAC
1713 mac_init_cred(cr);
1714#endif
1715 return (cr);
1716}
1717
1718/*
1719 * Claim another reference to a ucred structure.
1720 * MPSAFE
1721 */
1722struct ucred *
1723crhold(struct ucred *cr)
1724{
1725
1726 mtx_lock(cr->cr_mtxp);
1727 cr->cr_ref++;
1728 mtx_unlock(cr->cr_mtxp);
1729 return (cr);
1730}
1731
1732/*
1733 * Free a cred structure.
1734 * Throws away space when ref count gets to 0.
1735 * MPSAFE
1736 */
1737void
1738crfree(struct ucred *cr)
1739{
1740 struct mtx *mtxp = cr->cr_mtxp;
1741
1742 mtx_lock(mtxp);
1743 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1744 if (--cr->cr_ref == 0) {
1745 mtx_unlock(mtxp);
1746 /*
1747 * Some callers of crget(), such as nfs_statfs(),
1748 * allocate a temporary credential, but don't
1749 * allocate a uidinfo structure.
1750 */
1751 if (cr->cr_uidinfo != NULL)
1752 uifree(cr->cr_uidinfo);
1753 if (cr->cr_ruidinfo != NULL)
1754 uifree(cr->cr_ruidinfo);
1755 /*
1756 * Free a prison, if any.
1757 */
1758 if (jailed(cr))
1759 prison_free(cr->cr_prison);
1760#ifdef MAC
1761 mac_destroy_cred(cr);
1762#endif
1763 FREE(cr, M_CRED);
1764 } else {
1765 mtx_unlock(mtxp);
1766 }
1767}
1768
1769/*
1770 * Check to see if this ucred is shared.
1771 * MPSAFE
1772 */
1773int
1774crshared(struct ucred *cr)
1775{
1776 int shared;
1777
1778 mtx_lock(cr->cr_mtxp);
1779 shared = (cr->cr_ref > 1);
1780 mtx_unlock(cr->cr_mtxp);
1781 return (shared);
1782}
1783
1784/*
1785 * Copy a ucred's contents from a template. Does not block.
1786 * MPSAFE
1787 */
1788void
1789crcopy(struct ucred *dest, struct ucred *src)
1790{
1791
1792 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1793 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1794 (unsigned)((caddr_t)&src->cr_endcopy -
1795 (caddr_t)&src->cr_startcopy));
1796 uihold(dest->cr_uidinfo);
1797 uihold(dest->cr_ruidinfo);
1798 if (jailed(dest))
1799 prison_hold(dest->cr_prison);
1800#ifdef MAC
1801 mac_copy_cred(src, dest);
1802#endif
1803}
1804
1805/*
1806 * Dup cred struct to a new held one.
1807 * MPSAFE
1808 */
1809struct ucred *
1810crdup(struct ucred *cr)
1811{
1812 struct ucred *newcr;
1813
1814 newcr = crget();
1815 crcopy(newcr, cr);
1816 return (newcr);
1817}
1818
1819#ifdef DIAGNOSTIC
1820void
1821cred_free_thread(struct thread *td)
1822{
1823 struct ucred *cred;
1824
1825 cred = td->td_ucred;
1826 td->td_ucred = NULL;
1827 if (cred != NULL)
1828 crfree(cred);
1829}
1830#endif
1831
1832/*
1833 * Fill in a struct xucred based on a struct ucred.
1834 * MPSAFE
1835 */
1836void
1837cru2x(struct ucred *cr, struct xucred *xcr)
1838{
1839
1840 bzero(xcr, sizeof(*xcr));
1841 xcr->cr_version = XUCRED_VERSION;
1842 xcr->cr_uid = cr->cr_uid;
1843 xcr->cr_ngroups = cr->cr_ngroups;
1844 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1845}
1846
1847/*
1848 * small routine to swap a thread's current ucred for the correct one
1849 * taken from the process.
1850 * MPSAFE
1851 */
1852void
1853cred_update_thread(struct thread *td)
1854{
1855 struct proc *p;
1856 struct ucred *cred;
1857
1858 p = td->td_proc;
1859 cred = td->td_ucred;
1860 PROC_LOCK(p);
1861 td->td_ucred = crhold(p->p_ucred);
1862 PROC_UNLOCK(p);
1863 if (cred != NULL)
1864 crfree(cred);
1865}
1866
1867/*
1868 * Get login name, if available.
1869 */
1870#ifndef _SYS_SYSPROTO_H_
1871struct getlogin_args {
1872 char *namebuf;
1873 u_int namelen;
1874};
1875#endif
1876/*
1877 * MPSAFE
1878 */
1879/* ARGSUSED */
1880int
1881getlogin(struct thread *td, struct getlogin_args *uap)
1882{
1883 int error;
1884 char login[MAXLOGNAME];
1885 struct proc *p = td->td_proc;
1886
1887 if (uap->namelen > MAXLOGNAME)
1888 uap->namelen = MAXLOGNAME;
1889 PROC_LOCK(p);
1890 SESS_LOCK(p->p_session);
1891 bcopy(p->p_session->s_login, login, uap->namelen);
1892 SESS_UNLOCK(p->p_session);
1893 PROC_UNLOCK(p);
1894 error = copyout(login, uap->namebuf, uap->namelen);
1895 return(error);
1896}
1897
1898/*
1899 * Set login name.
1900 */
1901#ifndef _SYS_SYSPROTO_H_
1902struct setlogin_args {
1903 char *namebuf;
1904};
1905#endif
1906/*
1907 * MPSAFE
1908 */
1909/* ARGSUSED */
1910int
1911setlogin(struct thread *td, struct setlogin_args *uap)
1912{
1913 struct proc *p = td->td_proc;
1914 int error;
1915 char logintmp[MAXLOGNAME];
1916
1917 error = suser_cred(td->td_ucred, PRISON_ROOT);
1918 if (error)
1919 return (error);
1920 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
1921 if (error == ENAMETOOLONG)
1922 error = EINVAL;
1923 else if (!error) {
1924 PROC_LOCK(p);
1925 SESS_LOCK(p->p_session);
1926 (void) memcpy(p->p_session->s_login, logintmp,
1927 sizeof(logintmp));
1928 SESS_UNLOCK(p->p_session);
1929 PROC_UNLOCK(p);
1930 }
1931 return (error);
1932}
1933
1934void
1935setsugid(struct proc *p)
1936{
1937
1938 PROC_LOCK_ASSERT(p, MA_OWNED);
1939 p->p_flag |= P_SUGID;
1940 if (!(p->p_pfsflags & PF_ISUGID))
1941 p->p_stops = 0;
1942}
1943
1944/*-
1945 * Change a process's effective uid.
1946 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1947 * References: newcred must be an exclusive credential reference for the
1948 * duration of the call.
1949 */
1950void
1951change_euid(struct ucred *newcred, struct uidinfo *euip)
1952{
1953
1954 newcred->cr_uid = euip->ui_uid;
1955 uihold(euip);
1956 uifree(newcred->cr_uidinfo);
1957 newcred->cr_uidinfo = euip;
1958}
1959
1960/*-
1961 * Change a process's effective gid.
1962 * Side effects: newcred->cr_gid will be modified.
1963 * References: newcred must be an exclusive credential reference for the
1964 * duration of the call.
1965 */
1966void
1967change_egid(struct ucred *newcred, gid_t egid)
1968{
1969
1970 newcred->cr_groups[0] = egid;
1971}
1972
1973/*-
1974 * Change a process's real uid.
1975 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1976 * will be updated, and the old and new cr_ruidinfo proc
1977 * counts will be updated.
1978 * References: newcred must be an exclusive credential reference for the
1979 * duration of the call.
1980 */
1981void
1982change_ruid(struct ucred *newcred, struct uidinfo *ruip)
1983{
1984
1985 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1986 newcred->cr_ruid = ruip->ui_uid;
1987 uihold(ruip);
1988 uifree(newcred->cr_ruidinfo);
1989 newcred->cr_ruidinfo = ruip;
1990 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1991}
1992
1993/*-
1994 * Change a process's real gid.
1995 * Side effects: newcred->cr_rgid will be updated.
1996 * References: newcred must be an exclusive credential reference for the
1997 * duration of the call.
1998 */
1999void
2000change_rgid(struct ucred *newcred, gid_t rgid)
2001{
2002
2003 newcred->cr_rgid = rgid;
2004}
2005
2006/*-
2007 * Change a process's saved uid.
2008 * Side effects: newcred->cr_svuid will be updated.
2009 * References: newcred must be an exclusive credential reference for the
2010 * duration of the call.
2011 */
2012void
2013change_svuid(struct ucred *newcred, uid_t svuid)
2014{
2015
2016 newcred->cr_svuid = svuid;
2017}
2018
2019/*-
2020 * Change a process's saved gid.
2021 * Side effects: newcred->cr_svgid will be updated.
2022 * References: newcred must be an exclusive credential reference for the
2023 * duration of the call.
2024 */
2025void
2026change_svgid(struct ucred *newcred, gid_t svgid)
2027{
2028
2029 newcred->cr_svgid = svgid;
2030}
| 257 td->td_retval[1] = td->td_ucred->cr_groups[0];
258#endif
259 return (0);
260}
261
262/*
263 * Get effective group ID. The "egid" is groups[0], and could be obtained
264 * via getgroups. This syscall exists because it is somewhat painful to do
265 * correctly in a library function.
266 */
267#ifndef _SYS_SYSPROTO_H_
268struct getegid_args {
269 int dummy;
270};
271#endif
272/*
273 * MPSAFE
274 */
275/* ARGSUSED */
276int
277getegid(struct thread *td, struct getegid_args *uap)
278{
279
280 td->td_retval[0] = td->td_ucred->cr_groups[0];
281 return (0);
282}
283
284#ifndef _SYS_SYSPROTO_H_
285struct getgroups_args {
286 u_int gidsetsize;
287 gid_t *gidset;
288};
289#endif
290/*
291 * MPSAFE
292 */
293int
294getgroups(struct thread *td, register struct getgroups_args *uap)
295{
296 struct ucred *cred;
297 u_int ngrp;
298 int error;
299
300 cred = td->td_ucred;
301 if ((ngrp = uap->gidsetsize) == 0) {
302 td->td_retval[0] = cred->cr_ngroups;
303 return (0);
304 }
305 if (ngrp < cred->cr_ngroups)
306 return (EINVAL);
307 ngrp = cred->cr_ngroups;
308 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
309 if (error == 0)
310 td->td_retval[0] = ngrp;
311 return (error);
312}
313
314#ifndef _SYS_SYSPROTO_H_
315struct setsid_args {
316 int dummy;
317};
318#endif
319/*
320 * MPSAFE
321 */
322/* ARGSUSED */
323int
324setsid(register struct thread *td, struct setsid_args *uap)
325{
326 struct pgrp *pgrp;
327 int error;
328 struct proc *p = td->td_proc;
329 struct pgrp *newpgrp;
330 struct session *newsess;
331
332 error = 0;
333 pgrp = NULL;
334
335 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
336 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
337
338 sx_xlock(&proctree_lock);
339
340 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
341 if (pgrp != NULL)
342 PGRP_UNLOCK(pgrp);
343 error = EPERM;
344 } else {
345 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
346 td->td_retval[0] = p->p_pid;
347 newpgrp = NULL;
348 newsess = NULL;
349 }
350
351 sx_xunlock(&proctree_lock);
352
353 if (newpgrp != NULL)
354 FREE(newpgrp, M_PGRP);
355 if (newsess != NULL)
356 FREE(newsess, M_SESSION);
357
358 return (error);
359}
360
361/*
362 * set process group (setpgid/old setpgrp)
363 *
364 * caller does setpgid(targpid, targpgid)
365 *
366 * pid must be caller or child of caller (ESRCH)
367 * if a child
368 * pid must be in same session (EPERM)
369 * pid can't have done an exec (EACCES)
370 * if pgid != pid
371 * there must exist some pid in same session having pgid (EPERM)
372 * pid must not be session leader (EPERM)
373 */
374#ifndef _SYS_SYSPROTO_H_
375struct setpgid_args {
376 int pid; /* target process id */
377 int pgid; /* target pgrp id */
378};
379#endif
380/*
381 * MPSAFE
382 */
383/* ARGSUSED */
384int
385setpgid(struct thread *td, register struct setpgid_args *uap)
386{
387 struct proc *curp = td->td_proc;
388 register struct proc *targp; /* target process */
389 register struct pgrp *pgrp; /* target pgrp */
390 int error;
391 struct pgrp *newpgrp;
392
393 if (uap->pgid < 0)
394 return (EINVAL);
395
396 error = 0;
397
398 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
399
400 sx_xlock(&proctree_lock);
401 if (uap->pid != 0 && uap->pid != curp->p_pid) {
402 if ((targp = pfind(uap->pid)) == NULL) {
403 error = ESRCH;
404 goto done;
405 }
406 if (!inferior(targp)) {
407 PROC_UNLOCK(targp);
408 error = ESRCH;
409 goto done;
410 }
411 if ((error = p_cansee(curthread, targp))) {
412 PROC_UNLOCK(targp);
413 goto done;
414 }
415 if (targp->p_pgrp == NULL ||
416 targp->p_session != curp->p_session) {
417 PROC_UNLOCK(targp);
418 error = EPERM;
419 goto done;
420 }
421 if (targp->p_flag & P_EXEC) {
422 PROC_UNLOCK(targp);
423 error = EACCES;
424 goto done;
425 }
426 PROC_UNLOCK(targp);
427 } else
428 targp = curp;
429 if (SESS_LEADER(targp)) {
430 error = EPERM;
431 goto done;
432 }
433 if (uap->pgid == 0)
434 uap->pgid = targp->p_pid;
435 if ((pgrp = pgfind(uap->pgid)) == NULL) {
436 if (uap->pgid == targp->p_pid) {
437 error = enterpgrp(targp, uap->pgid, newpgrp,
438 NULL);
439 if (error == 0)
440 newpgrp = NULL;
441 } else
442 error = EPERM;
443 } else {
444 if (pgrp == targp->p_pgrp) {
445 PGRP_UNLOCK(pgrp);
446 goto done;
447 }
448 if (pgrp->pg_id != targp->p_pid &&
449 pgrp->pg_session != curp->p_session) {
450 PGRP_UNLOCK(pgrp);
451 error = EPERM;
452 goto done;
453 }
454 PGRP_UNLOCK(pgrp);
455 error = enterthispgrp(targp, pgrp);
456 }
457done:
458 sx_xunlock(&proctree_lock);
459 KASSERT((error == 0) || (newpgrp != NULL),
460 ("setpgid failed and newpgrp is NULL"));
461 if (newpgrp != NULL)
462 FREE(newpgrp, M_PGRP);
463 return (error);
464}
465
466/*
467 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
468 * compatible. It says that setting the uid/gid to euid/egid is a special
469 * case of "appropriate privilege". Once the rules are expanded out, this
470 * basically means that setuid(nnn) sets all three id's, in all permitted
471 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
472 * does not set the saved id - this is dangerous for traditional BSD
473 * programs. For this reason, we *really* do not want to set
474 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
475 */
476#define POSIX_APPENDIX_B_4_2_2
477
478#ifndef _SYS_SYSPROTO_H_
479struct setuid_args {
480 uid_t uid;
481};
482#endif
483/*
484 * MPSAFE
485 */
486/* ARGSUSED */
487int
488setuid(struct thread *td, struct setuid_args *uap)
489{
490 struct proc *p = td->td_proc;
491 struct ucred *newcred, *oldcred;
492 uid_t uid;
493 struct uidinfo *uip;
494 int error;
495
496 uid = uap->uid;
497 newcred = crget();
498 uip = uifind(uid);
499 PROC_LOCK(p);
500 oldcred = p->p_ucred;
501
502 /*
503 * See if we have "permission" by POSIX 1003.1 rules.
504 *
505 * Note that setuid(geteuid()) is a special case of
506 * "appropriate privileges" in appendix B.4.2.2. We need
507 * to use this clause to be compatible with traditional BSD
508 * semantics. Basically, it means that "setuid(xx)" sets all
509 * three id's (assuming you have privs).
510 *
511 * Notes on the logic. We do things in three steps.
512 * 1: We determine if the euid is going to change, and do EPERM
513 * right away. We unconditionally change the euid later if this
514 * test is satisfied, simplifying that part of the logic.
515 * 2: We determine if the real and/or saved uids are going to
516 * change. Determined by compile options.
517 * 3: Change euid last. (after tests in #2 for "appropriate privs")
518 */
519 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
520#ifdef _POSIX_SAVED_IDS
521 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
522#endif
523#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
524 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
525#endif
526 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
527 PROC_UNLOCK(p);
528 uifree(uip);
529 crfree(newcred);
530 return (error);
531 }
532
533 /*
534 * Copy credentials so other references do not see our changes.
535 */
536 crcopy(newcred, oldcred);
537#ifdef _POSIX_SAVED_IDS
538 /*
539 * Do we have "appropriate privileges" (are we root or uid == euid)
540 * If so, we are changing the real uid and/or saved uid.
541 */
542 if (
543#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
544 uid == oldcred->cr_uid ||
545#endif
546 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
547#endif
548 {
549 /*
550 * Set the real uid and transfer proc count to new user.
551 */
552 if (uid != oldcred->cr_ruid) {
553 change_ruid(newcred, uip);
554 setsugid(p);
555 }
556 /*
557 * Set saved uid
558 *
559 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
560 * the security of seteuid() depends on it. B.4.2.2 says it
561 * is important that we should do this.
562 */
563 if (uid != oldcred->cr_svuid) {
564 change_svuid(newcred, uid);
565 setsugid(p);
566 }
567 }
568
569 /*
570 * In all permitted cases, we are changing the euid.
571 */
572 if (uid != oldcred->cr_uid) {
573 change_euid(newcred, uip);
574 setsugid(p);
575 }
576 p->p_ucred = newcred;
577 PROC_UNLOCK(p);
578 uifree(uip);
579 crfree(oldcred);
580 return (0);
581}
582
583#ifndef _SYS_SYSPROTO_H_
584struct seteuid_args {
585 uid_t euid;
586};
587#endif
588/*
589 * MPSAFE
590 */
591/* ARGSUSED */
592int
593seteuid(struct thread *td, struct seteuid_args *uap)
594{
595 struct proc *p = td->td_proc;
596 struct ucred *newcred, *oldcred;
597 uid_t euid;
598 struct uidinfo *euip;
599 int error;
600
601 euid = uap->euid;
602 newcred = crget();
603 euip = uifind(euid);
604 PROC_LOCK(p);
605 oldcred = p->p_ucred;
606 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
607 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
608 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
609 PROC_UNLOCK(p);
610 uifree(euip);
611 crfree(newcred);
612 return (error);
613 }
614 /*
615 * Everything's okay, do it. Copy credentials so other references do
616 * not see our changes.
617 */
618 crcopy(newcred, oldcred);
619 if (oldcred->cr_uid != euid) {
620 change_euid(newcred, euip);
621 setsugid(p);
622 }
623 p->p_ucred = newcred;
624 PROC_UNLOCK(p);
625 uifree(euip);
626 crfree(oldcred);
627 return (0);
628}
629
630#ifndef _SYS_SYSPROTO_H_
631struct setgid_args {
632 gid_t gid;
633};
634#endif
635/*
636 * MPSAFE
637 */
638/* ARGSUSED */
639int
640setgid(struct thread *td, struct setgid_args *uap)
641{
642 struct proc *p = td->td_proc;
643 struct ucred *newcred, *oldcred;
644 gid_t gid;
645 int error;
646
647 gid = uap->gid;
648 newcred = crget();
649 PROC_LOCK(p);
650 oldcred = p->p_ucred;
651
652 /*
653 * See if we have "permission" by POSIX 1003.1 rules.
654 *
655 * Note that setgid(getegid()) is a special case of
656 * "appropriate privileges" in appendix B.4.2.2. We need
657 * to use this clause to be compatible with traditional BSD
658 * semantics. Basically, it means that "setgid(xx)" sets all
659 * three id's (assuming you have privs).
660 *
661 * For notes on the logic here, see setuid() above.
662 */
663 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
664#ifdef _POSIX_SAVED_IDS
665 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
666#endif
667#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
668 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
669#endif
670 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
671 PROC_UNLOCK(p);
672 crfree(newcred);
673 return (error);
674 }
675
676 crcopy(newcred, oldcred);
677#ifdef _POSIX_SAVED_IDS
678 /*
679 * Do we have "appropriate privileges" (are we root or gid == egid)
680 * If so, we are changing the real uid and saved gid.
681 */
682 if (
683#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
684 gid == oldcred->cr_groups[0] ||
685#endif
686 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */
687#endif
688 {
689 /*
690 * Set real gid
691 */
692 if (oldcred->cr_rgid != gid) {
693 change_rgid(newcred, gid);
694 setsugid(p);
695 }
696 /*
697 * Set saved gid
698 *
699 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
700 * the security of setegid() depends on it. B.4.2.2 says it
701 * is important that we should do this.
702 */
703 if (oldcred->cr_svgid != gid) {
704 change_svgid(newcred, gid);
705 setsugid(p);
706 }
707 }
708 /*
709 * In all cases permitted cases, we are changing the egid.
710 * Copy credentials so other references do not see our changes.
711 */
712 if (oldcred->cr_groups[0] != gid) {
713 change_egid(newcred, gid);
714 setsugid(p);
715 }
716 p->p_ucred = newcred;
717 PROC_UNLOCK(p);
718 crfree(oldcred);
719 return (0);
720}
721
722#ifndef _SYS_SYSPROTO_H_
723struct setegid_args {
724 gid_t egid;
725};
726#endif
727/*
728 * MPSAFE
729 */
730/* ARGSUSED */
731int
732setegid(struct thread *td, struct setegid_args *uap)
733{
734 struct proc *p = td->td_proc;
735 struct ucred *newcred, *oldcred;
736 gid_t egid;
737 int error;
738
739 egid = uap->egid;
740 newcred = crget();
741 PROC_LOCK(p);
742 oldcred = p->p_ucred;
743 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
744 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
745 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
746 PROC_UNLOCK(p);
747 crfree(newcred);
748 return (error);
749 }
750 crcopy(newcred, oldcred);
751 if (oldcred->cr_groups[0] != egid) {
752 change_egid(newcred, egid);
753 setsugid(p);
754 }
755 p->p_ucred = newcred;
756 PROC_UNLOCK(p);
757 crfree(oldcred);
758 return (0);
759}
760
761#ifndef _SYS_SYSPROTO_H_
762struct setgroups_args {
763 u_int gidsetsize;
764 gid_t *gidset;
765};
766#endif
767/*
768 * MPSAFE
769 */
770/* ARGSUSED */
771int
772setgroups(struct thread *td, struct setgroups_args *uap)
773{
774 struct proc *p = td->td_proc;
775 struct ucred *newcred, *tempcred, *oldcred;
776 u_int ngrp;
777 int error;
778
779 ngrp = uap->gidsetsize;
780 if (ngrp > NGROUPS)
781 return (EINVAL);
782 tempcred = crget();
783 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
784 if (error != 0) {
785 crfree(tempcred);
786 return (error);
787 }
788 newcred = crget();
789 PROC_LOCK(p);
790 oldcred = p->p_ucred;
791 error = suser_cred(oldcred, PRISON_ROOT);
792 if (error) {
793 PROC_UNLOCK(p);
794 crfree(newcred);
795 crfree(tempcred);
796 return (error);
797 }
798
799 /*
800 * XXX A little bit lazy here. We could test if anything has
801 * changed before crcopy() and setting P_SUGID.
802 */
803 crcopy(newcred, oldcred);
804 if (ngrp < 1) {
805 /*
806 * setgroups(0, NULL) is a legitimate way of clearing the
807 * groups vector on non-BSD systems (which generally do not
808 * have the egid in the groups[0]). We risk security holes
809 * when running non-BSD software if we do not do the same.
810 */
811 newcred->cr_ngroups = 1;
812 } else {
813 bcopy(tempcred->cr_groups, newcred->cr_groups,
814 ngrp * sizeof(gid_t));
815 newcred->cr_ngroups = ngrp;
816 }
817 setsugid(p);
818 p->p_ucred = newcred;
819 PROC_UNLOCK(p);
820 crfree(tempcred);
821 crfree(oldcred);
822 return (0);
823}
824
825#ifndef _SYS_SYSPROTO_H_
826struct setreuid_args {
827 uid_t ruid;
828 uid_t euid;
829};
830#endif
831/*
832 * MPSAFE
833 */
834/* ARGSUSED */
835int
836setreuid(register struct thread *td, struct setreuid_args *uap)
837{
838 struct proc *p = td->td_proc;
839 struct ucred *newcred, *oldcred;
840 uid_t euid, ruid;
841 struct uidinfo *euip, *ruip;
842 int error;
843
844 euid = uap->euid;
845 ruid = uap->ruid;
846 newcred = crget();
847 euip = uifind(euid);
848 ruip = uifind(ruid);
849 PROC_LOCK(p);
850 oldcred = p->p_ucred;
851 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
852 ruid != oldcred->cr_svuid) ||
853 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
854 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
855 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
856 PROC_UNLOCK(p);
857 uifree(ruip);
858 uifree(euip);
859 crfree(newcred);
860 return (error);
861 }
862 crcopy(newcred, oldcred);
863 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
864 change_euid(newcred, euip);
865 setsugid(p);
866 }
867 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
868 change_ruid(newcred, ruip);
869 setsugid(p);
870 }
871 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
872 newcred->cr_svuid != newcred->cr_uid) {
873 change_svuid(newcred, newcred->cr_uid);
874 setsugid(p);
875 }
876 p->p_ucred = newcred;
877 PROC_UNLOCK(p);
878 uifree(ruip);
879 uifree(euip);
880 crfree(oldcred);
881 return (0);
882}
883
884#ifndef _SYS_SYSPROTO_H_
885struct setregid_args {
886 gid_t rgid;
887 gid_t egid;
888};
889#endif
890/*
891 * MPSAFE
892 */
893/* ARGSUSED */
894int
895setregid(register struct thread *td, struct setregid_args *uap)
896{
897 struct proc *p = td->td_proc;
898 struct ucred *newcred, *oldcred;
899 gid_t egid, rgid;
900 int error;
901
902 egid = uap->egid;
903 rgid = uap->rgid;
904 newcred = crget();
905 PROC_LOCK(p);
906 oldcred = p->p_ucred;
907 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
908 rgid != oldcred->cr_svgid) ||
909 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
910 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
911 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
912 PROC_UNLOCK(p);
913 crfree(newcred);
914 return (error);
915 }
916
917 crcopy(newcred, oldcred);
918 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
919 change_egid(newcred, egid);
920 setsugid(p);
921 }
922 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
923 change_rgid(newcred, rgid);
924 setsugid(p);
925 }
926 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
927 newcred->cr_svgid != newcred->cr_groups[0]) {
928 change_svgid(newcred, newcred->cr_groups[0]);
929 setsugid(p);
930 }
931 p->p_ucred = newcred;
932 PROC_UNLOCK(p);
933 crfree(oldcred);
934 return (0);
935}
936
937/*
938 * setresuid(ruid, euid, suid) is like setreuid except control over the
939 * saved uid is explicit.
940 */
941
942#ifndef _SYS_SYSPROTO_H_
943struct setresuid_args {
944 uid_t ruid;
945 uid_t euid;
946 uid_t suid;
947};
948#endif
949/*
950 * MPSAFE
951 */
952/* ARGSUSED */
953int
954setresuid(register struct thread *td, struct setresuid_args *uap)
955{
956 struct proc *p = td->td_proc;
957 struct ucred *newcred, *oldcred;
958 uid_t euid, ruid, suid;
959 struct uidinfo *euip, *ruip;
960 int error;
961
962 euid = uap->euid;
963 ruid = uap->ruid;
964 suid = uap->suid;
965 newcred = crget();
966 euip = uifind(euid);
967 ruip = uifind(ruid);
968 PROC_LOCK(p);
969 oldcred = p->p_ucred;
970 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
971 ruid != oldcred->cr_svuid &&
972 ruid != oldcred->cr_uid) ||
973 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
974 euid != oldcred->cr_svuid &&
975 euid != oldcred->cr_uid) ||
976 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
977 suid != oldcred->cr_svuid &&
978 suid != oldcred->cr_uid)) &&
979 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
980 PROC_UNLOCK(p);
981 uifree(ruip);
982 uifree(euip);
983 crfree(newcred);
984 return (error);
985 }
986
987 crcopy(newcred, oldcred);
988 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
989 change_euid(newcred, euip);
990 setsugid(p);
991 }
992 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
993 change_ruid(newcred, ruip);
994 setsugid(p);
995 }
996 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
997 change_svuid(newcred, suid);
998 setsugid(p);
999 }
1000 p->p_ucred = newcred;
1001 PROC_UNLOCK(p);
1002 uifree(ruip);
1003 uifree(euip);
1004 crfree(oldcred);
1005 return (0);
1006}
1007
1008/*
1009 * setresgid(rgid, egid, sgid) is like setregid except control over the
1010 * saved gid is explicit.
1011 */
1012
1013#ifndef _SYS_SYSPROTO_H_
1014struct setresgid_args {
1015 gid_t rgid;
1016 gid_t egid;
1017 gid_t sgid;
1018};
1019#endif
1020/*
1021 * MPSAFE
1022 */
1023/* ARGSUSED */
1024int
1025setresgid(register struct thread *td, struct setresgid_args *uap)
1026{
1027 struct proc *p = td->td_proc;
1028 struct ucred *newcred, *oldcred;
1029 gid_t egid, rgid, sgid;
1030 int error;
1031
1032 egid = uap->egid;
1033 rgid = uap->rgid;
1034 sgid = uap->sgid;
1035 newcred = crget();
1036 PROC_LOCK(p);
1037 oldcred = p->p_ucred;
1038 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1039 rgid != oldcred->cr_svgid &&
1040 rgid != oldcred->cr_groups[0]) ||
1041 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1042 egid != oldcred->cr_svgid &&
1043 egid != oldcred->cr_groups[0]) ||
1044 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1045 sgid != oldcred->cr_svgid &&
1046 sgid != oldcred->cr_groups[0])) &&
1047 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) {
1048 PROC_UNLOCK(p);
1049 crfree(newcred);
1050 return (error);
1051 }
1052
1053 crcopy(newcred, oldcred);
1054 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1055 change_egid(newcred, egid);
1056 setsugid(p);
1057 }
1058 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1059 change_rgid(newcred, rgid);
1060 setsugid(p);
1061 }
1062 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1063 change_svgid(newcred, sgid);
1064 setsugid(p);
1065 }
1066 p->p_ucred = newcred;
1067 PROC_UNLOCK(p);
1068 crfree(oldcred);
1069 return (0);
1070}
1071
1072#ifndef _SYS_SYSPROTO_H_
1073struct getresuid_args {
1074 uid_t *ruid;
1075 uid_t *euid;
1076 uid_t *suid;
1077};
1078#endif
1079/*
1080 * MPSAFE
1081 */
1082/* ARGSUSED */
1083int
1084getresuid(register struct thread *td, struct getresuid_args *uap)
1085{
1086 struct ucred *cred;
1087 int error1 = 0, error2 = 0, error3 = 0;
1088
1089 cred = td->td_ucred;
1090 if (uap->ruid)
1091 error1 = copyout(&cred->cr_ruid,
1092 uap->ruid, sizeof(cred->cr_ruid));
1093 if (uap->euid)
1094 error2 = copyout(&cred->cr_uid,
1095 uap->euid, sizeof(cred->cr_uid));
1096 if (uap->suid)
1097 error3 = copyout(&cred->cr_svuid,
1098 uap->suid, sizeof(cred->cr_svuid));
1099 return (error1 ? error1 : error2 ? error2 : error3);
1100}
1101
1102#ifndef _SYS_SYSPROTO_H_
1103struct getresgid_args {
1104 gid_t *rgid;
1105 gid_t *egid;
1106 gid_t *sgid;
1107};
1108#endif
1109/*
1110 * MPSAFE
1111 */
1112/* ARGSUSED */
1113int
1114getresgid(register struct thread *td, struct getresgid_args *uap)
1115{
1116 struct ucred *cred;
1117 int error1 = 0, error2 = 0, error3 = 0;
1118
1119 cred = td->td_ucred;
1120 if (uap->rgid)
1121 error1 = copyout(&cred->cr_rgid,
1122 uap->rgid, sizeof(cred->cr_rgid));
1123 if (uap->egid)
1124 error2 = copyout(&cred->cr_groups[0],
1125 uap->egid, sizeof(cred->cr_groups[0]));
1126 if (uap->sgid)
1127 error3 = copyout(&cred->cr_svgid,
1128 uap->sgid, sizeof(cred->cr_svgid));
1129 return (error1 ? error1 : error2 ? error2 : error3);
1130}
1131
1132#ifndef _SYS_SYSPROTO_H_
1133struct issetugid_args {
1134 int dummy;
1135};
1136#endif
1137/*
1138 * MPSAFE
1139 */
1140/* ARGSUSED */
1141int
1142issetugid(register struct thread *td, struct issetugid_args *uap)
1143{
1144 struct proc *p = td->td_proc;
1145
1146 /*
1147 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1148 * we use P_SUGID because we consider changing the owners as
1149 * "tainting" as well.
1150 * This is significant for procs that start as root and "become"
1151 * a user without an exec - programs cannot know *everything*
1152 * that libc *might* have put in their data segment.
1153 */
1154 PROC_LOCK(p);
1155 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1156 PROC_UNLOCK(p);
1157 return (0);
1158}
1159
1160/*
1161 * MPSAFE
1162 */
1163int
1164__setugid(struct thread *td, struct __setugid_args *uap)
1165{
1166#ifdef REGRESSION
1167 struct proc *p;
1168
1169 p = td->td_proc;
1170 switch (uap->flag) {
1171 case 0:
1172 PROC_LOCK(p);
1173 p->p_flag &= ~P_SUGID;
1174 PROC_UNLOCK(p);
1175 return (0);
1176 case 1:
1177 PROC_LOCK(p);
1178 p->p_flag |= P_SUGID;
1179 PROC_UNLOCK(p);
1180 return (0);
1181 default:
1182 return (EINVAL);
1183 }
1184#else /* !REGRESSION */
1185
1186 return (ENOSYS);
1187#endif /* REGRESSION */
1188}
1189
1190/*
1191 * Check if gid is a member of the group set.
1192 *
1193 * MPSAFE (cred must be held)
1194 */
1195int
1196groupmember(gid_t gid, struct ucred *cred)
1197{
1198 register gid_t *gp;
1199 gid_t *egp;
1200
1201 egp = &(cred->cr_groups[cred->cr_ngroups]);
1202 for (gp = cred->cr_groups; gp < egp; gp++)
1203 if (*gp == gid)
1204 return (1);
1205 return (0);
1206}
1207
1208/*
1209 * `suser_enabled' (which can be set by the security.suser_enabled
1210 * sysctl) determines whether the system 'super-user' policy is in effect.
1211 * If it is nonzero, an effective uid of 0 connotes special privilege,
1212 * overriding many mandatory and discretionary protections. If it is zero,
1213 * uid 0 is offered no special privilege in the kernel security policy.
1214 * Setting it to zero may seriously impact the functionality of many
1215 * existing userland programs, and should not be done without careful
1216 * consideration of the consequences.
1217 */
1218int suser_enabled = 1;
1219SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1220 &suser_enabled, 0, "processes with uid 0 have privilege");
1221TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1222
1223/*
1224 * Test whether the specified credentials imply "super-user" privilege.
1225 * Return 0 or EPERM. The flag argument is currently used only to
1226 * specify jail interaction.
1227 */
1228int
1229suser_cred(struct ucred *cred, int flag)
1230{
1231
1232 if (!suser_enabled)
1233 return (EPERM);
1234 if (cred->cr_uid != 0)
1235 return (EPERM);
1236 if (jailed(cred) && !(flag & PRISON_ROOT))
1237 return (EPERM);
1238 return (0);
1239}
1240
1241/*
1242 * Shortcut to hide contents of struct td and struct proc from the
1243 * caller, promoting binary compatibility.
1244 */
1245int
1246suser(struct thread *td)
1247{
1248
1249 return (suser_cred(td->td_ucred, 0));
1250}
1251
1252/*
1253 * Test the active securelevel against a given level. securelevel_gt()
1254 * implements (securelevel > level). securelevel_ge() implements
1255 * (securelevel >= level). Note that the logic is inverted -- these
1256 * functions return EPERM on "success" and 0 on "failure".
1257 *
1258 * MPSAFE
1259 */
1260int
1261securelevel_gt(struct ucred *cr, int level)
1262{
1263 int active_securelevel;
1264
1265 active_securelevel = securelevel;
1266 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1267 if (cr->cr_prison != NULL) {
1268 mtx_lock(&cr->cr_prison->pr_mtx);
1269 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1270 active_securelevel);
1271 mtx_unlock(&cr->cr_prison->pr_mtx);
1272 }
1273 return (active_securelevel > level ? EPERM : 0);
1274}
1275
1276int
1277securelevel_ge(struct ucred *cr, int level)
1278{
1279 int active_securelevel;
1280
1281 active_securelevel = securelevel;
1282 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1283 if (cr->cr_prison != NULL) {
1284 mtx_lock(&cr->cr_prison->pr_mtx);
1285 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1286 active_securelevel);
1287 mtx_unlock(&cr->cr_prison->pr_mtx);
1288 }
1289 return (active_securelevel >= level ? EPERM : 0);
1290}
1291
1292/*
1293 * 'see_other_uids' determines whether or not visibility of processes
1294 * and sockets with credentials holding different real uids is possible
1295 * using a variety of system MIBs.
1296 * XXX: data declarations should be together near the beginning of the file.
1297 */
1298static int see_other_uids = 1;
1299SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1300 &see_other_uids, 0,
1301 "Unprivileged processes may see subjects/objects with different real uid");
1302
1303/*-
1304 * Determine if u1 "can see" the subject specified by u2, according to the
1305 * 'see_other_uids' policy.
1306 * Returns: 0 for permitted, ESRCH otherwise
1307 * Locks: none
1308 * References: *u1 and *u2 must not change during the call
1309 * u1 may equal u2, in which case only one reference is required
1310 */
1311static int
1312cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1313{
1314
1315 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1316 if (suser_cred(u1, PRISON_ROOT) != 0)
1317 return (ESRCH);
1318 }
1319 return (0);
1320}
1321
1322/*
1323 * 'see_other_gids' determines whether or not visibility of processes
1324 * and sockets with credentials holding different real gids is possible
1325 * using a variety of system MIBs.
1326 * XXX: data declarations should be together near the beginning of the file.
1327 */
1328static int see_other_gids = 1;
1329SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1330 &see_other_gids, 0,
1331 "Unprivileged processes may see subjects/objects with different real gid");
1332
1333/*
1334 * Determine if u1 can "see" the subject specified by u2, according to the
1335 * 'see_other_gids' policy.
1336 * Returns: 0 for permitted, ESRCH otherwise
1337 * Locks: none
1338 * References: *u1 and *u2 must not change during the call
1339 * u1 may equal u2, in which case only one reference is required
1340 */
1341static int
1342cr_seeothergids(struct ucred *u1, struct ucred *u2)
1343{
1344 int i, match;
1345
1346 if (!see_other_gids) {
1347 match = 0;
1348 for (i = 0; i < u1->cr_ngroups; i++) {
1349 if (groupmember(u1->cr_groups[i], u2))
1350 match = 1;
1351 if (match)
1352 break;
1353 }
1354 if (!match) {
1355 if (suser_cred(u1, PRISON_ROOT) != 0)
1356 return (ESRCH);
1357 }
1358 }
1359 return (0);
1360}
1361
1362/*-
1363 * Determine if u1 "can see" the subject specified by u2.
1364 * Returns: 0 for permitted, an errno value otherwise
1365 * Locks: none
1366 * References: *u1 and *u2 must not change during the call
1367 * u1 may equal u2, in which case only one reference is required
1368 */
1369int
1370cr_cansee(struct ucred *u1, struct ucred *u2)
1371{
1372 int error;
1373
1374 if ((error = prison_check(u1, u2)))
1375 return (error);
1376#ifdef MAC
1377 if ((error = mac_check_cred_visible(u1, u2)))
1378 return (error);
1379#endif
1380 if ((error = cr_seeotheruids(u1, u2)))
1381 return (error);
1382 if ((error = cr_seeothergids(u1, u2)))
1383 return (error);
1384 return (0);
1385}
1386
1387/*-
1388 * Determine if td "can see" the subject specified by p.
1389 * Returns: 0 for permitted, an errno value otherwise
1390 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1391 * should be curthread.
1392 * References: td and p must be valid for the lifetime of the call
1393 */
1394int
1395p_cansee(struct thread *td, struct proc *p)
1396{
1397
1398 /* Wrap cr_cansee() for all functionality. */
1399 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1400 PROC_LOCK_ASSERT(p, MA_OWNED);
1401 return (cr_cansee(td->td_ucred, p->p_ucred));
1402}
1403
1404/*
1405 * 'conservative_signals' prevents the delivery of a broad class of
1406 * signals by unprivileged processes to processes that have changed their
1407 * credentials since the last invocation of execve(). This can prevent
1408 * the leakage of cached information or retained privileges as a result
1409 * of a common class of signal-related vulnerabilities. However, this
1410 * may interfere with some applications that expect to be able to
1411 * deliver these signals to peer processes after having given up
1412 * privilege.
1413 */
1414static int conservative_signals = 1;
1415SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1416 &conservative_signals, 0, "Unprivileged processes prevented from "
1417 "sending certain signals to processes whose credentials have changed");
1418/*-
1419 * Determine whether cred may deliver the specified signal to proc.
1420 * Returns: 0 for permitted, an errno value otherwise.
1421 * Locks: A lock must be held for proc.
1422 * References: cred and proc must be valid for the lifetime of the call.
1423 */
1424int
1425cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1426{
1427 int error;
1428
1429 PROC_LOCK_ASSERT(proc, MA_OWNED);
1430 /*
1431 * Jail semantics limit the scope of signalling to proc in the
1432 * same jail as cred, if cred is in jail.
1433 */
1434 error = prison_check(cred, proc->p_ucred);
1435 if (error)
1436 return (error);
1437#ifdef MAC
1438 if ((error = mac_check_proc_signal(cred, proc, signum)))
1439 return (error);
1440#endif
1441 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1442 return (error);
1443 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1444 return (error);
1445
1446 /*
1447 * UNIX signal semantics depend on the status of the P_SUGID
1448 * bit on the target process. If the bit is set, then additional
1449 * restrictions are placed on the set of available signals.
1450 */
1451 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1452 switch (signum) {
1453 case 0:
1454 case SIGKILL:
1455 case SIGINT:
1456 case SIGTERM:
1457 case SIGALRM:
1458 case SIGSTOP:
1459 case SIGTTIN:
1460 case SIGTTOU:
1461 case SIGTSTP:
1462 case SIGHUP:
1463 case SIGUSR1:
1464 case SIGUSR2:
1465 /*
1466 * Generally, permit job and terminal control
1467 * signals.
1468 */
1469 break;
1470 default:
1471 /* Not permitted without privilege. */
1472 error = suser_cred(cred, PRISON_ROOT);
1473 if (error)
1474 return (error);
1475 }
1476 }
1477
1478 /*
1479 * Generally, the target credential's ruid or svuid must match the
1480 * subject credential's ruid or euid.
1481 */
1482 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1483 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1484 cred->cr_uid != proc->p_ucred->cr_ruid &&
1485 cred->cr_uid != proc->p_ucred->cr_svuid) {
1486 /* Not permitted without privilege. */
1487 error = suser_cred(cred, PRISON_ROOT);
1488 if (error)
1489 return (error);
1490 }
1491
1492 return (0);
1493}
1494
1495
1496/*-
1497 * Determine whether td may deliver the specified signal to p.
1498 * Returns: 0 for permitted, an errno value otherwise
1499 * Locks: Sufficient locks to protect various components of td and p
1500 * must be held. td must be curthread, and a lock must be
1501 * held for p.
1502 * References: td and p must be valid for the lifetime of the call
1503 */
1504int
1505p_cansignal(struct thread *td, struct proc *p, int signum)
1506{
1507
1508 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1509 PROC_LOCK_ASSERT(p, MA_OWNED);
1510 if (td->td_proc == p)
1511 return (0);
1512
1513 /*
1514 * UNIX signalling semantics require that processes in the same
1515 * session always be able to deliver SIGCONT to one another,
1516 * overriding the remaining protections.
1517 */
1518 /* XXX: This will require an additional lock of some sort. */
1519 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1520 return (0);
1521
1522 return (cr_cansignal(td->td_ucred, p, signum));
1523}
1524
1525/*-
1526 * Determine whether td may reschedule p.
1527 * Returns: 0 for permitted, an errno value otherwise
1528 * Locks: Sufficient locks to protect various components of td and p
1529 * must be held. td must be curthread, and a lock must
1530 * be held for p.
1531 * References: td and p must be valid for the lifetime of the call
1532 */
1533int
1534p_cansched(struct thread *td, struct proc *p)
1535{
1536 int error;
1537
1538 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1539 PROC_LOCK_ASSERT(p, MA_OWNED);
1540 if (td->td_proc == p)
1541 return (0);
1542 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1543 return (error);
1544#ifdef MAC
1545 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1546 return (error);
1547#endif
1548 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1549 return (error);
1550 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1551 return (error);
1552 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1553 return (0);
1554 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1555 return (0);
1556 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0)
1557 return (0);
1558
1559#ifdef CAPABILITIES
1560 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT))
1561 return (0);
1562#endif
1563
1564 return (EPERM);
1565}
1566
1567/*
1568 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1569 * unprivileged inter-process debugging services, including some procfs
1570 * functionality, ptrace(), and ktrace(). In the past, inter-process
1571 * debugging has been involved in a variety of security problems, and sites
1572 * not requiring the service might choose to disable it when hardening
1573 * systems.
1574 *
1575 * XXX: Should modifying and reading this variable require locking?
1576 * XXX: data declarations should be together near the beginning of the file.
1577 */
1578static int unprivileged_proc_debug = 1;
1579SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1580 &unprivileged_proc_debug, 0,
1581 "Unprivileged processes may use process debugging facilities");
1582
1583/*-
1584 * Determine whether td may debug p.
1585 * Returns: 0 for permitted, an errno value otherwise
1586 * Locks: Sufficient locks to protect various components of td and p
1587 * must be held. td must be curthread, and a lock must
1588 * be held for p.
1589 * References: td and p must be valid for the lifetime of the call
1590 */
1591int
1592p_candebug(struct thread *td, struct proc *p)
1593{
1594 int credentialchanged, error, grpsubset, i, uidsubset;
1595
1596 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1597 PROC_LOCK_ASSERT(p, MA_OWNED);
1598 if (!unprivileged_proc_debug) {
1599 error = suser_cred(td->td_ucred, PRISON_ROOT);
1600 if (error)
1601 return (error);
1602 }
1603 if (td->td_proc == p)
1604 return (0);
1605 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1606 return (error);
1607#ifdef MAC
1608 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1609 return (error);
1610#endif
1611 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1612 return (error);
1613 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1614 return (error);
1615
1616 /*
1617 * Is p's group set a subset of td's effective group set? This
1618 * includes p's egid, group access list, rgid, and svgid.
1619 */
1620 grpsubset = 1;
1621 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1622 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1623 grpsubset = 0;
1624 break;
1625 }
1626 }
1627 grpsubset = grpsubset &&
1628 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1629 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1630
1631 /*
1632 * Are the uids present in p's credential equal to td's
1633 * effective uid? This includes p's euid, svuid, and ruid.
1634 */
1635 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1636 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1637 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1638
1639 /*
1640 * Has the credential of the process changed since the last exec()?
1641 */
1642 credentialchanged = (p->p_flag & P_SUGID);
1643
1644 /*
1645 * If p's gids aren't a subset, or the uids aren't a subset,
1646 * or the credential has changed, require appropriate privilege
1647 * for td to debug p. For POSIX.1e capabilities, this will
1648 * require CAP_SYS_PTRACE.
1649 */
1650 if (!grpsubset || !uidsubset || credentialchanged) {
1651 error = suser_cred(td->td_ucred, PRISON_ROOT);
1652 if (error)
1653 return (error);
1654 }
1655
1656 /* Can't trace init when securelevel > 0. */
1657 if (p == initproc) {
1658 error = securelevel_gt(td->td_ucred, 0);
1659 if (error)
1660 return (error);
1661 }
1662
1663 /*
1664 * Can't trace a process that's currently exec'ing.
1665 * XXX: Note, this is not a security policy decision, it's a
1666 * basic correctness/functionality decision. Therefore, this check
1667 * should be moved to the caller's of p_candebug().
1668 */
1669 if ((p->p_flag & P_INEXEC) != 0)
1670 return (EAGAIN);
1671
1672 return (0);
1673}
1674
1675/*-
1676 * Determine whether the subject represented by cred can "see" a socket.
1677 * Returns: 0 for permitted, ENOENT otherwise.
1678 */
1679int
1680cr_canseesocket(struct ucred *cred, struct socket *so)
1681{
1682 int error;
1683
1684 error = prison_check(cred, so->so_cred);
1685 if (error)
1686 return (ENOENT);
1687#ifdef MAC
1688 error = mac_check_socket_visible(cred, so);
1689 if (error)
1690 return (error);
1691#endif
1692 if (cr_seeotheruids(cred, so->so_cred))
1693 return (ENOENT);
1694 if (cr_seeothergids(cred, so->so_cred))
1695 return (ENOENT);
1696
1697 return (0);
1698}
1699
1700/*
1701 * Allocate a zeroed cred structure.
1702 * MPSAFE
1703 */
1704struct ucred *
1705crget(void)
1706{
1707 register struct ucred *cr;
1708
1709 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1710 cr->cr_ref = 1;
1711 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
1712#ifdef MAC
1713 mac_init_cred(cr);
1714#endif
1715 return (cr);
1716}
1717
1718/*
1719 * Claim another reference to a ucred structure.
1720 * MPSAFE
1721 */
1722struct ucred *
1723crhold(struct ucred *cr)
1724{
1725
1726 mtx_lock(cr->cr_mtxp);
1727 cr->cr_ref++;
1728 mtx_unlock(cr->cr_mtxp);
1729 return (cr);
1730}
1731
1732/*
1733 * Free a cred structure.
1734 * Throws away space when ref count gets to 0.
1735 * MPSAFE
1736 */
1737void
1738crfree(struct ucred *cr)
1739{
1740 struct mtx *mtxp = cr->cr_mtxp;
1741
1742 mtx_lock(mtxp);
1743 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1744 if (--cr->cr_ref == 0) {
1745 mtx_unlock(mtxp);
1746 /*
1747 * Some callers of crget(), such as nfs_statfs(),
1748 * allocate a temporary credential, but don't
1749 * allocate a uidinfo structure.
1750 */
1751 if (cr->cr_uidinfo != NULL)
1752 uifree(cr->cr_uidinfo);
1753 if (cr->cr_ruidinfo != NULL)
1754 uifree(cr->cr_ruidinfo);
1755 /*
1756 * Free a prison, if any.
1757 */
1758 if (jailed(cr))
1759 prison_free(cr->cr_prison);
1760#ifdef MAC
1761 mac_destroy_cred(cr);
1762#endif
1763 FREE(cr, M_CRED);
1764 } else {
1765 mtx_unlock(mtxp);
1766 }
1767}
1768
1769/*
1770 * Check to see if this ucred is shared.
1771 * MPSAFE
1772 */
1773int
1774crshared(struct ucred *cr)
1775{
1776 int shared;
1777
1778 mtx_lock(cr->cr_mtxp);
1779 shared = (cr->cr_ref > 1);
1780 mtx_unlock(cr->cr_mtxp);
1781 return (shared);
1782}
1783
1784/*
1785 * Copy a ucred's contents from a template. Does not block.
1786 * MPSAFE
1787 */
1788void
1789crcopy(struct ucred *dest, struct ucred *src)
1790{
1791
1792 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1793 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1794 (unsigned)((caddr_t)&src->cr_endcopy -
1795 (caddr_t)&src->cr_startcopy));
1796 uihold(dest->cr_uidinfo);
1797 uihold(dest->cr_ruidinfo);
1798 if (jailed(dest))
1799 prison_hold(dest->cr_prison);
1800#ifdef MAC
1801 mac_copy_cred(src, dest);
1802#endif
1803}
1804
1805/*
1806 * Dup cred struct to a new held one.
1807 * MPSAFE
1808 */
1809struct ucred *
1810crdup(struct ucred *cr)
1811{
1812 struct ucred *newcr;
1813
1814 newcr = crget();
1815 crcopy(newcr, cr);
1816 return (newcr);
1817}
1818
1819#ifdef DIAGNOSTIC
1820void
1821cred_free_thread(struct thread *td)
1822{
1823 struct ucred *cred;
1824
1825 cred = td->td_ucred;
1826 td->td_ucred = NULL;
1827 if (cred != NULL)
1828 crfree(cred);
1829}
1830#endif
1831
1832/*
1833 * Fill in a struct xucred based on a struct ucred.
1834 * MPSAFE
1835 */
1836void
1837cru2x(struct ucred *cr, struct xucred *xcr)
1838{
1839
1840 bzero(xcr, sizeof(*xcr));
1841 xcr->cr_version = XUCRED_VERSION;
1842 xcr->cr_uid = cr->cr_uid;
1843 xcr->cr_ngroups = cr->cr_ngroups;
1844 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1845}
1846
1847/*
1848 * small routine to swap a thread's current ucred for the correct one
1849 * taken from the process.
1850 * MPSAFE
1851 */
1852void
1853cred_update_thread(struct thread *td)
1854{
1855 struct proc *p;
1856 struct ucred *cred;
1857
1858 p = td->td_proc;
1859 cred = td->td_ucred;
1860 PROC_LOCK(p);
1861 td->td_ucred = crhold(p->p_ucred);
1862 PROC_UNLOCK(p);
1863 if (cred != NULL)
1864 crfree(cred);
1865}
1866
1867/*
1868 * Get login name, if available.
1869 */
1870#ifndef _SYS_SYSPROTO_H_
1871struct getlogin_args {
1872 char *namebuf;
1873 u_int namelen;
1874};
1875#endif
1876/*
1877 * MPSAFE
1878 */
1879/* ARGSUSED */
1880int
1881getlogin(struct thread *td, struct getlogin_args *uap)
1882{
1883 int error;
1884 char login[MAXLOGNAME];
1885 struct proc *p = td->td_proc;
1886
1887 if (uap->namelen > MAXLOGNAME)
1888 uap->namelen = MAXLOGNAME;
1889 PROC_LOCK(p);
1890 SESS_LOCK(p->p_session);
1891 bcopy(p->p_session->s_login, login, uap->namelen);
1892 SESS_UNLOCK(p->p_session);
1893 PROC_UNLOCK(p);
1894 error = copyout(login, uap->namebuf, uap->namelen);
1895 return(error);
1896}
1897
1898/*
1899 * Set login name.
1900 */
1901#ifndef _SYS_SYSPROTO_H_
1902struct setlogin_args {
1903 char *namebuf;
1904};
1905#endif
1906/*
1907 * MPSAFE
1908 */
1909/* ARGSUSED */
1910int
1911setlogin(struct thread *td, struct setlogin_args *uap)
1912{
1913 struct proc *p = td->td_proc;
1914 int error;
1915 char logintmp[MAXLOGNAME];
1916
1917 error = suser_cred(td->td_ucred, PRISON_ROOT);
1918 if (error)
1919 return (error);
1920 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
1921 if (error == ENAMETOOLONG)
1922 error = EINVAL;
1923 else if (!error) {
1924 PROC_LOCK(p);
1925 SESS_LOCK(p->p_session);
1926 (void) memcpy(p->p_session->s_login, logintmp,
1927 sizeof(logintmp));
1928 SESS_UNLOCK(p->p_session);
1929 PROC_UNLOCK(p);
1930 }
1931 return (error);
1932}
1933
1934void
1935setsugid(struct proc *p)
1936{
1937
1938 PROC_LOCK_ASSERT(p, MA_OWNED);
1939 p->p_flag |= P_SUGID;
1940 if (!(p->p_pfsflags & PF_ISUGID))
1941 p->p_stops = 0;
1942}
1943
1944/*-
1945 * Change a process's effective uid.
1946 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1947 * References: newcred must be an exclusive credential reference for the
1948 * duration of the call.
1949 */
1950void
1951change_euid(struct ucred *newcred, struct uidinfo *euip)
1952{
1953
1954 newcred->cr_uid = euip->ui_uid;
1955 uihold(euip);
1956 uifree(newcred->cr_uidinfo);
1957 newcred->cr_uidinfo = euip;
1958}
1959
1960/*-
1961 * Change a process's effective gid.
1962 * Side effects: newcred->cr_gid will be modified.
1963 * References: newcred must be an exclusive credential reference for the
1964 * duration of the call.
1965 */
1966void
1967change_egid(struct ucred *newcred, gid_t egid)
1968{
1969
1970 newcred->cr_groups[0] = egid;
1971}
1972
1973/*-
1974 * Change a process's real uid.
1975 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1976 * will be updated, and the old and new cr_ruidinfo proc
1977 * counts will be updated.
1978 * References: newcred must be an exclusive credential reference for the
1979 * duration of the call.
1980 */
1981void
1982change_ruid(struct ucred *newcred, struct uidinfo *ruip)
1983{
1984
1985 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1986 newcred->cr_ruid = ruip->ui_uid;
1987 uihold(ruip);
1988 uifree(newcred->cr_ruidinfo);
1989 newcred->cr_ruidinfo = ruip;
1990 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1991}
1992
1993/*-
1994 * Change a process's real gid.
1995 * Side effects: newcred->cr_rgid will be updated.
1996 * References: newcred must be an exclusive credential reference for the
1997 * duration of the call.
1998 */
1999void
2000change_rgid(struct ucred *newcred, gid_t rgid)
2001{
2002
2003 newcred->cr_rgid = rgid;
2004}
2005
2006/*-
2007 * Change a process's saved uid.
2008 * Side effects: newcred->cr_svuid will be updated.
2009 * References: newcred must be an exclusive credential reference for the
2010 * duration of the call.
2011 */
2012void
2013change_svuid(struct ucred *newcred, uid_t svuid)
2014{
2015
2016 newcred->cr_svuid = svuid;
2017}
2018
2019/*-
2020 * Change a process's saved gid.
2021 * Side effects: newcred->cr_svgid will be updated.
2022 * References: newcred must be an exclusive credential reference for the
2023 * duration of the call.
2024 */
2025void
2026change_svgid(struct ucred *newcred, gid_t svgid)
2027{
2028
2029 newcred->cr_svgid = svgid;
2030}
|