713 	kauth_cred_t my_cred, my_new_cred;
718 	my_cred = kauth_cred_proc_ref(p);
720 	DEBUG_CRED_ENTER("setuid (%d/%d): %p %d\n", p->p_pid, (p->p_pptr ? p->p_pptr->p_pid : 0), my_cred, uap->uid);
723 	if (uid != my_cred->cr_ruid &&	/* allow setuid(getuid()) */
724 	    uid != my_cred->cr_svuid &&	/* allow setuid(saved uid) */
725 	    (error = suser(my_cred, &p->p_acflag))) {
726 		kauth_cred_unref(&my_cred);
737 	if (suser(my_cred, &p->p_acflag) == 0) {
759 		if (!(my_cred->cr_flags & CRF_NOMEMBERD))
769 		my_new_cred = kauth_cred_setresuid(my_cred, ruid, uid, svuid, gmuid);
770 		if (my_cred != my_new_cred) {
772 			DEBUG_CRED_CHANGE("setuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
781 			if (p->p_ucred != my_cred) {
784 				my_cred = kauth_cred_proc_ref(p);
795 	kauth_cred_unref(&my_cred);
825 	kauth_cred_t my_cred, my_new_cred;
832 	my_cred = kauth_cred_proc_ref(p);
834 	if (euid != my_cred->cr_ruid && euid != my_cred->cr_svuid &&
835 	    (error = suser(my_cred, &p->p_acflag))) {
836 		kauth_cred_unref(&my_cred);
853 		my_new_cred = kauth_cred_setresuid(my_cred, KAUTH_UID_NONE, euid, KAUTH_UID_NONE, my_cred->cr_gmuid);
855 		if (my_cred != my_new_cred) {
857 			DEBUG_CRED_CHANGE("seteuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
866 			if (p->p_ucred != my_cred) {
869 				my_cred = kauth_cred_proc_ref(p);
880 	kauth_cred_unref(&my_cred);
923 	kauth_cred_t my_cred, my_new_cred;
935 	my_cred = kauth_cred_proc_ref(p);
938 	      ruid != my_cred->cr_ruid &&	/* allow ruid = ruid */
939 	      ruid != my_cred->cr_uid &&	/* allow ruid = euid */
940 	      ruid != my_cred->cr_svuid) ||	/* allow ruid = svuid */
942 	      euid != my_cred->cr_uid &&	/* allow euid = euid */
943 	      euid != my_cred->cr_ruid &&	/* allow euid = ruid */
944 	      euid != my_cred->cr_svuid)) &&	/* allow euid = svui */
945 	    (error = suser(my_cred, &p->p_acflag))) { /* allow root user any */
946 		kauth_cred_unref(&my_cred);
960 		new_euid = my_cred->cr_uid;
961 		new_ruid = my_cred->cr_ruid;
970 		if (euid == KAUTH_UID_NONE && my_cred->cr_uid != euid) {
975 		if (ruid != KAUTH_UID_NONE && my_cred->cr_ruid != ruid) {
979 			(void)chgproccnt(my_cred->cr_ruid, -1);
989 		if (my_cred->cr_svuid != uap->ruid &&
990 		    my_cred->cr_svuid != uap->euid) {
995 		my_new_cred = kauth_cred_setresuid(my_cred, ruid, euid, svuid, my_cred->cr_gmuid);
997 		if (my_cred != my_new_cred) {
999 			DEBUG_CRED_CHANGE("setreuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1008 			if (p->p_ucred != my_cred) {
1011 				my_cred = kauth_cred_proc_ref(p);
1022 	kauth_cred_unref(&my_cred);
1061 	kauth_cred_t my_cred, my_new_cred;
1068 	my_cred = kauth_cred_proc_ref(p);
1070 	if (gid != my_cred->cr_rgid &&	/* allow setgid(getgid()) */
1071 	    gid != my_cred->cr_svgid &&	/* allow setgid(saved gid) */
1072 	    (error = suser(my_cred, &p->p_acflag))) {
1073 		kauth_cred_unref(&my_cred);
1081 	if (suser(my_cred,  &p->p_acflag) == 0) {
1096 		my_new_cred = kauth_cred_setresgid(my_cred, rgid, gid, svgid);
1097 		if (my_cred != my_new_cred) {
1099 			DEBUG_CRED_CHANGE("setgid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1108 			if (p->p_ucred != my_cred) {
1112 				my_cred = kauth_cred_proc_ref(p);
1122 	kauth_cred_unref(&my_cred);
1157 	kauth_cred_t my_cred, my_new_cred;
1164 	my_cred = kauth_cred_proc_ref(p);
1166 	if (egid != my_cred->cr_rgid &&
1167 	    egid != my_cred->cr_svgid &&
1168 	    (error = suser(my_cred, &p->p_acflag))) {
1169 		kauth_cred_unref(&my_cred);
1182 		my_new_cred = kauth_cred_setresgid(my_cred, KAUTH_GID_NONE, egid, KAUTH_GID_NONE);
1183 		if (my_cred != my_new_cred) {
1185 			DEBUG_CRED_CHANGE("setegid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1194 			if (p->p_ucred != my_cred) {
1198 				my_cred = kauth_cred_proc_ref(p);
1209 	kauth_cred_unref(&my_cred);
1257 	kauth_cred_t my_cred, my_new_cred;
1270 	my_cred = kauth_cred_proc_ref(p);
1273 	      rgid != my_cred->cr_rgid &&	/* allow rgid = rgid */
1274 	      rgid != my_cred->cr_gid &&	/* allow rgid = egid */
1275 	      rgid != my_cred->cr_svgid) ||	/* allow rgid = svgid */
1277 	      egid != my_cred->cr_groups[0] &&	/* allow no change of egid */
1278 	      egid != my_cred->cr_gid &&	/* allow egid = egid */
1279 	      egid != my_cred->cr_rgid &&	/* allow egid = rgid */
1280 	      egid != my_cred->cr_svgid)) &&	/* allow egid = svgid */
1281 	    (error = suser(my_cred, &p->p_acflag))) { /* allow root user any */
1282 		kauth_cred_unref(&my_cred);
1288 		uid_t new_egid = my_cred->cr_gid;
1289 		uid_t new_rgid = my_cred->cr_rgid;
1300 		if (egid == KAUTH_UID_NONE && my_cred->cr_groups[0] != egid) {
1305 		if (rgid != KAUTH_UID_NONE && my_cred->cr_rgid != rgid) {
1316 		if (my_cred->cr_svgid != uap->rgid &&
1317 		    my_cred->cr_svgid != uap->egid) {
1322 		my_new_cred = kauth_cred_setresgid(my_cred, rgid, egid, svgid);
1323 		if (my_cred != my_new_cred) {
1325 			DEBUG_CRED_CHANGE("setregid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1333 			if (p->p_ucred != my_cred) {
1337 				my_cred = kauth_cred_proc_ref(p);
1347 	kauth_cred_unref(&my_cred);
1389 		kauth_cred_t my_cred, my_new_cred;
1404 		my_cred = uthread->uu_ucred;
1405 		my_new_cred = kauth_cred_setuidgid(my_cred, uid, gid);
1406 		if (my_cred != my_new_cred)
1411 		kauth_cred_unref(&my_cred);
1438 	kauth_cred_t my_cred, my_target_cred, my_new_cred;
1484 		my_cred = uthread->uu_ucred;
1486 		my_new_cred = kauth_cred_setuidgid(my_cred, my_target_cred->cr_uid, my_target_cred->cr_gid);
1487 		if (my_cred != my_new_cred)
1494 		kauth_cred_unref(&my_cred);
1559 	kauth_cred_t my_cred, my_new_cred;
1578 	my_cred = kauth_cred_proc_ref(p);
1579 	if ((error = suser(my_cred, &p->p_acflag))) {
1580 		kauth_cred_unref(&my_cred);
1588 		kauth_cred_unref(&my_cred);
1599 		my_cred = uthread->uu_ucred;
1600 		uthread->uu_ucred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, gmuid);
1602 		if (my_cred != uthread->uu_ucred) {
1603 			DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred_flags, uthread->uu_ucred , uthread->uu_ucred ->cr_flags);
1621 			my_new_cred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, gmuid);
1622 			if (my_cred != my_new_cred) {
1624 				DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1634 				if (p->p_ucred != my_cred) {
1637 					my_cred = kauth_cred_proc_ref(p);
1648 		AUDIT_ARG(groupset, my_cred->cr_groups, ngrp);
1649 		kauth_cred_unref(&my_cred);
1823 	kauth_cred_t my_cred;
1829 	my_cred = kauth_cred_proc_ref(p);
1831 	err =  (suser(my_cred, &p->p_acflag) == 0 ||
1832 			my_cred->cr_ruid == 0 || my_cred->cr_svuid == 0);
1833 	kauth_cred_unref(&my_cred);
1947 	kauth_cred_t my_cred;
1963 	my_cred = kauth_cred_proc_ref(p);
1965 	if (IS_VALID_CRED(my_cred)) {
1966 		sec_token.val[0] = kauth_cred_getuid(my_cred);
1967 		sec_token.val[1] = my_cred->cr_gid;
1982 	audit_token.val[0] = my_cred->cr_au.ai_auid;
1983 	audit_token.val[1] = my_cred->cr_uid;
1984 	audit_token.val[2] = my_cred->cr_gid;
1985 	audit_token.val[3] = my_cred->cr_ruid;
1986 	audit_token.val[4] = my_cred->cr_rgid;
1988 	audit_token.val[6] = my_cred->cr_au.ai_asid;
1992 	mac_task_label_update_cred(my_cred, p->task);
1997 	if (host_priv != HOST_PRIV_NULL && mac_system_check_host_priv(my_cred))
2000 	kauth_cred_unref(&my_cred);

Indexes created Sat Jul 13 22:46:07 MDT 2024