1/*
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by the University of
22 * California, Berkeley and its contributors.
23 * 4. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
| 1/*
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by the University of
22 * California, Berkeley and its contributors.
23 * 4. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
|
40 * $FreeBSD: head/sys/kern/kern_prot.c 87220 2001-12-02 15:22:56Z rwatson $
| 40 * $FreeBSD: head/sys/kern/kern_prot.c 87275 2001-12-03 16:12:27Z rwatson $
|
41 */
42
43/*
44 * System calls related to processes and protection
45 */
46
47#include "opt_compat.h"
48#include "opt_global.h"
49
50#include <sys/param.h>
51#include <sys/systm.h>
52#include <sys/acct.h>
53#include <sys/kernel.h>
54#include <sys/lock.h>
55#include <sys/mutex.h>
56#include <sys/proc.h>
57#include <sys/sx.h>
58#include <sys/sysproto.h>
59#include <sys/jail.h>
60#include <sys/malloc.h>
61#include <sys/pioctl.h>
62#include <sys/resourcevar.h>
63#include <sys/sysctl.h>
64
65static MALLOC_DEFINE(M_CRED, "cred", "credentials");
66
67SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0,
68 "Kernel security policy");
69SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
70 "BSD security policy");
71
72#ifndef _SYS_SYSPROTO_H_
73struct getpid_args {
74 int dummy;
75};
76#endif
77/*
78 * MPSAFE
79 */
80/* ARGSUSED */
81int
82getpid(td, uap)
83 struct thread *td;
84 struct getpid_args *uap;
85{
86 struct proc *p = td->td_proc;
87 int s;
88
89 s = mtx_lock_giant(kern_giant_proc);
90 td->td_retval[0] = p->p_pid;
91#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
92 PROC_LOCK(p);
93 td->td_retval[1] = p->p_pptr->p_pid;
94 PROC_UNLOCK(p);
95#endif
96 mtx_unlock_giant(s);
97 return (0);
98}
99
100#ifndef _SYS_SYSPROTO_H_
101struct getppid_args {
102 int dummy;
103};
104#endif
105/*
106 * MPSAFE
107 */
108/* ARGSUSED */
109int
110getppid(td, uap)
111 struct thread *td;
112 struct getppid_args *uap;
113{
114 struct proc *p = td->td_proc;
115 int s;
116
117 s = mtx_lock_giant(kern_giant_proc);
118 PROC_LOCK(p);
119 td->td_retval[0] = p->p_pptr->p_pid;
120 PROC_UNLOCK(p);
121 mtx_unlock_giant(s);
122 return (0);
123}
124
125/*
126 * Get process group ID; note that POSIX getpgrp takes no parameter.
127 */
128#ifndef _SYS_SYSPROTO_H_
129struct getpgrp_args {
130 int dummy;
131};
132#endif
133/*
134 * MPSAFE
135 */
136int
137getpgrp(td, uap)
138 struct thread *td;
139 struct getpgrp_args *uap;
140{
141 struct proc *p = td->td_proc;
142
143 mtx_lock(&Giant);
144 td->td_retval[0] = p->p_pgrp->pg_id;
145 mtx_unlock(&Giant);
146 return (0);
147}
148
149/* Get an arbitary pid's process group id */
150#ifndef _SYS_SYSPROTO_H_
151struct getpgid_args {
152 pid_t pid;
153};
154#endif
155/*
156 * MPSAFE
157 */
158int
159getpgid(td, uap)
160 struct thread *td;
161 struct getpgid_args *uap;
162{
163 struct proc *p = td->td_proc;
164 struct proc *pt;
165 int error, s;
166
167 s = mtx_lock_giant(kern_giant_proc);
168 error = 0;
169 if (uap->pid == 0)
170 td->td_retval[0] = p->p_pgrp->pg_id;
171 else if ((pt = pfind(uap->pid)) == NULL)
172 error = ESRCH;
173 else {
174 error = p_cansee(p, pt);
175 if (error == 0)
176 td->td_retval[0] = pt->p_pgrp->pg_id;
177 PROC_UNLOCK(pt);
178 }
179 mtx_unlock_giant(s);
180 return (error);
181}
182
183/*
184 * Get an arbitary pid's session id.
185 */
186#ifndef _SYS_SYSPROTO_H_
187struct getsid_args {
188 pid_t pid;
189};
190#endif
191/*
192 * MPSAFE
193 */
194int
195getsid(td, uap)
196 struct thread *td;
197 struct getsid_args *uap;
198{
199 struct proc *p = td->td_proc;
200 struct proc *pt;
201 int error;
202
203 mtx_lock(&Giant);
204 error = 0;
205 if (uap->pid == 0)
206 td->td_retval[0] = p->p_session->s_sid;
207 else if ((pt = pfind(uap->pid)) == NULL)
208 error = ESRCH;
209 else {
210 error = p_cansee(p, pt);
211 if (error == 0)
212 td->td_retval[0] = pt->p_session->s_sid;
213 PROC_UNLOCK(pt);
214 }
215 mtx_unlock(&Giant);
216 return (error);
217}
218
219#ifndef _SYS_SYSPROTO_H_
220struct getuid_args {
221 int dummy;
222};
223#endif
224/*
225 * MPSAFE
226 */
227/* ARGSUSED */
228int
229getuid(td, uap)
230 struct thread *td;
231 struct getuid_args *uap;
232{
233 struct proc *p = td->td_proc;
234
235 mtx_lock(&Giant);
236 td->td_retval[0] = p->p_ucred->cr_ruid;
237#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
238 td->td_retval[1] = p->p_ucred->cr_uid;
239#endif
240 mtx_unlock(&Giant);
241 return (0);
242}
243
244#ifndef _SYS_SYSPROTO_H_
245struct geteuid_args {
246 int dummy;
247};
248#endif
249/*
250 * MPSAFE
251 */
252/* ARGSUSED */
253int
254geteuid(td, uap)
255 struct thread *td;
256 struct geteuid_args *uap;
257{
258 mtx_lock(&Giant);
259 td->td_retval[0] = td->td_proc->p_ucred->cr_uid;
260 mtx_unlock(&Giant);
261 return (0);
262}
263
264#ifndef _SYS_SYSPROTO_H_
265struct getgid_args {
266 int dummy;
267};
268#endif
269/*
270 * MPSAFE
271 */
272/* ARGSUSED */
273int
274getgid(td, uap)
275 struct thread *td;
276 struct getgid_args *uap;
277{
278 struct proc *p = td->td_proc;
279
280 mtx_lock(&Giant);
281 td->td_retval[0] = p->p_ucred->cr_rgid;
282#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
283 td->td_retval[1] = p->p_ucred->cr_groups[0];
284#endif
285 mtx_unlock(&Giant);
286 return (0);
287}
288
289/*
290 * Get effective group ID. The "egid" is groups[0], and could be obtained
291 * via getgroups. This syscall exists because it is somewhat painful to do
292 * correctly in a library function.
293 */
294#ifndef _SYS_SYSPROTO_H_
295struct getegid_args {
296 int dummy;
297};
298#endif
299/*
300 * MPSAFE
301 */
302/* ARGSUSED */
303int
304getegid(td, uap)
305 struct thread *td;
306 struct getegid_args *uap;
307{
308 struct proc *p = td->td_proc;
309
310 mtx_lock(&Giant);
311 td->td_retval[0] = p->p_ucred->cr_groups[0];
312 mtx_unlock(&Giant);
313 return (0);
314}
315
316#ifndef _SYS_SYSPROTO_H_
317struct getgroups_args {
318 u_int gidsetsize;
319 gid_t *gidset;
320};
321#endif
322/*
323 * MPSAFE
324 */
325int
326getgroups(td, uap)
327 struct thread *td;
328 register struct getgroups_args *uap;
329{
330 struct ucred *cred;
331 struct proc *p = td->td_proc;
332 u_int ngrp;
333 int error;
334
335 mtx_lock(&Giant);
336 error = 0;
337 cred = p->p_ucred;
338 if ((ngrp = uap->gidsetsize) == 0) {
339 td->td_retval[0] = cred->cr_ngroups;
340 goto done2;
341 }
342 if (ngrp < cred->cr_ngroups) {
343 error = EINVAL;
344 goto done2;
345 }
346 ngrp = cred->cr_ngroups;
347 if ((error = copyout((caddr_t)cred->cr_groups,
348 (caddr_t)uap->gidset, ngrp * sizeof(gid_t))))
349 goto done2;
350 td->td_retval[0] = ngrp;
351done2:
352 mtx_unlock(&Giant);
353 return (error);
354}
355
356#ifndef _SYS_SYSPROTO_H_
357struct setsid_args {
358 int dummy;
359};
360#endif
361/*
362 * MPSAFE
363 */
364/* ARGSUSED */
365int
366setsid(td, uap)
367 register struct thread *td;
368 struct setsid_args *uap;
369{
370 int error;
371 struct proc *p = td->td_proc;
372
373 mtx_lock(&Giant);
374 if (p->p_pgid == p->p_pid || pgfind(p->p_pid))
375 error = EPERM;
376 else {
377 (void)enterpgrp(p, p->p_pid, 1);
378 td->td_retval[0] = p->p_pid;
379 error = 0;
380 }
381 mtx_unlock(&Giant);
382 return (error);
383}
384
385/*
386 * set process group (setpgid/old setpgrp)
387 *
388 * caller does setpgid(targpid, targpgid)
389 *
390 * pid must be caller or child of caller (ESRCH)
391 * if a child
392 * pid must be in same session (EPERM)
393 * pid can't have done an exec (EACCES)
394 * if pgid != pid
395 * there must exist some pid in same session having pgid (EPERM)
396 * pid must not be session leader (EPERM)
397 */
398#ifndef _SYS_SYSPROTO_H_
399struct setpgid_args {
400 int pid; /* target process id */
401 int pgid; /* target pgrp id */
402};
403#endif
404/*
405 * MPSAFE
406 */
407/* ARGSUSED */
408int
409setpgid(td, uap)
410 struct thread *td;
411 register struct setpgid_args *uap;
412{
413 struct proc *curp = td->td_proc;
414 register struct proc *targp; /* target process */
415 register struct pgrp *pgrp; /* target pgrp */
416 int error;
417
418 if (uap->pgid < 0)
419 return (EINVAL);
420 mtx_lock(&Giant);
421 sx_slock(&proctree_lock);
422 if (uap->pid != 0 && uap->pid != curp->p_pid) {
423 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) {
424 if (targp)
425 PROC_UNLOCK(targp);
426 error = ESRCH;
427 goto done2;
428 }
429 if ((error = p_cansee(curproc, targp))) {
430 PROC_UNLOCK(targp);
431 goto done2;
432 }
433 if (targp->p_pgrp == NULL ||
434 targp->p_session != curp->p_session) {
435 PROC_UNLOCK(targp);
436 error = EPERM;
437 goto done2;
438 }
439 if (targp->p_flag & P_EXEC) {
440 PROC_UNLOCK(targp);
441 error = EACCES;
442 goto done2;
443 }
444 } else {
445 targp = curp;
446 PROC_LOCK(curp); /* XXX: not needed */
447 }
448 if (SESS_LEADER(targp)) {
449 PROC_UNLOCK(targp);
450 error = EPERM;
451 goto done2;
452 }
453 if (uap->pgid == 0)
454 uap->pgid = targp->p_pid;
455 else if (uap->pgid != targp->p_pid) {
456 if ((pgrp = pgfind(uap->pgid)) == 0 ||
457 pgrp->pg_session != curp->p_session) {
458 PROC_UNLOCK(targp);
459 error = EPERM;
460 goto done2;
461 }
462 }
463 /* XXX: We should probably hold the lock across enterpgrp. */
464 PROC_UNLOCK(targp);
465 error = enterpgrp(targp, uap->pgid, 0);
466done2:
467 sx_sunlock(&proctree_lock);
468 mtx_unlock(&Giant);
469 return (error);
470}
471
472/*
473 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
474 * compatible. It says that setting the uid/gid to euid/egid is a special
475 * case of "appropriate privilege". Once the rules are expanded out, this
476 * basically means that setuid(nnn) sets all three id's, in all permitted
477 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
478 * does not set the saved id - this is dangerous for traditional BSD
479 * programs. For this reason, we *really* do not want to set
480 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
481 */
482#define POSIX_APPENDIX_B_4_2_2
483
484#ifndef _SYS_SYSPROTO_H_
485struct setuid_args {
486 uid_t uid;
487};
488#endif
489/*
490 * MPSAFE
491 */
492/* ARGSUSED */
493int
494setuid(td, uap)
495 struct thread *td;
496 struct setuid_args *uap;
497{
498 struct proc *p = td->td_proc;
499 struct ucred *newcred, *oldcred;
500 uid_t uid;
501 int error;
502
503 uid = uap->uid;
504 mtx_lock(&Giant);
505 error = 0;
506 oldcred = p->p_ucred;
507 /*
508 * See if we have "permission" by POSIX 1003.1 rules.
509 *
510 * Note that setuid(geteuid()) is a special case of
511 * "appropriate privileges" in appendix B.4.2.2. We need
512 * to use this clause to be compatible with traditional BSD
513 * semantics. Basically, it means that "setuid(xx)" sets all
514 * three id's (assuming you have privs).
515 *
516 * Notes on the logic. We do things in three steps.
517 * 1: We determine if the euid is going to change, and do EPERM
518 * right away. We unconditionally change the euid later if this
519 * test is satisfied, simplifying that part of the logic.
520 * 2: We determine if the real and/or saved uids are going to
521 * change. Determined by compile options.
522 * 3: Change euid last. (after tests in #2 for "appropriate privs")
523 */
524 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
525#ifdef _POSIX_SAVED_IDS
526 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
527#endif
528#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
529 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
530#endif
531 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
532 goto done2;
533
534 newcred = crdup(oldcred);
535#ifdef _POSIX_SAVED_IDS
536 /*
537 * Do we have "appropriate privileges" (are we root or uid == euid)
538 * If so, we are changing the real uid and/or saved uid.
539 */
540 if (
541#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
542 uid == oldcred->cr_uid ||
543#endif
544 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
545#endif
546 {
547 /*
548 * Set the real uid and transfer proc count to new user.
549 */
550 if (uid != oldcred->cr_ruid) {
551 change_ruid(newcred, uid);
552 setsugid(p);
553 }
554 /*
555 * Set saved uid
556 *
557 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
558 * the security of seteuid() depends on it. B.4.2.2 says it
559 * is important that we should do this.
560 */
561 if (uid != oldcred->cr_svuid) {
562 change_svuid(newcred, uid);
563 setsugid(p);
564 }
565 }
566
567 /*
568 * In all permitted cases, we are changing the euid.
569 * Copy credentials so other references do not see our changes.
570 */
571 if (uid != oldcred->cr_uid) {
572 change_euid(newcred, uid);
573 setsugid(p);
574 }
575 p->p_ucred = newcred;
576 crfree(oldcred);
577done2:
578 mtx_unlock(&Giant);
579 return (error);
580}
581
582#ifndef _SYS_SYSPROTO_H_
583struct seteuid_args {
584 uid_t euid;
585};
586#endif
587/*
588 * MPSAFE
589 */
590/* ARGSUSED */
591int
592seteuid(td, uap)
593 struct thread *td;
594 struct seteuid_args *uap;
595{
596 struct proc *p = td->td_proc;
597 struct ucred *newcred, *oldcred;
598 uid_t euid;
599 int error;
600
601 euid = uap->euid;
602 mtx_lock(&Giant);
603 error = 0;
604 oldcred = p->p_ucred;
605 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
606 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
607 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
608 goto done2;
609 /*
610 * Everything's okay, do it. Copy credentials so other references do
611 * not see our changes.
612 */
613 newcred = crdup(oldcred);
614 if (oldcred->cr_uid != euid) {
615 change_euid(newcred, euid);
616 setsugid(p);
617 }
618 p->p_ucred = newcred;
619 crfree(oldcred);
620done2:
621 mtx_unlock(&Giant);
622 return (error);
623}
624
625#ifndef _SYS_SYSPROTO_H_
626struct setgid_args {
627 gid_t gid;
628};
629#endif
630/*
631 * MPSAFE
632 */
633/* ARGSUSED */
634int
635setgid(td, uap)
636 struct thread *td;
637 struct setgid_args *uap;
638{
639 struct proc *p = td->td_proc;
640 struct ucred *newcred, *oldcred;
641 gid_t gid;
642 int error;
643
644 gid = uap->gid;
645 mtx_lock(&Giant);
646 error = 0;
647 oldcred = p->p_ucred;
648 /*
649 * See if we have "permission" by POSIX 1003.1 rules.
650 *
651 * Note that setgid(getegid()) is a special case of
652 * "appropriate privileges" in appendix B.4.2.2. We need
653 * to use this clause to be compatible with traditional BSD
654 * semantics. Basically, it means that "setgid(xx)" sets all
655 * three id's (assuming you have privs).
656 *
657 * For notes on the logic here, see setuid() above.
658 */
659 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
660#ifdef _POSIX_SAVED_IDS
661 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
662#endif
663#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
664 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
665#endif
666 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
667 goto done2;
668
669 newcred = crdup(oldcred);
670#ifdef _POSIX_SAVED_IDS
671 /*
672 * Do we have "appropriate privileges" (are we root or gid == egid)
673 * If so, we are changing the real uid and saved gid.
674 */
675 if (
676#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
677 gid == oldcred->cr_groups[0] ||
678#endif
679 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
680#endif
681 {
682 /*
683 * Set real gid
684 */
685 if (oldcred->cr_rgid != gid) {
686 change_rgid(newcred, gid);
687 setsugid(p);
688 }
689 /*
690 * Set saved gid
691 *
692 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
693 * the security of setegid() depends on it. B.4.2.2 says it
694 * is important that we should do this.
695 */
696 if (oldcred->cr_svgid != gid) {
697 change_svgid(newcred, gid);
698 setsugid(p);
699 }
700 }
701 /*
702 * In all cases permitted cases, we are changing the egid.
703 * Copy credentials so other references do not see our changes.
704 */
705 if (oldcred->cr_groups[0] != gid) {
706 change_egid(newcred, gid);
707 setsugid(p);
708 }
709 p->p_ucred = newcred;
710 crfree(oldcred);
711done2:
712 mtx_unlock(&Giant);
713 return (error);
714}
715
716#ifndef _SYS_SYSPROTO_H_
717struct setegid_args {
718 gid_t egid;
719};
720#endif
721/*
722 * MPSAFE
723 */
724/* ARGSUSED */
725int
726setegid(td, uap)
727 struct thread *td;
728 struct setegid_args *uap;
729{
730 struct proc *p = td->td_proc;
731 struct ucred *newcred, *oldcred;
732 gid_t egid;
733 int error;
734
735 egid = uap->egid;
736 mtx_lock(&Giant);
737 error = 0;
738 oldcred = p->p_ucred;
739 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
740 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
741 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
742 goto done2;
743 newcred = crdup(oldcred);
744 if (oldcred->cr_groups[0] != egid) {
745 change_egid(newcred, egid);
746 setsugid(p);
747 }
748 p->p_ucred = newcred;
749 crfree(oldcred);
750done2:
751 mtx_unlock(&Giant);
752 return (error);
753}
754
755#ifndef _SYS_SYSPROTO_H_
756struct setgroups_args {
757 u_int gidsetsize;
758 gid_t *gidset;
759};
760#endif
761/*
762 * MPSAFE
763 */
764/* ARGSUSED */
765int
766setgroups(td, uap)
767 struct thread *td;
768 struct setgroups_args *uap;
769{
770 struct proc *p = td->td_proc;
771 struct ucred *newcred, *oldcred;
772 u_int ngrp;
773 int error;
774
775 ngrp = uap->gidsetsize;
776 mtx_lock(&Giant);
777 oldcred = p->p_ucred;
778 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
779 goto done2;
780 if (ngrp > NGROUPS) {
781 error = EINVAL;
782 goto done2;
783 }
784 /*
785 * XXX A little bit lazy here. We could test if anything has
786 * changed before crcopy() and setting P_SUGID.
787 */
788 newcred = crdup(oldcred);
789 if (ngrp < 1) {
790 /*
791 * setgroups(0, NULL) is a legitimate way of clearing the
792 * groups vector on non-BSD systems (which generally do not
793 * have the egid in the groups[0]). We risk security holes
794 * when running non-BSD software if we do not do the same.
795 */
796 newcred->cr_ngroups = 1;
797 } else {
798 if ((error = copyin((caddr_t)uap->gidset,
799 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) {
800 crfree(newcred);
801 goto done2;
802 }
803 newcred->cr_ngroups = ngrp;
804 }
805 setsugid(p);
806 p->p_ucred = newcred;
807 crfree(oldcred);
808done2:
809 mtx_unlock(&Giant);
810 return (error);
811}
812
813#ifndef _SYS_SYSPROTO_H_
814struct setreuid_args {
815 uid_t ruid;
816 uid_t euid;
817};
818#endif
819/*
820 * MPSAFE
821 */
822/* ARGSUSED */
823int
824setreuid(td, uap)
825 register struct thread *td;
826 struct setreuid_args *uap;
827{
828 struct proc *p = td->td_proc;
829 struct ucred *newcred, *oldcred;
830 uid_t euid, ruid;
831 int error;
832
833 euid = uap->euid;
834 ruid = uap->ruid;
835 mtx_lock(&Giant);
836 error = 0;
837 oldcred = p->p_ucred;
838 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
839 ruid != oldcred->cr_svuid) ||
840 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
841 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
842 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
843 goto done2;
844 newcred = crdup(oldcred);
845 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
846 change_euid(newcred, euid);
847 setsugid(p);
848 }
849 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
850 change_ruid(newcred, ruid);
851 setsugid(p);
852 }
853 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
854 newcred->cr_svuid != newcred->cr_uid) {
855 change_svuid(newcred, newcred->cr_uid);
856 setsugid(p);
857 }
858 p->p_ucred = newcred;
859 crfree(oldcred);
860done2:
861 mtx_unlock(&Giant);
862 return (error);
863}
864
865#ifndef _SYS_SYSPROTO_H_
866struct setregid_args {
867 gid_t rgid;
868 gid_t egid;
869};
870#endif
871/*
872 * MPSAFE
873 */
874/* ARGSUSED */
875int
876setregid(td, uap)
877 register struct thread *td;
878 struct setregid_args *uap;
879{
880 struct proc *p = td->td_proc;
881 struct ucred *newcred, *oldcred;
882 gid_t egid, rgid;
883 int error;
884
885 egid = uap->egid;
886 rgid = uap->rgid;
887 mtx_lock(&Giant);
888 error = 0;
889 oldcred = p->p_ucred;
890 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
891 rgid != oldcred->cr_svgid) ||
892 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
893 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
894 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
895 goto done2;
896 newcred = crdup(oldcred);
897 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
898 change_egid(newcred, egid);
899 setsugid(p);
900 }
901 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
902 change_rgid(newcred, rgid);
903 setsugid(p);
904 }
905 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
906 newcred->cr_svgid != newcred->cr_groups[0]) {
907 change_svgid(newcred, newcred->cr_groups[0]);
908 setsugid(p);
909 }
910 p->p_ucred = newcred;
911 crfree(oldcred);
912done2:
913 mtx_unlock(&Giant);
914 return (error);
915}
916
917/*
918 * setresuid(ruid, euid, suid) is like setreuid except control over the
919 * saved uid is explicit.
920 */
921
922#ifndef _SYS_SYSPROTO_H_
923struct setresuid_args {
924 uid_t ruid;
925 uid_t euid;
926 uid_t suid;
927};
928#endif
929/*
930 * MPSAFE
931 */
932/* ARGSUSED */
933int
934setresuid(td, uap)
935 register struct thread *td;
936 struct setresuid_args *uap;
937{
938 struct proc *p = td->td_proc;
939 struct ucred *newcred, *oldcred;
940 uid_t euid, ruid, suid;
941 int error;
942
943 euid = uap->euid;
944 ruid = uap->ruid;
945 suid = uap->suid;
946 mtx_lock(&Giant);
947 oldcred = p->p_ucred;
948 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
949 ruid != oldcred->cr_svuid &&
950 ruid != oldcred->cr_uid) ||
951 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
952 euid != oldcred->cr_svuid &&
953 euid != oldcred->cr_uid) ||
954 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
955 suid != oldcred->cr_svuid &&
956 suid != oldcred->cr_uid)) &&
957 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
958 goto done2;
959 newcred = crdup(oldcred);
960 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
961 change_euid(newcred, euid);
962 setsugid(p);
963 }
964 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
965 change_ruid(newcred, ruid);
966 setsugid(p);
967 }
968 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
969 change_svuid(newcred, suid);
970 setsugid(p);
971 }
972 p->p_ucred = newcred;
973 crfree(oldcred);
974 error = 0;
975done2:
976 mtx_unlock(&Giant);
977 return (error);
978}
979
980/*
981 * setresgid(rgid, egid, sgid) is like setregid except control over the
982 * saved gid is explicit.
983 */
984
985#ifndef _SYS_SYSPROTO_H_
986struct setresgid_args {
987 gid_t rgid;
988 gid_t egid;
989 gid_t sgid;
990};
991#endif
992/*
993 * MPSAFE
994 */
995/* ARGSUSED */
996int
997setresgid(td, uap)
998 register struct thread *td;
999 struct setresgid_args *uap;
1000{
1001 struct proc *p = td->td_proc;
1002 struct ucred *newcred, *oldcred;
1003 gid_t egid, rgid, sgid;
1004 int error;
1005
1006 egid = uap->egid;
1007 rgid = uap->rgid;
1008 sgid = uap->sgid;
1009 mtx_lock(&Giant);
1010 oldcred = p->p_ucred;
1011 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1012 rgid != oldcred->cr_svgid &&
1013 rgid != oldcred->cr_groups[0]) ||
1014 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1015 egid != oldcred->cr_svgid &&
1016 egid != oldcred->cr_groups[0]) ||
1017 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1018 sgid != oldcred->cr_svgid &&
1019 sgid != oldcred->cr_groups[0])) &&
1020 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
1021 goto done2;
1022 }
1023 newcred = crdup(oldcred);
1024 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1025 change_egid(newcred, egid);
1026 setsugid(p);
1027 }
1028 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1029 change_rgid(newcred, rgid);
1030 setsugid(p);
1031 }
1032 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1033 change_svgid(newcred, sgid);
1034 setsugid(p);
1035 }
1036 p->p_ucred = newcred;
1037 crfree(oldcred);
1038 error = 0;
1039done2:
1040 mtx_unlock(&Giant);
1041 return (error);
1042}
1043
1044#ifndef _SYS_SYSPROTO_H_
1045struct getresuid_args {
1046 uid_t *ruid;
1047 uid_t *euid;
1048 uid_t *suid;
1049};
1050#endif
1051/*
1052 * MPSAFE
1053 */
1054/* ARGSUSED */
1055int
1056getresuid(td, uap)
1057 register struct thread *td;
1058 struct getresuid_args *uap;
1059{
1060 struct ucred *cred;
1061 struct proc *p = td->td_proc;
1062 int error1 = 0, error2 = 0, error3 = 0;
1063
1064 mtx_lock(&Giant);
1065 cred = p->p_ucred;
1066 if (uap->ruid)
1067 error1 = copyout((caddr_t)&cred->cr_ruid,
1068 (caddr_t)uap->ruid, sizeof(cred->cr_ruid));
1069 if (uap->euid)
1070 error2 = copyout((caddr_t)&cred->cr_uid,
1071 (caddr_t)uap->euid, sizeof(cred->cr_uid));
1072 if (uap->suid)
1073 error3 = copyout((caddr_t)&cred->cr_svuid,
1074 (caddr_t)uap->suid, sizeof(cred->cr_svuid));
1075 mtx_unlock(&Giant);
1076 return (error1 ? error1 : error2 ? error2 : error3);
1077}
1078
1079#ifndef _SYS_SYSPROTO_H_
1080struct getresgid_args {
1081 gid_t *rgid;
1082 gid_t *egid;
1083 gid_t *sgid;
1084};
1085#endif
1086/*
1087 * MPSAFE
1088 */
1089/* ARGSUSED */
1090int
1091getresgid(td, uap)
1092 register struct thread *td;
1093 struct getresgid_args *uap;
1094{
1095 struct ucred *cred;
1096 struct proc *p = td->td_proc;
1097 int error1 = 0, error2 = 0, error3 = 0;
1098
1099 mtx_lock(&Giant);
1100 cred = p->p_ucred;
1101 if (uap->rgid)
1102 error1 = copyout((caddr_t)&cred->cr_rgid,
1103 (caddr_t)uap->rgid, sizeof(cred->cr_rgid));
1104 if (uap->egid)
1105 error2 = copyout((caddr_t)&cred->cr_groups[0],
1106 (caddr_t)uap->egid, sizeof(cred->cr_groups[0]));
1107 if (uap->sgid)
1108 error3 = copyout((caddr_t)&cred->cr_svgid,
1109 (caddr_t)uap->sgid, sizeof(cred->cr_svgid));
1110 mtx_unlock(&Giant);
1111 return (error1 ? error1 : error2 ? error2 : error3);
1112}
1113
1114#ifndef _SYS_SYSPROTO_H_
1115struct issetugid_args {
1116 int dummy;
1117};
1118#endif
1119/*
1120 * NOT MPSAFE?
1121 */
1122/* ARGSUSED */
1123int
1124issetugid(td, uap)
1125 register struct thread *td;
1126 struct issetugid_args *uap;
1127{
1128 struct proc *p = td->td_proc;
1129
1130 /*
1131 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1132 * we use P_SUGID because we consider changing the owners as
1133 * "tainting" as well.
1134 * This is significant for procs that start as root and "become"
1135 * a user without an exec - programs cannot know *everything*
1136 * that libc *might* have put in their data segment.
1137 */
1138 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1139 return (0);
1140}
1141
1142/*
1143 * MPSAFE
1144 */
1145int
1146__setugid(td, uap)
1147 struct thread *td;
1148 struct __setugid_args *uap;
1149{
1150#ifdef REGRESSION
1151 int error;
1152
1153 mtx_lock(&Giant);
1154 error = 0;
1155 switch (uap->flag) {
1156 case 0:
1157 td->td_proc->p_flag &= ~P_SUGID;
1158 break;
1159 case 1:
1160 td->td_proc->p_flag |= P_SUGID;
1161 break;
1162 default:
1163 error = EINVAL;
1164 break;
1165 }
1166 mtx_unlock(&Giant);
1167 return (error);
1168#else /* !REGRESSION */
1169
1170 return (ENOSYS);
1171#endif /* REGRESSION */
1172}
1173
1174/*
1175 * Check if gid is a member of the group set.
1176 */
1177int
1178groupmember(gid, cred)
1179 gid_t gid;
1180 struct ucred *cred;
1181{
1182 register gid_t *gp;
1183 gid_t *egp;
1184
1185 egp = &(cred->cr_groups[cred->cr_ngroups]);
1186 for (gp = cred->cr_groups; gp < egp; gp++)
1187 if (*gp == gid)
1188 return (1);
1189 return (0);
1190}
1191
1192/*
1193 * `suser_enabled' (which can be set by the kern.security.suser_enabled
1194 * sysctl) determines whether the system 'super-user' policy is in effect.
1195 * If it is nonzero, an effective uid of 0 connotes special privilege,
1196 * overriding many mandatory and discretionary protections. If it is zero,
1197 * uid 0 is offered no special privilege in the kernel security policy.
1198 * Setting it to zero may seriously impact the functionality of many
1199 * existing userland programs, and should not be done without careful
1200 * consideration of the consequences.
1201 */
1202int suser_enabled = 1;
1203SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1204 &suser_enabled, 0, "processes with uid 0 have privilege");
1205
1206/*
1207 * Test whether the specified credentials imply "super-user" privilege.
1208 * Return 0 or EPERM.
1209 */
1210int
1211suser(p)
1212 struct proc *p;
1213{
1214
1215 return (suser_xxx(0, p, 0));
1216}
1217
1218/*
1219 * version for when the thread pointer is available and not the proc.
1220 * (saves having to include proc.h into every file that needs to do the change.)
1221 */
1222int
1223suser_td(td)
1224 struct thread *td;
1225{
1226 return suser_xxx(0, td->td_proc, 0);
1227}
1228
1229/*
1230 * wrapper to use if you have the thread on hand but not the proc.
1231 */
1232int
1233suser_xxx_td(cred, td, flag)
1234 struct ucred *cred;
1235 struct thread *td;
1236 int flag;
1237{
1238 return(suser_xxx(cred, td->td_proc, flag));
1239}
1240
1241int
1242suser_xxx(cred, proc, flag)
1243 struct ucred *cred;
1244 struct proc *proc;
1245 int flag;
1246{
1247 if (!suser_enabled)
1248 return (EPERM);
1249 if (!cred && !proc) {
1250 printf("suser_xxx(): THINK!\n");
1251 return (EPERM);
1252 }
1253 if (cred == NULL)
1254 cred = proc->p_ucred;
1255 if (cred->cr_uid != 0)
1256 return (EPERM);
1257 if (jailed(cred) && !(flag & PRISON_ROOT))
1258 return (EPERM);
1259 return (0);
1260}
1261
1262/*
1263 * Test the active securelevel against a given level. securelevel_gt()
1264 * implements (securelevel > level). securelevel_ge() implements
1265 * (securelevel >= level). Note that the logic is inverted -- these
1266 * functions return EPERM on "success" and 0 on "failure".
1267 *
1268 * cr is permitted to be NULL for the time being, as there were some
1269 * existing securelevel checks that occurred without a process/credential
1270 * context. In the future this will be disallowed, so a kernel message
1271 * is displayed.
1272 */
1273int
1274securelevel_gt(struct ucred *cr, int level)
1275{
1276 int active_securelevel;
1277
1278 active_securelevel = securelevel;
1279 if (cr == NULL)
1280 printf("securelevel_gt: cr is NULL\n");
| 41 */
42
43/*
44 * System calls related to processes and protection
45 */
46
47#include "opt_compat.h"
48#include "opt_global.h"
49
50#include <sys/param.h>
51#include <sys/systm.h>
52#include <sys/acct.h>
53#include <sys/kernel.h>
54#include <sys/lock.h>
55#include <sys/mutex.h>
56#include <sys/proc.h>
57#include <sys/sx.h>
58#include <sys/sysproto.h>
59#include <sys/jail.h>
60#include <sys/malloc.h>
61#include <sys/pioctl.h>
62#include <sys/resourcevar.h>
63#include <sys/sysctl.h>
64
65static MALLOC_DEFINE(M_CRED, "cred", "credentials");
66
67SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0,
68 "Kernel security policy");
69SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
70 "BSD security policy");
71
72#ifndef _SYS_SYSPROTO_H_
73struct getpid_args {
74 int dummy;
75};
76#endif
77/*
78 * MPSAFE
79 */
80/* ARGSUSED */
81int
82getpid(td, uap)
83 struct thread *td;
84 struct getpid_args *uap;
85{
86 struct proc *p = td->td_proc;
87 int s;
88
89 s = mtx_lock_giant(kern_giant_proc);
90 td->td_retval[0] = p->p_pid;
91#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
92 PROC_LOCK(p);
93 td->td_retval[1] = p->p_pptr->p_pid;
94 PROC_UNLOCK(p);
95#endif
96 mtx_unlock_giant(s);
97 return (0);
98}
99
100#ifndef _SYS_SYSPROTO_H_
101struct getppid_args {
102 int dummy;
103};
104#endif
105/*
106 * MPSAFE
107 */
108/* ARGSUSED */
109int
110getppid(td, uap)
111 struct thread *td;
112 struct getppid_args *uap;
113{
114 struct proc *p = td->td_proc;
115 int s;
116
117 s = mtx_lock_giant(kern_giant_proc);
118 PROC_LOCK(p);
119 td->td_retval[0] = p->p_pptr->p_pid;
120 PROC_UNLOCK(p);
121 mtx_unlock_giant(s);
122 return (0);
123}
124
125/*
126 * Get process group ID; note that POSIX getpgrp takes no parameter.
127 */
128#ifndef _SYS_SYSPROTO_H_
129struct getpgrp_args {
130 int dummy;
131};
132#endif
133/*
134 * MPSAFE
135 */
136int
137getpgrp(td, uap)
138 struct thread *td;
139 struct getpgrp_args *uap;
140{
141 struct proc *p = td->td_proc;
142
143 mtx_lock(&Giant);
144 td->td_retval[0] = p->p_pgrp->pg_id;
145 mtx_unlock(&Giant);
146 return (0);
147}
148
149/* Get an arbitary pid's process group id */
150#ifndef _SYS_SYSPROTO_H_
151struct getpgid_args {
152 pid_t pid;
153};
154#endif
155/*
156 * MPSAFE
157 */
158int
159getpgid(td, uap)
160 struct thread *td;
161 struct getpgid_args *uap;
162{
163 struct proc *p = td->td_proc;
164 struct proc *pt;
165 int error, s;
166
167 s = mtx_lock_giant(kern_giant_proc);
168 error = 0;
169 if (uap->pid == 0)
170 td->td_retval[0] = p->p_pgrp->pg_id;
171 else if ((pt = pfind(uap->pid)) == NULL)
172 error = ESRCH;
173 else {
174 error = p_cansee(p, pt);
175 if (error == 0)
176 td->td_retval[0] = pt->p_pgrp->pg_id;
177 PROC_UNLOCK(pt);
178 }
179 mtx_unlock_giant(s);
180 return (error);
181}
182
183/*
184 * Get an arbitary pid's session id.
185 */
186#ifndef _SYS_SYSPROTO_H_
187struct getsid_args {
188 pid_t pid;
189};
190#endif
191/*
192 * MPSAFE
193 */
194int
195getsid(td, uap)
196 struct thread *td;
197 struct getsid_args *uap;
198{
199 struct proc *p = td->td_proc;
200 struct proc *pt;
201 int error;
202
203 mtx_lock(&Giant);
204 error = 0;
205 if (uap->pid == 0)
206 td->td_retval[0] = p->p_session->s_sid;
207 else if ((pt = pfind(uap->pid)) == NULL)
208 error = ESRCH;
209 else {
210 error = p_cansee(p, pt);
211 if (error == 0)
212 td->td_retval[0] = pt->p_session->s_sid;
213 PROC_UNLOCK(pt);
214 }
215 mtx_unlock(&Giant);
216 return (error);
217}
218
219#ifndef _SYS_SYSPROTO_H_
220struct getuid_args {
221 int dummy;
222};
223#endif
224/*
225 * MPSAFE
226 */
227/* ARGSUSED */
228int
229getuid(td, uap)
230 struct thread *td;
231 struct getuid_args *uap;
232{
233 struct proc *p = td->td_proc;
234
235 mtx_lock(&Giant);
236 td->td_retval[0] = p->p_ucred->cr_ruid;
237#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
238 td->td_retval[1] = p->p_ucred->cr_uid;
239#endif
240 mtx_unlock(&Giant);
241 return (0);
242}
243
244#ifndef _SYS_SYSPROTO_H_
245struct geteuid_args {
246 int dummy;
247};
248#endif
249/*
250 * MPSAFE
251 */
252/* ARGSUSED */
253int
254geteuid(td, uap)
255 struct thread *td;
256 struct geteuid_args *uap;
257{
258 mtx_lock(&Giant);
259 td->td_retval[0] = td->td_proc->p_ucred->cr_uid;
260 mtx_unlock(&Giant);
261 return (0);
262}
263
264#ifndef _SYS_SYSPROTO_H_
265struct getgid_args {
266 int dummy;
267};
268#endif
269/*
270 * MPSAFE
271 */
272/* ARGSUSED */
273int
274getgid(td, uap)
275 struct thread *td;
276 struct getgid_args *uap;
277{
278 struct proc *p = td->td_proc;
279
280 mtx_lock(&Giant);
281 td->td_retval[0] = p->p_ucred->cr_rgid;
282#if defined(COMPAT_43) || defined(COMPAT_SUNOS)
283 td->td_retval[1] = p->p_ucred->cr_groups[0];
284#endif
285 mtx_unlock(&Giant);
286 return (0);
287}
288
289/*
290 * Get effective group ID. The "egid" is groups[0], and could be obtained
291 * via getgroups. This syscall exists because it is somewhat painful to do
292 * correctly in a library function.
293 */
294#ifndef _SYS_SYSPROTO_H_
295struct getegid_args {
296 int dummy;
297};
298#endif
299/*
300 * MPSAFE
301 */
302/* ARGSUSED */
303int
304getegid(td, uap)
305 struct thread *td;
306 struct getegid_args *uap;
307{
308 struct proc *p = td->td_proc;
309
310 mtx_lock(&Giant);
311 td->td_retval[0] = p->p_ucred->cr_groups[0];
312 mtx_unlock(&Giant);
313 return (0);
314}
315
316#ifndef _SYS_SYSPROTO_H_
317struct getgroups_args {
318 u_int gidsetsize;
319 gid_t *gidset;
320};
321#endif
322/*
323 * MPSAFE
324 */
325int
326getgroups(td, uap)
327 struct thread *td;
328 register struct getgroups_args *uap;
329{
330 struct ucred *cred;
331 struct proc *p = td->td_proc;
332 u_int ngrp;
333 int error;
334
335 mtx_lock(&Giant);
336 error = 0;
337 cred = p->p_ucred;
338 if ((ngrp = uap->gidsetsize) == 0) {
339 td->td_retval[0] = cred->cr_ngroups;
340 goto done2;
341 }
342 if (ngrp < cred->cr_ngroups) {
343 error = EINVAL;
344 goto done2;
345 }
346 ngrp = cred->cr_ngroups;
347 if ((error = copyout((caddr_t)cred->cr_groups,
348 (caddr_t)uap->gidset, ngrp * sizeof(gid_t))))
349 goto done2;
350 td->td_retval[0] = ngrp;
351done2:
352 mtx_unlock(&Giant);
353 return (error);
354}
355
356#ifndef _SYS_SYSPROTO_H_
357struct setsid_args {
358 int dummy;
359};
360#endif
361/*
362 * MPSAFE
363 */
364/* ARGSUSED */
365int
366setsid(td, uap)
367 register struct thread *td;
368 struct setsid_args *uap;
369{
370 int error;
371 struct proc *p = td->td_proc;
372
373 mtx_lock(&Giant);
374 if (p->p_pgid == p->p_pid || pgfind(p->p_pid))
375 error = EPERM;
376 else {
377 (void)enterpgrp(p, p->p_pid, 1);
378 td->td_retval[0] = p->p_pid;
379 error = 0;
380 }
381 mtx_unlock(&Giant);
382 return (error);
383}
384
385/*
386 * set process group (setpgid/old setpgrp)
387 *
388 * caller does setpgid(targpid, targpgid)
389 *
390 * pid must be caller or child of caller (ESRCH)
391 * if a child
392 * pid must be in same session (EPERM)
393 * pid can't have done an exec (EACCES)
394 * if pgid != pid
395 * there must exist some pid in same session having pgid (EPERM)
396 * pid must not be session leader (EPERM)
397 */
398#ifndef _SYS_SYSPROTO_H_
399struct setpgid_args {
400 int pid; /* target process id */
401 int pgid; /* target pgrp id */
402};
403#endif
404/*
405 * MPSAFE
406 */
407/* ARGSUSED */
408int
409setpgid(td, uap)
410 struct thread *td;
411 register struct setpgid_args *uap;
412{
413 struct proc *curp = td->td_proc;
414 register struct proc *targp; /* target process */
415 register struct pgrp *pgrp; /* target pgrp */
416 int error;
417
418 if (uap->pgid < 0)
419 return (EINVAL);
420 mtx_lock(&Giant);
421 sx_slock(&proctree_lock);
422 if (uap->pid != 0 && uap->pid != curp->p_pid) {
423 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) {
424 if (targp)
425 PROC_UNLOCK(targp);
426 error = ESRCH;
427 goto done2;
428 }
429 if ((error = p_cansee(curproc, targp))) {
430 PROC_UNLOCK(targp);
431 goto done2;
432 }
433 if (targp->p_pgrp == NULL ||
434 targp->p_session != curp->p_session) {
435 PROC_UNLOCK(targp);
436 error = EPERM;
437 goto done2;
438 }
439 if (targp->p_flag & P_EXEC) {
440 PROC_UNLOCK(targp);
441 error = EACCES;
442 goto done2;
443 }
444 } else {
445 targp = curp;
446 PROC_LOCK(curp); /* XXX: not needed */
447 }
448 if (SESS_LEADER(targp)) {
449 PROC_UNLOCK(targp);
450 error = EPERM;
451 goto done2;
452 }
453 if (uap->pgid == 0)
454 uap->pgid = targp->p_pid;
455 else if (uap->pgid != targp->p_pid) {
456 if ((pgrp = pgfind(uap->pgid)) == 0 ||
457 pgrp->pg_session != curp->p_session) {
458 PROC_UNLOCK(targp);
459 error = EPERM;
460 goto done2;
461 }
462 }
463 /* XXX: We should probably hold the lock across enterpgrp. */
464 PROC_UNLOCK(targp);
465 error = enterpgrp(targp, uap->pgid, 0);
466done2:
467 sx_sunlock(&proctree_lock);
468 mtx_unlock(&Giant);
469 return (error);
470}
471
472/*
473 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
474 * compatible. It says that setting the uid/gid to euid/egid is a special
475 * case of "appropriate privilege". Once the rules are expanded out, this
476 * basically means that setuid(nnn) sets all three id's, in all permitted
477 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
478 * does not set the saved id - this is dangerous for traditional BSD
479 * programs. For this reason, we *really* do not want to set
480 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
481 */
482#define POSIX_APPENDIX_B_4_2_2
483
484#ifndef _SYS_SYSPROTO_H_
485struct setuid_args {
486 uid_t uid;
487};
488#endif
489/*
490 * MPSAFE
491 */
492/* ARGSUSED */
493int
494setuid(td, uap)
495 struct thread *td;
496 struct setuid_args *uap;
497{
498 struct proc *p = td->td_proc;
499 struct ucred *newcred, *oldcred;
500 uid_t uid;
501 int error;
502
503 uid = uap->uid;
504 mtx_lock(&Giant);
505 error = 0;
506 oldcred = p->p_ucred;
507 /*
508 * See if we have "permission" by POSIX 1003.1 rules.
509 *
510 * Note that setuid(geteuid()) is a special case of
511 * "appropriate privileges" in appendix B.4.2.2. We need
512 * to use this clause to be compatible with traditional BSD
513 * semantics. Basically, it means that "setuid(xx)" sets all
514 * three id's (assuming you have privs).
515 *
516 * Notes on the logic. We do things in three steps.
517 * 1: We determine if the euid is going to change, and do EPERM
518 * right away. We unconditionally change the euid later if this
519 * test is satisfied, simplifying that part of the logic.
520 * 2: We determine if the real and/or saved uids are going to
521 * change. Determined by compile options.
522 * 3: Change euid last. (after tests in #2 for "appropriate privs")
523 */
524 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
525#ifdef _POSIX_SAVED_IDS
526 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
527#endif
528#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
529 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
530#endif
531 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
532 goto done2;
533
534 newcred = crdup(oldcred);
535#ifdef _POSIX_SAVED_IDS
536 /*
537 * Do we have "appropriate privileges" (are we root or uid == euid)
538 * If so, we are changing the real uid and/or saved uid.
539 */
540 if (
541#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
542 uid == oldcred->cr_uid ||
543#endif
544 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
545#endif
546 {
547 /*
548 * Set the real uid and transfer proc count to new user.
549 */
550 if (uid != oldcred->cr_ruid) {
551 change_ruid(newcred, uid);
552 setsugid(p);
553 }
554 /*
555 * Set saved uid
556 *
557 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
558 * the security of seteuid() depends on it. B.4.2.2 says it
559 * is important that we should do this.
560 */
561 if (uid != oldcred->cr_svuid) {
562 change_svuid(newcred, uid);
563 setsugid(p);
564 }
565 }
566
567 /*
568 * In all permitted cases, we are changing the euid.
569 * Copy credentials so other references do not see our changes.
570 */
571 if (uid != oldcred->cr_uid) {
572 change_euid(newcred, uid);
573 setsugid(p);
574 }
575 p->p_ucred = newcred;
576 crfree(oldcred);
577done2:
578 mtx_unlock(&Giant);
579 return (error);
580}
581
582#ifndef _SYS_SYSPROTO_H_
583struct seteuid_args {
584 uid_t euid;
585};
586#endif
587/*
588 * MPSAFE
589 */
590/* ARGSUSED */
591int
592seteuid(td, uap)
593 struct thread *td;
594 struct seteuid_args *uap;
595{
596 struct proc *p = td->td_proc;
597 struct ucred *newcred, *oldcred;
598 uid_t euid;
599 int error;
600
601 euid = uap->euid;
602 mtx_lock(&Giant);
603 error = 0;
604 oldcred = p->p_ucred;
605 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
606 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
607 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
608 goto done2;
609 /*
610 * Everything's okay, do it. Copy credentials so other references do
611 * not see our changes.
612 */
613 newcred = crdup(oldcred);
614 if (oldcred->cr_uid != euid) {
615 change_euid(newcred, euid);
616 setsugid(p);
617 }
618 p->p_ucred = newcred;
619 crfree(oldcred);
620done2:
621 mtx_unlock(&Giant);
622 return (error);
623}
624
625#ifndef _SYS_SYSPROTO_H_
626struct setgid_args {
627 gid_t gid;
628};
629#endif
630/*
631 * MPSAFE
632 */
633/* ARGSUSED */
634int
635setgid(td, uap)
636 struct thread *td;
637 struct setgid_args *uap;
638{
639 struct proc *p = td->td_proc;
640 struct ucred *newcred, *oldcred;
641 gid_t gid;
642 int error;
643
644 gid = uap->gid;
645 mtx_lock(&Giant);
646 error = 0;
647 oldcred = p->p_ucred;
648 /*
649 * See if we have "permission" by POSIX 1003.1 rules.
650 *
651 * Note that setgid(getegid()) is a special case of
652 * "appropriate privileges" in appendix B.4.2.2. We need
653 * to use this clause to be compatible with traditional BSD
654 * semantics. Basically, it means that "setgid(xx)" sets all
655 * three id's (assuming you have privs).
656 *
657 * For notes on the logic here, see setuid() above.
658 */
659 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
660#ifdef _POSIX_SAVED_IDS
661 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
662#endif
663#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
664 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
665#endif
666 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
667 goto done2;
668
669 newcred = crdup(oldcred);
670#ifdef _POSIX_SAVED_IDS
671 /*
672 * Do we have "appropriate privileges" (are we root or gid == egid)
673 * If so, we are changing the real uid and saved gid.
674 */
675 if (
676#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
677 gid == oldcred->cr_groups[0] ||
678#endif
679 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */
680#endif
681 {
682 /*
683 * Set real gid
684 */
685 if (oldcred->cr_rgid != gid) {
686 change_rgid(newcred, gid);
687 setsugid(p);
688 }
689 /*
690 * Set saved gid
691 *
692 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
693 * the security of setegid() depends on it. B.4.2.2 says it
694 * is important that we should do this.
695 */
696 if (oldcred->cr_svgid != gid) {
697 change_svgid(newcred, gid);
698 setsugid(p);
699 }
700 }
701 /*
702 * In all cases permitted cases, we are changing the egid.
703 * Copy credentials so other references do not see our changes.
704 */
705 if (oldcred->cr_groups[0] != gid) {
706 change_egid(newcred, gid);
707 setsugid(p);
708 }
709 p->p_ucred = newcred;
710 crfree(oldcred);
711done2:
712 mtx_unlock(&Giant);
713 return (error);
714}
715
716#ifndef _SYS_SYSPROTO_H_
717struct setegid_args {
718 gid_t egid;
719};
720#endif
721/*
722 * MPSAFE
723 */
724/* ARGSUSED */
725int
726setegid(td, uap)
727 struct thread *td;
728 struct setegid_args *uap;
729{
730 struct proc *p = td->td_proc;
731 struct ucred *newcred, *oldcred;
732 gid_t egid;
733 int error;
734
735 egid = uap->egid;
736 mtx_lock(&Giant);
737 error = 0;
738 oldcred = p->p_ucred;
739 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
740 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
741 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
742 goto done2;
743 newcred = crdup(oldcred);
744 if (oldcred->cr_groups[0] != egid) {
745 change_egid(newcred, egid);
746 setsugid(p);
747 }
748 p->p_ucred = newcred;
749 crfree(oldcred);
750done2:
751 mtx_unlock(&Giant);
752 return (error);
753}
754
755#ifndef _SYS_SYSPROTO_H_
756struct setgroups_args {
757 u_int gidsetsize;
758 gid_t *gidset;
759};
760#endif
761/*
762 * MPSAFE
763 */
764/* ARGSUSED */
765int
766setgroups(td, uap)
767 struct thread *td;
768 struct setgroups_args *uap;
769{
770 struct proc *p = td->td_proc;
771 struct ucred *newcred, *oldcred;
772 u_int ngrp;
773 int error;
774
775 ngrp = uap->gidsetsize;
776 mtx_lock(&Giant);
777 oldcred = p->p_ucred;
778 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
779 goto done2;
780 if (ngrp > NGROUPS) {
781 error = EINVAL;
782 goto done2;
783 }
784 /*
785 * XXX A little bit lazy here. We could test if anything has
786 * changed before crcopy() and setting P_SUGID.
787 */
788 newcred = crdup(oldcred);
789 if (ngrp < 1) {
790 /*
791 * setgroups(0, NULL) is a legitimate way of clearing the
792 * groups vector on non-BSD systems (which generally do not
793 * have the egid in the groups[0]). We risk security holes
794 * when running non-BSD software if we do not do the same.
795 */
796 newcred->cr_ngroups = 1;
797 } else {
798 if ((error = copyin((caddr_t)uap->gidset,
799 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) {
800 crfree(newcred);
801 goto done2;
802 }
803 newcred->cr_ngroups = ngrp;
804 }
805 setsugid(p);
806 p->p_ucred = newcred;
807 crfree(oldcred);
808done2:
809 mtx_unlock(&Giant);
810 return (error);
811}
812
813#ifndef _SYS_SYSPROTO_H_
814struct setreuid_args {
815 uid_t ruid;
816 uid_t euid;
817};
818#endif
819/*
820 * MPSAFE
821 */
822/* ARGSUSED */
823int
824setreuid(td, uap)
825 register struct thread *td;
826 struct setreuid_args *uap;
827{
828 struct proc *p = td->td_proc;
829 struct ucred *newcred, *oldcred;
830 uid_t euid, ruid;
831 int error;
832
833 euid = uap->euid;
834 ruid = uap->ruid;
835 mtx_lock(&Giant);
836 error = 0;
837 oldcred = p->p_ucred;
838 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
839 ruid != oldcred->cr_svuid) ||
840 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
841 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
842 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
843 goto done2;
844 newcred = crdup(oldcred);
845 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
846 change_euid(newcred, euid);
847 setsugid(p);
848 }
849 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
850 change_ruid(newcred, ruid);
851 setsugid(p);
852 }
853 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
854 newcred->cr_svuid != newcred->cr_uid) {
855 change_svuid(newcred, newcred->cr_uid);
856 setsugid(p);
857 }
858 p->p_ucred = newcred;
859 crfree(oldcred);
860done2:
861 mtx_unlock(&Giant);
862 return (error);
863}
864
865#ifndef _SYS_SYSPROTO_H_
866struct setregid_args {
867 gid_t rgid;
868 gid_t egid;
869};
870#endif
871/*
872 * MPSAFE
873 */
874/* ARGSUSED */
875int
876setregid(td, uap)
877 register struct thread *td;
878 struct setregid_args *uap;
879{
880 struct proc *p = td->td_proc;
881 struct ucred *newcred, *oldcred;
882 gid_t egid, rgid;
883 int error;
884
885 egid = uap->egid;
886 rgid = uap->rgid;
887 mtx_lock(&Giant);
888 error = 0;
889 oldcred = p->p_ucred;
890 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
891 rgid != oldcred->cr_svgid) ||
892 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
893 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
894 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
895 goto done2;
896 newcred = crdup(oldcred);
897 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
898 change_egid(newcred, egid);
899 setsugid(p);
900 }
901 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
902 change_rgid(newcred, rgid);
903 setsugid(p);
904 }
905 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
906 newcred->cr_svgid != newcred->cr_groups[0]) {
907 change_svgid(newcred, newcred->cr_groups[0]);
908 setsugid(p);
909 }
910 p->p_ucred = newcred;
911 crfree(oldcred);
912done2:
913 mtx_unlock(&Giant);
914 return (error);
915}
916
917/*
918 * setresuid(ruid, euid, suid) is like setreuid except control over the
919 * saved uid is explicit.
920 */
921
922#ifndef _SYS_SYSPROTO_H_
923struct setresuid_args {
924 uid_t ruid;
925 uid_t euid;
926 uid_t suid;
927};
928#endif
929/*
930 * MPSAFE
931 */
932/* ARGSUSED */
933int
934setresuid(td, uap)
935 register struct thread *td;
936 struct setresuid_args *uap;
937{
938 struct proc *p = td->td_proc;
939 struct ucred *newcred, *oldcred;
940 uid_t euid, ruid, suid;
941 int error;
942
943 euid = uap->euid;
944 ruid = uap->ruid;
945 suid = uap->suid;
946 mtx_lock(&Giant);
947 oldcred = p->p_ucred;
948 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
949 ruid != oldcred->cr_svuid &&
950 ruid != oldcred->cr_uid) ||
951 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
952 euid != oldcred->cr_svuid &&
953 euid != oldcred->cr_uid) ||
954 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
955 suid != oldcred->cr_svuid &&
956 suid != oldcred->cr_uid)) &&
957 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0)
958 goto done2;
959 newcred = crdup(oldcred);
960 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
961 change_euid(newcred, euid);
962 setsugid(p);
963 }
964 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
965 change_ruid(newcred, ruid);
966 setsugid(p);
967 }
968 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
969 change_svuid(newcred, suid);
970 setsugid(p);
971 }
972 p->p_ucred = newcred;
973 crfree(oldcred);
974 error = 0;
975done2:
976 mtx_unlock(&Giant);
977 return (error);
978}
979
980/*
981 * setresgid(rgid, egid, sgid) is like setregid except control over the
982 * saved gid is explicit.
983 */
984
985#ifndef _SYS_SYSPROTO_H_
986struct setresgid_args {
987 gid_t rgid;
988 gid_t egid;
989 gid_t sgid;
990};
991#endif
992/*
993 * MPSAFE
994 */
995/* ARGSUSED */
996int
997setresgid(td, uap)
998 register struct thread *td;
999 struct setresgid_args *uap;
1000{
1001 struct proc *p = td->td_proc;
1002 struct ucred *newcred, *oldcred;
1003 gid_t egid, rgid, sgid;
1004 int error;
1005
1006 egid = uap->egid;
1007 rgid = uap->rgid;
1008 sgid = uap->sgid;
1009 mtx_lock(&Giant);
1010 oldcred = p->p_ucred;
1011 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1012 rgid != oldcred->cr_svgid &&
1013 rgid != oldcred->cr_groups[0]) ||
1014 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1015 egid != oldcred->cr_svgid &&
1016 egid != oldcred->cr_groups[0]) ||
1017 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1018 sgid != oldcred->cr_svgid &&
1019 sgid != oldcred->cr_groups[0])) &&
1020 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) {
1021 goto done2;
1022 }
1023 newcred = crdup(oldcred);
1024 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1025 change_egid(newcred, egid);
1026 setsugid(p);
1027 }
1028 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1029 change_rgid(newcred, rgid);
1030 setsugid(p);
1031 }
1032 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1033 change_svgid(newcred, sgid);
1034 setsugid(p);
1035 }
1036 p->p_ucred = newcred;
1037 crfree(oldcred);
1038 error = 0;
1039done2:
1040 mtx_unlock(&Giant);
1041 return (error);
1042}
1043
1044#ifndef _SYS_SYSPROTO_H_
1045struct getresuid_args {
1046 uid_t *ruid;
1047 uid_t *euid;
1048 uid_t *suid;
1049};
1050#endif
1051/*
1052 * MPSAFE
1053 */
1054/* ARGSUSED */
1055int
1056getresuid(td, uap)
1057 register struct thread *td;
1058 struct getresuid_args *uap;
1059{
1060 struct ucred *cred;
1061 struct proc *p = td->td_proc;
1062 int error1 = 0, error2 = 0, error3 = 0;
1063
1064 mtx_lock(&Giant);
1065 cred = p->p_ucred;
1066 if (uap->ruid)
1067 error1 = copyout((caddr_t)&cred->cr_ruid,
1068 (caddr_t)uap->ruid, sizeof(cred->cr_ruid));
1069 if (uap->euid)
1070 error2 = copyout((caddr_t)&cred->cr_uid,
1071 (caddr_t)uap->euid, sizeof(cred->cr_uid));
1072 if (uap->suid)
1073 error3 = copyout((caddr_t)&cred->cr_svuid,
1074 (caddr_t)uap->suid, sizeof(cred->cr_svuid));
1075 mtx_unlock(&Giant);
1076 return (error1 ? error1 : error2 ? error2 : error3);
1077}
1078
1079#ifndef _SYS_SYSPROTO_H_
1080struct getresgid_args {
1081 gid_t *rgid;
1082 gid_t *egid;
1083 gid_t *sgid;
1084};
1085#endif
1086/*
1087 * MPSAFE
1088 */
1089/* ARGSUSED */
1090int
1091getresgid(td, uap)
1092 register struct thread *td;
1093 struct getresgid_args *uap;
1094{
1095 struct ucred *cred;
1096 struct proc *p = td->td_proc;
1097 int error1 = 0, error2 = 0, error3 = 0;
1098
1099 mtx_lock(&Giant);
1100 cred = p->p_ucred;
1101 if (uap->rgid)
1102 error1 = copyout((caddr_t)&cred->cr_rgid,
1103 (caddr_t)uap->rgid, sizeof(cred->cr_rgid));
1104 if (uap->egid)
1105 error2 = copyout((caddr_t)&cred->cr_groups[0],
1106 (caddr_t)uap->egid, sizeof(cred->cr_groups[0]));
1107 if (uap->sgid)
1108 error3 = copyout((caddr_t)&cred->cr_svgid,
1109 (caddr_t)uap->sgid, sizeof(cred->cr_svgid));
1110 mtx_unlock(&Giant);
1111 return (error1 ? error1 : error2 ? error2 : error3);
1112}
1113
1114#ifndef _SYS_SYSPROTO_H_
1115struct issetugid_args {
1116 int dummy;
1117};
1118#endif
1119/*
1120 * NOT MPSAFE?
1121 */
1122/* ARGSUSED */
1123int
1124issetugid(td, uap)
1125 register struct thread *td;
1126 struct issetugid_args *uap;
1127{
1128 struct proc *p = td->td_proc;
1129
1130 /*
1131 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1132 * we use P_SUGID because we consider changing the owners as
1133 * "tainting" as well.
1134 * This is significant for procs that start as root and "become"
1135 * a user without an exec - programs cannot know *everything*
1136 * that libc *might* have put in their data segment.
1137 */
1138 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1139 return (0);
1140}
1141
1142/*
1143 * MPSAFE
1144 */
1145int
1146__setugid(td, uap)
1147 struct thread *td;
1148 struct __setugid_args *uap;
1149{
1150#ifdef REGRESSION
1151 int error;
1152
1153 mtx_lock(&Giant);
1154 error = 0;
1155 switch (uap->flag) {
1156 case 0:
1157 td->td_proc->p_flag &= ~P_SUGID;
1158 break;
1159 case 1:
1160 td->td_proc->p_flag |= P_SUGID;
1161 break;
1162 default:
1163 error = EINVAL;
1164 break;
1165 }
1166 mtx_unlock(&Giant);
1167 return (error);
1168#else /* !REGRESSION */
1169
1170 return (ENOSYS);
1171#endif /* REGRESSION */
1172}
1173
1174/*
1175 * Check if gid is a member of the group set.
1176 */
1177int
1178groupmember(gid, cred)
1179 gid_t gid;
1180 struct ucred *cred;
1181{
1182 register gid_t *gp;
1183 gid_t *egp;
1184
1185 egp = &(cred->cr_groups[cred->cr_ngroups]);
1186 for (gp = cred->cr_groups; gp < egp; gp++)
1187 if (*gp == gid)
1188 return (1);
1189 return (0);
1190}
1191
1192/*
1193 * `suser_enabled' (which can be set by the kern.security.suser_enabled
1194 * sysctl) determines whether the system 'super-user' policy is in effect.
1195 * If it is nonzero, an effective uid of 0 connotes special privilege,
1196 * overriding many mandatory and discretionary protections. If it is zero,
1197 * uid 0 is offered no special privilege in the kernel security policy.
1198 * Setting it to zero may seriously impact the functionality of many
1199 * existing userland programs, and should not be done without careful
1200 * consideration of the consequences.
1201 */
1202int suser_enabled = 1;
1203SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1204 &suser_enabled, 0, "processes with uid 0 have privilege");
1205
1206/*
1207 * Test whether the specified credentials imply "super-user" privilege.
1208 * Return 0 or EPERM.
1209 */
1210int
1211suser(p)
1212 struct proc *p;
1213{
1214
1215 return (suser_xxx(0, p, 0));
1216}
1217
1218/*
1219 * version for when the thread pointer is available and not the proc.
1220 * (saves having to include proc.h into every file that needs to do the change.)
1221 */
1222int
1223suser_td(td)
1224 struct thread *td;
1225{
1226 return suser_xxx(0, td->td_proc, 0);
1227}
1228
1229/*
1230 * wrapper to use if you have the thread on hand but not the proc.
1231 */
1232int
1233suser_xxx_td(cred, td, flag)
1234 struct ucred *cred;
1235 struct thread *td;
1236 int flag;
1237{
1238 return(suser_xxx(cred, td->td_proc, flag));
1239}
1240
1241int
1242suser_xxx(cred, proc, flag)
1243 struct ucred *cred;
1244 struct proc *proc;
1245 int flag;
1246{
1247 if (!suser_enabled)
1248 return (EPERM);
1249 if (!cred && !proc) {
1250 printf("suser_xxx(): THINK!\n");
1251 return (EPERM);
1252 }
1253 if (cred == NULL)
1254 cred = proc->p_ucred;
1255 if (cred->cr_uid != 0)
1256 return (EPERM);
1257 if (jailed(cred) && !(flag & PRISON_ROOT))
1258 return (EPERM);
1259 return (0);
1260}
1261
1262/*
1263 * Test the active securelevel against a given level. securelevel_gt()
1264 * implements (securelevel > level). securelevel_ge() implements
1265 * (securelevel >= level). Note that the logic is inverted -- these
1266 * functions return EPERM on "success" and 0 on "failure".
1267 *
1268 * cr is permitted to be NULL for the time being, as there were some
1269 * existing securelevel checks that occurred without a process/credential
1270 * context. In the future this will be disallowed, so a kernel message
1271 * is displayed.
1272 */
1273int
1274securelevel_gt(struct ucred *cr, int level)
1275{
1276 int active_securelevel;
1277
1278 active_securelevel = securelevel;
1279 if (cr == NULL)
1280 printf("securelevel_gt: cr is NULL\n");
|
1281 if (cr->cr_prison != NULL)
| 1281 if (cr->cr_prison != NULL) {
1282 mtx_lock(&cr->cr_prison->pr_mtx);
|
1282 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1283 active_securelevel);
| 1283 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1284 active_securelevel);
|
| 1285 mtx_unlock(&cr->cr_prison->pr_mtx);
1286 }
|
1284 return (active_securelevel > level ? EPERM : 0);
1285}
1286
1287int
1288securelevel_ge(struct ucred *cr, int level)
1289{
1290 int active_securelevel;
1291
1292 active_securelevel = securelevel;
1293 if (cr == NULL)
1294 printf("securelevel_gt: cr is NULL\n");
| 1287 return (active_securelevel > level ? EPERM : 0);
1288}
1289
1290int
1291securelevel_ge(struct ucred *cr, int level)
1292{
1293 int active_securelevel;
1294
1295 active_securelevel = securelevel;
1296 if (cr == NULL)
1297 printf("securelevel_gt: cr is NULL\n");
|
1295 if (cr->cr_prison != NULL)
| 1298 if (cr->cr_prison != NULL) {
1299 mtx_lock(&cr->cr_prison->pr_mtx);
|
1296 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1297 active_securelevel);
| 1300 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1301 active_securelevel);
|
| 1302 mtx_unlock(&cr->cr_prison->pr_mtx);
1303 }
|
1298 return (active_securelevel >= level ? EPERM : 0);
1299}
1300
1301/*
1302 * 'see_other_uids' determines whether or not visibility of processes
1303 * and sockets with credentials holding different real uids is possible
1304 * using a variety of system MIBs.
1305 * XXX: data declarations should be together near the beginning of the file.
1306 */
1307static int see_other_uids = 1;
1308SYSCTL_INT(_kern_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1309 &see_other_uids, 0,
1310 "Unprivileged processes may see subjects/objects with different real uid");
1311
1312/*-
1313 * Determine if u1 "can see" the subject specified by u2.
1314 * Returns: 0 for permitted, an errno value otherwise
1315 * Locks: none
1316 * References: *u1 and *u2 must not change during the call
1317 * u1 may equal u2, in which case only one reference is required
1318 */
1319int
1320cr_cansee(struct ucred *u1, struct ucred *u2)
1321{
1322 int error;
1323
1324 if ((error = prison_check(u1, u2)))
1325 return (error);
1326 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1327 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
1328 return (ESRCH);
1329 }
1330 return (0);
1331}
1332
1333/*-
1334 * Determine if p1 "can see" the subject specified by p2.
1335 * Returns: 0 for permitted, an errno value otherwise
1336 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must
1337 * be held. Normally, p1 will be curproc, and a lock must be held
1338 * for p2.
1339 * References: p1 and p2 must be valid for the lifetime of the call
1340 */
1341int
1342p_cansee(struct proc *p1, struct proc *p2)
1343{
1344
1345 /* Wrap cr_cansee() for all functionality. */
1346 return (cr_cansee(p1->p_ucred, p2->p_ucred));
1347}
1348
1349/*-
1350 * Determine whether p1 may deliver the specified signal to p2.
1351 * Returns: 0 for permitted, an errno value otherwise
1352 * Locks: Sufficient locks to protect various components of p1 and p2
1353 * must be held. Normally, p1 will be curproc, and a lock must
1354 * be held for p2.
1355 * References: p1 and p2 must be valid for the lifetime of the call
1356 */
1357int
1358p_cansignal(struct proc *p1, struct proc *p2, int signum)
1359{
1360 int error;
1361
1362 if (p1 == p2)
1363 return (0);
1364
1365 /*
1366 * Jail semantics limit the scope of signalling to p2 in the same
1367 * jail as p1, if p1 is in jail.
1368 */
1369 if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1370 return (error);
1371
1372 /*
1373 * UNIX signalling semantics require that processes in the same
1374 * session always be able to deliver SIGCONT to one another,
1375 * overriding the remaining protections.
1376 */
1377 if (signum == SIGCONT && p1->p_session == p2->p_session)
1378 return (0);
1379
1380 /*
1381 * UNIX signal semantics depend on the status of the P_SUGID
1382 * bit on the target process. If the bit is set, then additional
1383 * restrictions are placed on the set of available signals.
1384 */
1385 if (p2->p_flag & P_SUGID) {
1386 switch (signum) {
1387 case 0:
1388 case SIGKILL:
1389 case SIGINT:
1390 case SIGTERM:
1391 case SIGSTOP:
1392 case SIGTTIN:
1393 case SIGTTOU:
1394 case SIGTSTP:
1395 case SIGHUP:
1396 case SIGUSR1:
1397 case SIGUSR2:
1398 /*
1399 * Generally, permit job and terminal control
1400 * signals.
1401 */
1402 break;
1403 default:
1404 /* Not permitted, privilege is required. */
1405 error = suser_xxx(NULL, p1, PRISON_ROOT);
1406 if (error)
1407 return (error);
1408 }
1409 }
1410
1411 /*
1412 * Generally, the target credential's ruid or svuid must match the
1413 * subject credential's ruid or euid.
1414 */
1415 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid &&
1416 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid &&
1417 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid &&
1418 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) {
1419 /* Not permitted, try privilege. */
1420 error = suser_xxx(NULL, p1, PRISON_ROOT);
1421 if (error)
1422 return (error);
1423 }
1424
1425 return (0);
1426}
1427
1428/*-
1429 * Determine whether p1 may reschedule p2.
1430 * Returns: 0 for permitted, an errno value otherwise
1431 * Locks: Sufficient locks to protect various components of p1 and p2
1432 * must be held. Normally, p1 will be curproc, and a lock must
1433 * be held for p2.
1434 * References: p1 and p2 must be valid for the lifetime of the call
1435 */
1436int
1437p_cansched(struct proc *p1, struct proc *p2)
1438{
1439 int error;
1440
1441 if (p1 == p2)
1442 return (0);
1443 if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1444 return (error);
1445 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
1446 return (0);
1447 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
1448 return (0);
1449 if (suser_xxx(0, p1, PRISON_ROOT) == 0)
1450 return (0);
1451
1452#ifdef CAPABILITIES
1453 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT))
1454 return (0);
1455#endif
1456
1457 return (EPERM);
1458}
1459
1460/*
1461 * The 'unprivileged_procdebug_permitted' flag may be used to disable
1462 * a variety of unprivileged inter-process debugging services, including
1463 * some procfs functionality, ptrace(), and ktrace(). In the past,
1464 * inter-process debugging has been involved in a variety of security
1465 * problems, and sites not requiring the service might choose to disable it
1466 * when hardening systems.
1467 *
1468 * XXX: Should modifying and reading this variable require locking?
1469 * XXX: data declarations should be together near the beginning of the file.
1470 */
1471static int unprivileged_proc_debug = 1;
1472SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1473 &unprivileged_proc_debug, 0,
1474 "Unprivileged processes may use process debugging facilities");
1475
1476/*-
1477 * Determine whether p1 may debug p2.
1478 * Returns: 0 for permitted, an errno value otherwise
1479 * Locks: Sufficient locks to protect various components of p1 and p2
1480 * must be held. Normally, p1 will be curproc, and a lock must
1481 * be held for p2.
1482 * References: p1 and p2 must be valid for the lifetime of the call
1483 */
1484int
1485p_candebug(struct proc *p1, struct proc *p2)
1486{
1487 int credentialchanged, error, grpsubset, i, uidsubset;
1488
1489 if (!unprivileged_proc_debug) {
1490 error = suser_xxx(NULL, p1, PRISON_ROOT);
1491 if (error)
1492 return (error);
1493 }
1494 if (p1 == p2)
1495 return (0);
1496 if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1497 return (error);
1498
1499 /*
1500 * Is p2's group set a subset of p1's effective group set? This
1501 * includes p2's egid, group access list, rgid, and svgid.
1502 */
1503 grpsubset = 1;
1504 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) {
1505 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) {
1506 grpsubset = 0;
1507 break;
1508 }
1509 }
1510 grpsubset = grpsubset &&
1511 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) &&
1512 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred);
1513
1514 /*
1515 * Are the uids present in p2's credential equal to p1's
1516 * effective uid? This includes p2's euid, svuid, and ruid.
1517 */
1518 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid &&
1519 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid &&
1520 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid);
1521
1522 /*
1523 * Has the credential of the process changed since the last exec()?
1524 */
1525 credentialchanged = (p2->p_flag & P_SUGID);
1526
1527 /*
1528 * If p2's gids aren't a subset, or the uids aren't a subset,
1529 * or the credential has changed, require appropriate privilege
1530 * for p1 to debug p2. For POSIX.1e capabilities, this will
1531 * require CAP_SYS_PTRACE.
1532 */
1533 if (!grpsubset || !uidsubset || credentialchanged) {
1534 error = suser_xxx(NULL, p1, PRISON_ROOT);
1535 if (error)
1536 return (error);
1537 }
1538
1539 /* Can't trace init when securelevel > 0. */
1540 if (p2 == initproc) {
1541 error = securelevel_gt(p1->p_ucred, 0);
1542 if (error)
1543 return (error);
1544 }
1545
1546 /*
1547 * Can't trace a process that's currently exec'ing.
1548 * XXX: Note, this is not a security policy decision, it's a
1549 * basic correctness/functionality decision. Therefore, this check
1550 * should be moved to the caller's of p_candebug().
1551 */
1552 if ((p2->p_flag & P_INEXEC) != 0)
1553 return (EAGAIN);
1554
1555 return (0);
1556}
1557
1558/*
1559 * Allocate a zeroed cred structure.
1560 */
1561struct ucred *
1562crget()
1563{
1564 register struct ucred *cr;
1565
1566 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1567 cr->cr_ref = 1;
1568 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF);
1569 return (cr);
1570}
1571
1572/*
1573 * Claim another reference to a ucred structure.
1574 */
1575struct ucred *
1576crhold(cr)
1577 struct ucred *cr;
1578{
1579
1580 mtx_lock(&cr->cr_mtx);
1581 cr->cr_ref++;
1582 mtx_unlock(&cr->cr_mtx);
1583 return (cr);
1584}
1585
1586/*
1587 * Free a cred structure.
1588 * Throws away space when ref count gets to 0.
1589 */
1590void
1591crfree(cr)
1592 struct ucred *cr;
1593{
1594
1595 mtx_lock(&cr->cr_mtx);
1596 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1597 if (--cr->cr_ref == 0) {
1598 mtx_destroy(&cr->cr_mtx);
1599 /*
1600 * Some callers of crget(), such as nfs_statfs(),
1601 * allocate a temporary credential, but don't
1602 * allocate a uidinfo structure.
1603 */
1604 if (cr->cr_uidinfo != NULL)
1605 uifree(cr->cr_uidinfo);
1606 if (cr->cr_ruidinfo != NULL)
1607 uifree(cr->cr_ruidinfo);
1608 /*
1609 * Free a prison, if any.
1610 */
1611 if (jailed(cr))
1612 prison_free(cr->cr_prison);
1613 FREE((caddr_t)cr, M_CRED);
1614 } else
1615 mtx_unlock(&cr->cr_mtx);
1616}
1617
1618/*
1619 * Check to see if this ucred is shared.
1620 */
1621int
1622crshared(cr)
1623 struct ucred *cr;
1624{
1625 int shared;
1626
1627 mtx_lock(&cr->cr_mtx);
1628 shared = (cr->cr_ref > 1);
1629 mtx_unlock(&cr->cr_mtx);
1630 return (shared);
1631}
1632
1633/*
1634 * Copy a ucred's contents from a template. Does not block.
1635 */
1636void
1637crcopy(dest, src)
1638 struct ucred *dest, *src;
1639{
1640
1641 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1642 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1643 (unsigned)((caddr_t)&src->cr_endcopy -
1644 (caddr_t)&src->cr_startcopy));
1645 uihold(dest->cr_uidinfo);
1646 uihold(dest->cr_ruidinfo);
1647 if (jailed(dest))
1648 prison_hold(dest->cr_prison);
1649}
1650
1651/*
1652 * Dup cred struct to a new held one.
1653 */
1654struct ucred *
1655crdup(cr)
1656 struct ucred *cr;
1657{
1658 struct ucred *newcr;
1659
1660 newcr = crget();
1661 crcopy(newcr, cr);
1662 return (newcr);
1663}
1664
1665/*
1666 * Get login name, if available.
1667 */
1668#ifndef _SYS_SYSPROTO_H_
1669struct getlogin_args {
1670 char *namebuf;
1671 u_int namelen;
1672};
1673#endif
1674/*
1675 * MPSAFE
1676 */
1677/* ARGSUSED */
1678int
1679getlogin(td, uap)
1680 struct thread *td;
1681 struct getlogin_args *uap;
1682{
1683 int error;
1684 struct proc *p = td->td_proc;
1685
1686 mtx_lock(&Giant);
1687 if (uap->namelen > MAXLOGNAME)
1688 uap->namelen = MAXLOGNAME;
1689 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login,
1690 (caddr_t) uap->namebuf, uap->namelen);
1691 mtx_unlock(&Giant);
1692 return(error);
1693}
1694
1695/*
1696 * Set login name.
1697 */
1698#ifndef _SYS_SYSPROTO_H_
1699struct setlogin_args {
1700 char *namebuf;
1701};
1702#endif
1703/*
1704 * MPSAFE
1705 */
1706/* ARGSUSED */
1707int
1708setlogin(td, uap)
1709 struct thread *td;
1710 struct setlogin_args *uap;
1711{
1712 struct proc *p = td->td_proc;
1713 int error;
1714 char logintmp[MAXLOGNAME];
1715
1716 mtx_lock(&Giant);
1717 if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0)
1718 goto done2;
1719 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
1720 sizeof(logintmp), (size_t *)0);
1721 if (error == ENAMETOOLONG)
1722 error = EINVAL;
1723 else if (!error)
1724 (void)memcpy(p->p_pgrp->pg_session->s_login, logintmp,
1725 sizeof(logintmp));
1726done2:
1727 mtx_unlock(&Giant);
1728 return (error);
1729}
1730
1731void
1732setsugid(p)
1733 struct proc *p;
1734{
1735 p->p_flag |= P_SUGID;
1736 if (!(p->p_pfsflags & PF_ISUGID))
1737 p->p_stops = 0;
1738}
1739
1740/*-
1741 * Change a process's effective uid.
1742 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1743 * References: newcred must be an exclusive credential reference for the
1744 * duration of the call.
1745 */
1746void
1747change_euid(newcred, euid)
1748 struct ucred *newcred;
1749 uid_t euid;
1750{
1751
1752 newcred->cr_uid = euid;
1753 uifree(newcred->cr_uidinfo);
1754 newcred->cr_uidinfo = uifind(euid);
1755}
1756
1757/*-
1758 * Change a process's effective gid.
1759 * Side effects: newcred->cr_gid will be modified.
1760 * References: newcred must be an exclusive credential reference for the
1761 * duration of the call.
1762 */
1763void
1764change_egid(newcred, egid)
1765 struct ucred *newcred;
1766 gid_t egid;
1767{
1768
1769 newcred->cr_groups[0] = egid;
1770}
1771
1772/*-
1773 * Change a process's real uid.
1774 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1775 * will be updated, and the old and new cr_ruidinfo proc
1776 * counts will be updated.
1777 * References: newcred must be an exclusive credential reference for the
1778 * duration of the call.
1779 */
1780void
1781change_ruid(newcred, ruid)
1782 struct ucred *newcred;
1783 uid_t ruid;
1784{
1785
1786 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1787 newcred->cr_ruid = ruid;
1788 uifree(newcred->cr_ruidinfo);
1789 newcred->cr_ruidinfo = uifind(ruid);
1790 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1791}
1792
1793/*-
1794 * Change a process's real gid.
1795 * Side effects: newcred->cr_rgid will be updated.
1796 * References: newcred must be an exclusive credential reference for the
1797 * duration of the call.
1798 */
1799void
1800change_rgid(newcred, rgid)
1801 struct ucred *newcred;
1802 gid_t rgid;
1803{
1804
1805 newcred->cr_rgid = rgid;
1806}
1807
1808/*-
1809 * Change a process's saved uid.
1810 * Side effects: newcred->cr_svuid will be updated.
1811 * References: newcred must be an exclusive credential reference for the
1812 * duration of the call.
1813 */
1814void
1815change_svuid(newcred, svuid)
1816 struct ucred *newcred;
1817 uid_t svuid;
1818{
1819
1820 newcred->cr_svuid = svuid;
1821}
1822
1823/*-
1824 * Change a process's saved gid.
1825 * Side effects: newcred->cr_svgid will be updated.
1826 * References: newcred must be an exclusive credential reference for the
1827 * duration of the call.
1828 */
1829void
1830change_svgid(newcred, svgid)
1831 struct ucred *newcred;
1832 gid_t svgid;
1833{
1834
1835 newcred->cr_svgid = svgid;
1836}
| 1304 return (active_securelevel >= level ? EPERM : 0);
1305}
1306
1307/*
1308 * 'see_other_uids' determines whether or not visibility of processes
1309 * and sockets with credentials holding different real uids is possible
1310 * using a variety of system MIBs.
1311 * XXX: data declarations should be together near the beginning of the file.
1312 */
1313static int see_other_uids = 1;
1314SYSCTL_INT(_kern_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1315 &see_other_uids, 0,
1316 "Unprivileged processes may see subjects/objects with different real uid");
1317
1318/*-
1319 * Determine if u1 "can see" the subject specified by u2.
1320 * Returns: 0 for permitted, an errno value otherwise
1321 * Locks: none
1322 * References: *u1 and *u2 must not change during the call
1323 * u1 may equal u2, in which case only one reference is required
1324 */
1325int
1326cr_cansee(struct ucred *u1, struct ucred *u2)
1327{
1328 int error;
1329
1330 if ((error = prison_check(u1, u2)))
1331 return (error);
1332 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1333 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
1334 return (ESRCH);
1335 }
1336 return (0);
1337}
1338
1339/*-
1340 * Determine if p1 "can see" the subject specified by p2.
1341 * Returns: 0 for permitted, an errno value otherwise
1342 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must
1343 * be held. Normally, p1 will be curproc, and a lock must be held
1344 * for p2.
1345 * References: p1 and p2 must be valid for the lifetime of the call
1346 */
1347int
1348p_cansee(struct proc *p1, struct proc *p2)
1349{
1350
1351 /* Wrap cr_cansee() for all functionality. */
1352 return (cr_cansee(p1->p_ucred, p2->p_ucred));
1353}
1354
1355/*-
1356 * Determine whether p1 may deliver the specified signal to p2.
1357 * Returns: 0 for permitted, an errno value otherwise
1358 * Locks: Sufficient locks to protect various components of p1 and p2
1359 * must be held. Normally, p1 will be curproc, and a lock must
1360 * be held for p2.
1361 * References: p1 and p2 must be valid for the lifetime of the call
1362 */
1363int
1364p_cansignal(struct proc *p1, struct proc *p2, int signum)
1365{
1366 int error;
1367
1368 if (p1 == p2)
1369 return (0);
1370
1371 /*
1372 * Jail semantics limit the scope of signalling to p2 in the same
1373 * jail as p1, if p1 is in jail.
1374 */
1375 if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1376 return (error);
1377
1378 /*
1379 * UNIX signalling semantics require that processes in the same
1380 * session always be able to deliver SIGCONT to one another,
1381 * overriding the remaining protections.
1382 */
1383 if (signum == SIGCONT && p1->p_session == p2->p_session)
1384 return (0);
1385
1386 /*
1387 * UNIX signal semantics depend on the status of the P_SUGID
1388 * bit on the target process. If the bit is set, then additional
1389 * restrictions are placed on the set of available signals.
1390 */
1391 if (p2->p_flag & P_SUGID) {
1392 switch (signum) {
1393 case 0:
1394 case SIGKILL:
1395 case SIGINT:
1396 case SIGTERM:
1397 case SIGSTOP:
1398 case SIGTTIN:
1399 case SIGTTOU:
1400 case SIGTSTP:
1401 case SIGHUP:
1402 case SIGUSR1:
1403 case SIGUSR2:
1404 /*
1405 * Generally, permit job and terminal control
1406 * signals.
1407 */
1408 break;
1409 default:
1410 /* Not permitted, privilege is required. */
1411 error = suser_xxx(NULL, p1, PRISON_ROOT);
1412 if (error)
1413 return (error);
1414 }
1415 }
1416
1417 /*
1418 * Generally, the target credential's ruid or svuid must match the
1419 * subject credential's ruid or euid.
1420 */
1421 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid &&
1422 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid &&
1423 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid &&
1424 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) {
1425 /* Not permitted, try privilege. */
1426 error = suser_xxx(NULL, p1, PRISON_ROOT);
1427 if (error)
1428 return (error);
1429 }
1430
1431 return (0);
1432}
1433
1434/*-
1435 * Determine whether p1 may reschedule p2.
1436 * Returns: 0 for permitted, an errno value otherwise
1437 * Locks: Sufficient locks to protect various components of p1 and p2
1438 * must be held. Normally, p1 will be curproc, and a lock must
1439 * be held for p2.
1440 * References: p1 and p2 must be valid for the lifetime of the call
1441 */
1442int
1443p_cansched(struct proc *p1, struct proc *p2)
1444{
1445 int error;
1446
1447 if (p1 == p2)
1448 return (0);
1449 if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1450 return (error);
1451 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
1452 return (0);
1453 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
1454 return (0);
1455 if (suser_xxx(0, p1, PRISON_ROOT) == 0)
1456 return (0);
1457
1458#ifdef CAPABILITIES
1459 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT))
1460 return (0);
1461#endif
1462
1463 return (EPERM);
1464}
1465
1466/*
1467 * The 'unprivileged_procdebug_permitted' flag may be used to disable
1468 * a variety of unprivileged inter-process debugging services, including
1469 * some procfs functionality, ptrace(), and ktrace(). In the past,
1470 * inter-process debugging has been involved in a variety of security
1471 * problems, and sites not requiring the service might choose to disable it
1472 * when hardening systems.
1473 *
1474 * XXX: Should modifying and reading this variable require locking?
1475 * XXX: data declarations should be together near the beginning of the file.
1476 */
1477static int unprivileged_proc_debug = 1;
1478SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1479 &unprivileged_proc_debug, 0,
1480 "Unprivileged processes may use process debugging facilities");
1481
1482/*-
1483 * Determine whether p1 may debug p2.
1484 * Returns: 0 for permitted, an errno value otherwise
1485 * Locks: Sufficient locks to protect various components of p1 and p2
1486 * must be held. Normally, p1 will be curproc, and a lock must
1487 * be held for p2.
1488 * References: p1 and p2 must be valid for the lifetime of the call
1489 */
1490int
1491p_candebug(struct proc *p1, struct proc *p2)
1492{
1493 int credentialchanged, error, grpsubset, i, uidsubset;
1494
1495 if (!unprivileged_proc_debug) {
1496 error = suser_xxx(NULL, p1, PRISON_ROOT);
1497 if (error)
1498 return (error);
1499 }
1500 if (p1 == p2)
1501 return (0);
1502 if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
1503 return (error);
1504
1505 /*
1506 * Is p2's group set a subset of p1's effective group set? This
1507 * includes p2's egid, group access list, rgid, and svgid.
1508 */
1509 grpsubset = 1;
1510 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) {
1511 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) {
1512 grpsubset = 0;
1513 break;
1514 }
1515 }
1516 grpsubset = grpsubset &&
1517 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) &&
1518 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred);
1519
1520 /*
1521 * Are the uids present in p2's credential equal to p1's
1522 * effective uid? This includes p2's euid, svuid, and ruid.
1523 */
1524 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid &&
1525 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid &&
1526 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid);
1527
1528 /*
1529 * Has the credential of the process changed since the last exec()?
1530 */
1531 credentialchanged = (p2->p_flag & P_SUGID);
1532
1533 /*
1534 * If p2's gids aren't a subset, or the uids aren't a subset,
1535 * or the credential has changed, require appropriate privilege
1536 * for p1 to debug p2. For POSIX.1e capabilities, this will
1537 * require CAP_SYS_PTRACE.
1538 */
1539 if (!grpsubset || !uidsubset || credentialchanged) {
1540 error = suser_xxx(NULL, p1, PRISON_ROOT);
1541 if (error)
1542 return (error);
1543 }
1544
1545 /* Can't trace init when securelevel > 0. */
1546 if (p2 == initproc) {
1547 error = securelevel_gt(p1->p_ucred, 0);
1548 if (error)
1549 return (error);
1550 }
1551
1552 /*
1553 * Can't trace a process that's currently exec'ing.
1554 * XXX: Note, this is not a security policy decision, it's a
1555 * basic correctness/functionality decision. Therefore, this check
1556 * should be moved to the caller's of p_candebug().
1557 */
1558 if ((p2->p_flag & P_INEXEC) != 0)
1559 return (EAGAIN);
1560
1561 return (0);
1562}
1563
1564/*
1565 * Allocate a zeroed cred structure.
1566 */
1567struct ucred *
1568crget()
1569{
1570 register struct ucred *cr;
1571
1572 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1573 cr->cr_ref = 1;
1574 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF);
1575 return (cr);
1576}
1577
1578/*
1579 * Claim another reference to a ucred structure.
1580 */
1581struct ucred *
1582crhold(cr)
1583 struct ucred *cr;
1584{
1585
1586 mtx_lock(&cr->cr_mtx);
1587 cr->cr_ref++;
1588 mtx_unlock(&cr->cr_mtx);
1589 return (cr);
1590}
1591
1592/*
1593 * Free a cred structure.
1594 * Throws away space when ref count gets to 0.
1595 */
1596void
1597crfree(cr)
1598 struct ucred *cr;
1599{
1600
1601 mtx_lock(&cr->cr_mtx);
1602 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1603 if (--cr->cr_ref == 0) {
1604 mtx_destroy(&cr->cr_mtx);
1605 /*
1606 * Some callers of crget(), such as nfs_statfs(),
1607 * allocate a temporary credential, but don't
1608 * allocate a uidinfo structure.
1609 */
1610 if (cr->cr_uidinfo != NULL)
1611 uifree(cr->cr_uidinfo);
1612 if (cr->cr_ruidinfo != NULL)
1613 uifree(cr->cr_ruidinfo);
1614 /*
1615 * Free a prison, if any.
1616 */
1617 if (jailed(cr))
1618 prison_free(cr->cr_prison);
1619 FREE((caddr_t)cr, M_CRED);
1620 } else
1621 mtx_unlock(&cr->cr_mtx);
1622}
1623
1624/*
1625 * Check to see if this ucred is shared.
1626 */
1627int
1628crshared(cr)
1629 struct ucred *cr;
1630{
1631 int shared;
1632
1633 mtx_lock(&cr->cr_mtx);
1634 shared = (cr->cr_ref > 1);
1635 mtx_unlock(&cr->cr_mtx);
1636 return (shared);
1637}
1638
1639/*
1640 * Copy a ucred's contents from a template. Does not block.
1641 */
1642void
1643crcopy(dest, src)
1644 struct ucred *dest, *src;
1645{
1646
1647 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1648 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1649 (unsigned)((caddr_t)&src->cr_endcopy -
1650 (caddr_t)&src->cr_startcopy));
1651 uihold(dest->cr_uidinfo);
1652 uihold(dest->cr_ruidinfo);
1653 if (jailed(dest))
1654 prison_hold(dest->cr_prison);
1655}
1656
1657/*
1658 * Dup cred struct to a new held one.
1659 */
1660struct ucred *
1661crdup(cr)
1662 struct ucred *cr;
1663{
1664 struct ucred *newcr;
1665
1666 newcr = crget();
1667 crcopy(newcr, cr);
1668 return (newcr);
1669}
1670
1671/*
1672 * Get login name, if available.
1673 */
1674#ifndef _SYS_SYSPROTO_H_
1675struct getlogin_args {
1676 char *namebuf;
1677 u_int namelen;
1678};
1679#endif
1680/*
1681 * MPSAFE
1682 */
1683/* ARGSUSED */
1684int
1685getlogin(td, uap)
1686 struct thread *td;
1687 struct getlogin_args *uap;
1688{
1689 int error;
1690 struct proc *p = td->td_proc;
1691
1692 mtx_lock(&Giant);
1693 if (uap->namelen > MAXLOGNAME)
1694 uap->namelen = MAXLOGNAME;
1695 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login,
1696 (caddr_t) uap->namebuf, uap->namelen);
1697 mtx_unlock(&Giant);
1698 return(error);
1699}
1700
1701/*
1702 * Set login name.
1703 */
1704#ifndef _SYS_SYSPROTO_H_
1705struct setlogin_args {
1706 char *namebuf;
1707};
1708#endif
1709/*
1710 * MPSAFE
1711 */
1712/* ARGSUSED */
1713int
1714setlogin(td, uap)
1715 struct thread *td;
1716 struct setlogin_args *uap;
1717{
1718 struct proc *p = td->td_proc;
1719 int error;
1720 char logintmp[MAXLOGNAME];
1721
1722 mtx_lock(&Giant);
1723 if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0)
1724 goto done2;
1725 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
1726 sizeof(logintmp), (size_t *)0);
1727 if (error == ENAMETOOLONG)
1728 error = EINVAL;
1729 else if (!error)
1730 (void)memcpy(p->p_pgrp->pg_session->s_login, logintmp,
1731 sizeof(logintmp));
1732done2:
1733 mtx_unlock(&Giant);
1734 return (error);
1735}
1736
1737void
1738setsugid(p)
1739 struct proc *p;
1740{
1741 p->p_flag |= P_SUGID;
1742 if (!(p->p_pfsflags & PF_ISUGID))
1743 p->p_stops = 0;
1744}
1745
1746/*-
1747 * Change a process's effective uid.
1748 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1749 * References: newcred must be an exclusive credential reference for the
1750 * duration of the call.
1751 */
1752void
1753change_euid(newcred, euid)
1754 struct ucred *newcred;
1755 uid_t euid;
1756{
1757
1758 newcred->cr_uid = euid;
1759 uifree(newcred->cr_uidinfo);
1760 newcred->cr_uidinfo = uifind(euid);
1761}
1762
1763/*-
1764 * Change a process's effective gid.
1765 * Side effects: newcred->cr_gid will be modified.
1766 * References: newcred must be an exclusive credential reference for the
1767 * duration of the call.
1768 */
1769void
1770change_egid(newcred, egid)
1771 struct ucred *newcred;
1772 gid_t egid;
1773{
1774
1775 newcred->cr_groups[0] = egid;
1776}
1777
1778/*-
1779 * Change a process's real uid.
1780 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1781 * will be updated, and the old and new cr_ruidinfo proc
1782 * counts will be updated.
1783 * References: newcred must be an exclusive credential reference for the
1784 * duration of the call.
1785 */
1786void
1787change_ruid(newcred, ruid)
1788 struct ucred *newcred;
1789 uid_t ruid;
1790{
1791
1792 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1793 newcred->cr_ruid = ruid;
1794 uifree(newcred->cr_ruidinfo);
1795 newcred->cr_ruidinfo = uifind(ruid);
1796 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1797}
1798
1799/*-
1800 * Change a process's real gid.
1801 * Side effects: newcred->cr_rgid will be updated.
1802 * References: newcred must be an exclusive credential reference for the
1803 * duration of the call.
1804 */
1805void
1806change_rgid(newcred, rgid)
1807 struct ucred *newcred;
1808 gid_t rgid;
1809{
1810
1811 newcred->cr_rgid = rgid;
1812}
1813
1814/*-
1815 * Change a process's saved uid.
1816 * Side effects: newcred->cr_svuid will be updated.
1817 * References: newcred must be an exclusive credential reference for the
1818 * duration of the call.
1819 */
1820void
1821change_svuid(newcred, svuid)
1822 struct ucred *newcred;
1823 uid_t svuid;
1824{
1825
1826 newcred->cr_svuid = svuid;
1827}
1828
1829/*-
1830 * Change a process's saved gid.
1831 * Side effects: newcred->cr_svgid will be updated.
1832 * References: newcred must be an exclusive credential reference for the
1833 * duration of the call.
1834 */
1835void
1836change_svgid(newcred, svgid)
1837 struct ucred *newcred;
1838 gid_t svgid;
1839{
1840
1841 newcred->cr_svgid = svgid;
1842}
|