kern_prot.c revision 87218
1/* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD: head/sys/kern/kern_prot.c 87218 2001-12-02 15:07:10Z rwatson $ 41 */ 42 43/* 44 * System calls related to processes and protection 45 */ 46 47#include "opt_compat.h" 48#include "opt_global.h" 49 50#include <sys/param.h> 51#include <sys/systm.h> 52#include <sys/acct.h> 53#include <sys/kernel.h> 54#include <sys/lock.h> 55#include <sys/mutex.h> 56#include <sys/proc.h> 57#include <sys/sx.h> 58#include <sys/sysproto.h> 59#include <sys/jail.h> 60#include <sys/malloc.h> 61#include <sys/pioctl.h> 62#include <sys/resourcevar.h> 63#include <sys/sysctl.h> 64 65static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 66 67SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 68 "Kernel security policy"); 69SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 70 "BSD security policy"); 71 72#ifndef _SYS_SYSPROTO_H_ 73struct getpid_args { 74 int dummy; 75}; 76#endif 77/* 78 * MPSAFE 79 */ 80/* ARGSUSED */ 81int 82getpid(td, uap) 83 struct thread *td; 84 struct getpid_args *uap; 85{ 86 struct proc *p = td->td_proc; 87 int s; 88 89 s = mtx_lock_giant(kern_giant_proc); 90 td->td_retval[0] = p->p_pid; 91#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 92 PROC_LOCK(p); 93 td->td_retval[1] = p->p_pptr->p_pid; 94 PROC_UNLOCK(p); 95#endif 96 mtx_unlock_giant(s); 97 return (0); 98} 99 100#ifndef _SYS_SYSPROTO_H_ 101struct getppid_args { 102 int dummy; 103}; 104#endif 105/* 106 * MPSAFE 107 */ 108/* ARGSUSED */ 109int 110getppid(td, uap) 111 struct thread *td; 112 struct getppid_args *uap; 113{ 114 struct proc *p = td->td_proc; 115 int s; 116 117 s = mtx_lock_giant(kern_giant_proc); 118 PROC_LOCK(p); 119 td->td_retval[0] = p->p_pptr->p_pid; 120 PROC_UNLOCK(p); 121 mtx_unlock_giant(s); 122 return (0); 123} 124 125/* 126 * Get process group ID; note that POSIX getpgrp takes no parameter. 127 */ 128#ifndef _SYS_SYSPROTO_H_ 129struct getpgrp_args { 130 int dummy; 131}; 132#endif 133/* 134 * MPSAFE 135 */ 136int 137getpgrp(td, uap) 138 struct thread *td; 139 struct getpgrp_args *uap; 140{ 141 struct proc *p = td->td_proc; 142 143 mtx_lock(&Giant); 144 td->td_retval[0] = p->p_pgrp->pg_id; 145 mtx_unlock(&Giant); 146 return (0); 147} 148 149/* Get an arbitary pid's process group id */ 150#ifndef _SYS_SYSPROTO_H_ 151struct getpgid_args { 152 pid_t pid; 153}; 154#endif 155/* 156 * MPSAFE 157 */ 158int 159getpgid(td, uap) 160 struct thread *td; 161 struct getpgid_args *uap; 162{ 163 struct proc *p = td->td_proc; 164 struct proc *pt; 165 int error, s; 166 167 s = mtx_lock_giant(kern_giant_proc); 168 error = 0; 169 if (uap->pid == 0) 170 td->td_retval[0] = p->p_pgrp->pg_id; 171 else if ((pt = pfind(uap->pid)) == NULL) 172 error = ESRCH; 173 else { 174 error = p_cansee(p, pt); 175 if (error == 0) 176 td->td_retval[0] = pt->p_pgrp->pg_id; 177 PROC_UNLOCK(pt); 178 } 179 mtx_unlock_giant(s); 180 return (error); 181} 182 183/* 184 * Get an arbitary pid's session id. 185 */ 186#ifndef _SYS_SYSPROTO_H_ 187struct getsid_args { 188 pid_t pid; 189}; 190#endif 191/* 192 * MPSAFE 193 */ 194int 195getsid(td, uap) 196 struct thread *td; 197 struct getsid_args *uap; 198{ 199 struct proc *p = td->td_proc; 200 struct proc *pt; 201 int error; 202 203 mtx_lock(&Giant); 204 error = 0; 205 if (uap->pid == 0) 206 td->td_retval[0] = p->p_session->s_sid; 207 else if ((pt = pfind(uap->pid)) == NULL) 208 error = ESRCH; 209 else { 210 error = p_cansee(p, pt); 211 if (error == 0) 212 td->td_retval[0] = pt->p_session->s_sid; 213 PROC_UNLOCK(pt); 214 } 215 mtx_unlock(&Giant); 216 return (error); 217} 218 219#ifndef _SYS_SYSPROTO_H_ 220struct getuid_args { 221 int dummy; 222}; 223#endif 224/* 225 * MPSAFE 226 */ 227/* ARGSUSED */ 228int 229getuid(td, uap) 230 struct thread *td; 231 struct getuid_args *uap; 232{ 233 struct proc *p = td->td_proc; 234 235 mtx_lock(&Giant); 236 td->td_retval[0] = p->p_ucred->cr_ruid; 237#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 238 td->td_retval[1] = p->p_ucred->cr_uid; 239#endif 240 mtx_unlock(&Giant); 241 return (0); 242} 243 244#ifndef _SYS_SYSPROTO_H_ 245struct geteuid_args { 246 int dummy; 247}; 248#endif 249/* 250 * MPSAFE 251 */ 252/* ARGSUSED */ 253int 254geteuid(td, uap) 255 struct thread *td; 256 struct geteuid_args *uap; 257{ 258 mtx_lock(&Giant); 259 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 260 mtx_unlock(&Giant); 261 return (0); 262} 263 264#ifndef _SYS_SYSPROTO_H_ 265struct getgid_args { 266 int dummy; 267}; 268#endif 269/* 270 * MPSAFE 271 */ 272/* ARGSUSED */ 273int 274getgid(td, uap) 275 struct thread *td; 276 struct getgid_args *uap; 277{ 278 struct proc *p = td->td_proc; 279 280 mtx_lock(&Giant); 281 td->td_retval[0] = p->p_ucred->cr_rgid; 282#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 283 td->td_retval[1] = p->p_ucred->cr_groups[0]; 284#endif 285 mtx_unlock(&Giant); 286 return (0); 287} 288 289/* 290 * Get effective group ID. The "egid" is groups[0], and could be obtained 291 * via getgroups. This syscall exists because it is somewhat painful to do 292 * correctly in a library function. 293 */ 294#ifndef _SYS_SYSPROTO_H_ 295struct getegid_args { 296 int dummy; 297}; 298#endif 299/* 300 * MPSAFE 301 */ 302/* ARGSUSED */ 303int 304getegid(td, uap) 305 struct thread *td; 306 struct getegid_args *uap; 307{ 308 struct proc *p = td->td_proc; 309 310 mtx_lock(&Giant); 311 td->td_retval[0] = p->p_ucred->cr_groups[0]; 312 mtx_unlock(&Giant); 313 return (0); 314} 315 316#ifndef _SYS_SYSPROTO_H_ 317struct getgroups_args { 318 u_int gidsetsize; 319 gid_t *gidset; 320}; 321#endif 322/* 323 * MPSAFE 324 */ 325int 326getgroups(td, uap) 327 struct thread *td; 328 register struct getgroups_args *uap; 329{ 330 struct ucred *cred; 331 struct proc *p = td->td_proc; 332 u_int ngrp; 333 int error; 334 335 mtx_lock(&Giant); 336 error = 0; 337 cred = p->p_ucred; 338 if ((ngrp = uap->gidsetsize) == 0) { 339 td->td_retval[0] = cred->cr_ngroups; 340 goto done2; 341 } 342 if (ngrp < cred->cr_ngroups) { 343 error = EINVAL; 344 goto done2; 345 } 346 ngrp = cred->cr_ngroups; 347 if ((error = copyout((caddr_t)cred->cr_groups, 348 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) 349 goto done2; 350 td->td_retval[0] = ngrp; 351done2: 352 mtx_unlock(&Giant); 353 return (error); 354} 355 356#ifndef _SYS_SYSPROTO_H_ 357struct setsid_args { 358 int dummy; 359}; 360#endif 361/* 362 * MPSAFE 363 */ 364/* ARGSUSED */ 365int 366setsid(td, uap) 367 register struct thread *td; 368 struct setsid_args *uap; 369{ 370 int error; 371 struct proc *p = td->td_proc; 372 373 mtx_lock(&Giant); 374 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) 375 error = EPERM; 376 else { 377 (void)enterpgrp(p, p->p_pid, 1); 378 td->td_retval[0] = p->p_pid; 379 error = 0; 380 } 381 mtx_unlock(&Giant); 382 return (error); 383} 384 385/* 386 * set process group (setpgid/old setpgrp) 387 * 388 * caller does setpgid(targpid, targpgid) 389 * 390 * pid must be caller or child of caller (ESRCH) 391 * if a child 392 * pid must be in same session (EPERM) 393 * pid can't have done an exec (EACCES) 394 * if pgid != pid 395 * there must exist some pid in same session having pgid (EPERM) 396 * pid must not be session leader (EPERM) 397 */ 398#ifndef _SYS_SYSPROTO_H_ 399struct setpgid_args { 400 int pid; /* target process id */ 401 int pgid; /* target pgrp id */ 402}; 403#endif 404/* 405 * MPSAFE 406 */ 407/* ARGSUSED */ 408int 409setpgid(td, uap) 410 struct thread *td; 411 register struct setpgid_args *uap; 412{ 413 struct proc *curp = td->td_proc; 414 register struct proc *targp; /* target process */ 415 register struct pgrp *pgrp; /* target pgrp */ 416 int error; 417 418 if (uap->pgid < 0) 419 return (EINVAL); 420 mtx_lock(&Giant); 421 sx_slock(&proctree_lock); 422 if (uap->pid != 0 && uap->pid != curp->p_pid) { 423 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 424 if (targp) 425 PROC_UNLOCK(targp); 426 error = ESRCH; 427 goto done2; 428 } 429 if ((error = p_cansee(curproc, targp))) { 430 PROC_UNLOCK(targp); 431 goto done2; 432 } 433 if (targp->p_pgrp == NULL || 434 targp->p_session != curp->p_session) { 435 PROC_UNLOCK(targp); 436 error = EPERM; 437 goto done2; 438 } 439 if (targp->p_flag & P_EXEC) { 440 PROC_UNLOCK(targp); 441 error = EACCES; 442 goto done2; 443 } 444 } else { 445 targp = curp; 446 PROC_LOCK(curp); /* XXX: not needed */ 447 } 448 if (SESS_LEADER(targp)) { 449 PROC_UNLOCK(targp); 450 error = EPERM; 451 goto done2; 452 } 453 if (uap->pgid == 0) 454 uap->pgid = targp->p_pid; 455 else if (uap->pgid != targp->p_pid) { 456 if ((pgrp = pgfind(uap->pgid)) == 0 || 457 pgrp->pg_session != curp->p_session) { 458 PROC_UNLOCK(targp); 459 error = EPERM; 460 goto done2; 461 } 462 } 463 /* XXX: We should probably hold the lock across enterpgrp. */ 464 PROC_UNLOCK(targp); 465 error = enterpgrp(targp, uap->pgid, 0); 466done2: 467 sx_sunlock(&proctree_lock); 468 mtx_unlock(&Giant); 469 return (error); 470} 471 472/* 473 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 474 * compatible. It says that setting the uid/gid to euid/egid is a special 475 * case of "appropriate privilege". Once the rules are expanded out, this 476 * basically means that setuid(nnn) sets all three id's, in all permitted 477 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 478 * does not set the saved id - this is dangerous for traditional BSD 479 * programs. For this reason, we *really* do not want to set 480 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 481 */ 482#define POSIX_APPENDIX_B_4_2_2 483 484#ifndef _SYS_SYSPROTO_H_ 485struct setuid_args { 486 uid_t uid; 487}; 488#endif 489/* 490 * MPSAFE 491 */ 492/* ARGSUSED */ 493int 494setuid(td, uap) 495 struct thread *td; 496 struct setuid_args *uap; 497{ 498 struct proc *p = td->td_proc; 499 struct ucred *newcred, *oldcred; 500 uid_t uid; 501 int error; 502 503 oldcred = p->p_ucred; 504 uid = uap->uid; 505 mtx_lock(&Giant); 506 error = 0; 507 /* 508 * See if we have "permission" by POSIX 1003.1 rules. 509 * 510 * Note that setuid(geteuid()) is a special case of 511 * "appropriate privileges" in appendix B.4.2.2. We need 512 * to use this clause to be compatible with traditional BSD 513 * semantics. Basically, it means that "setuid(xx)" sets all 514 * three id's (assuming you have privs). 515 * 516 * Notes on the logic. We do things in three steps. 517 * 1: We determine if the euid is going to change, and do EPERM 518 * right away. We unconditionally change the euid later if this 519 * test is satisfied, simplifying that part of the logic. 520 * 2: We determine if the real and/or saved uids are going to 521 * change. Determined by compile options. 522 * 3: Change euid last. (after tests in #2 for "appropriate privs") 523 */ 524 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 525#ifdef _POSIX_SAVED_IDS 526 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 527#endif 528#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 529 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 530#endif 531 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 532 goto done2; 533 534 newcred = crdup(oldcred); 535#ifdef _POSIX_SAVED_IDS 536 /* 537 * Do we have "appropriate privileges" (are we root or uid == euid) 538 * If so, we are changing the real uid and/or saved uid. 539 */ 540 if ( 541#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 542 uid == oldcred->cr_uid || 543#endif 544 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 545#endif 546 { 547 /* 548 * Set the real uid and transfer proc count to new user. 549 */ 550 if (uid != oldcred->cr_ruid) { 551 change_ruid(newcred, uid); 552 setsugid(p); 553 } 554 /* 555 * Set saved uid 556 * 557 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 558 * the security of seteuid() depends on it. B.4.2.2 says it 559 * is important that we should do this. 560 */ 561 if (uid != oldcred->cr_svuid) { 562 change_svuid(newcred, uid); 563 setsugid(p); 564 } 565 } 566 567 /* 568 * In all permitted cases, we are changing the euid. 569 * Copy credentials so other references do not see our changes. 570 */ 571 if (uid != oldcred->cr_uid) { 572 change_euid(newcred, uid); 573 setsugid(p); 574 } 575 p->p_ucred = newcred; 576 crfree(oldcred); 577done2: 578 mtx_unlock(&Giant); 579 return (error); 580} 581 582#ifndef _SYS_SYSPROTO_H_ 583struct seteuid_args { 584 uid_t euid; 585}; 586#endif 587/* 588 * MPSAFE 589 */ 590/* ARGSUSED */ 591int 592seteuid(td, uap) 593 struct thread *td; 594 struct seteuid_args *uap; 595{ 596 struct proc *p = td->td_proc; 597 struct ucred *newcred, *oldcred; 598 uid_t euid; 599 int error; 600 601 euid = uap->euid; 602 mtx_lock(&Giant); 603 error = 0; 604 oldcred = p->p_ucred; 605 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 606 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 607 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 608 goto done2; 609 /* 610 * Everything's okay, do it. Copy credentials so other references do 611 * not see our changes. 612 */ 613 newcred = crdup(oldcred); 614 if (oldcred->cr_uid != euid) { 615 change_euid(newcred, euid); 616 setsugid(p); 617 } 618 p->p_ucred = newcred; 619 crfree(oldcred); 620done2: 621 mtx_unlock(&Giant); 622 return (error); 623} 624 625#ifndef _SYS_SYSPROTO_H_ 626struct setgid_args { 627 gid_t gid; 628}; 629#endif 630/* 631 * MPSAFE 632 */ 633/* ARGSUSED */ 634int 635setgid(td, uap) 636 struct thread *td; 637 struct setgid_args *uap; 638{ 639 struct proc *p = td->td_proc; 640 struct ucred *newcred, *oldcred; 641 gid_t gid; 642 int error; 643 644 gid = uap->gid; 645 646 mtx_lock(&Giant); 647 error = 0; 648 oldcred = p->p_ucred; 649 /* 650 * See if we have "permission" by POSIX 1003.1 rules. 651 * 652 * Note that setgid(getegid()) is a special case of 653 * "appropriate privileges" in appendix B.4.2.2. We need 654 * to use this clause to be compatible with traditional BSD 655 * semantics. Basically, it means that "setgid(xx)" sets all 656 * three id's (assuming you have privs). 657 * 658 * For notes on the logic here, see setuid() above. 659 */ 660 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 661#ifdef _POSIX_SAVED_IDS 662 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 663#endif 664#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 665 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 666#endif 667 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 668 goto done2; 669 670 newcred = crdup(oldcred); 671#ifdef _POSIX_SAVED_IDS 672 /* 673 * Do we have "appropriate privileges" (are we root or gid == egid) 674 * If so, we are changing the real uid and saved gid. 675 */ 676 if ( 677#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 678 gid == oldcred->cr_groups[0] || 679#endif 680 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 681#endif 682 { 683 /* 684 * Set real gid 685 */ 686 if (oldcred->cr_rgid != gid) { 687 change_rgid(newcred, gid); 688 setsugid(p); 689 } 690 /* 691 * Set saved gid 692 * 693 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 694 * the security of setegid() depends on it. B.4.2.2 says it 695 * is important that we should do this. 696 */ 697 if (oldcred->cr_svgid != gid) { 698 change_svgid(newcred, gid); 699 setsugid(p); 700 } 701 } 702 /* 703 * In all cases permitted cases, we are changing the egid. 704 * Copy credentials so other references do not see our changes. 705 */ 706 if (oldcred->cr_groups[0] != gid) { 707 change_egid(newcred, gid); 708 setsugid(p); 709 } 710 p->p_ucred = newcred; 711 crfree(oldcred); 712done2: 713 mtx_unlock(&Giant); 714 return (error); 715} 716 717#ifndef _SYS_SYSPROTO_H_ 718struct setegid_args { 719 gid_t egid; 720}; 721#endif 722/* 723 * MPSAFE 724 */ 725/* ARGSUSED */ 726int 727setegid(td, uap) 728 struct thread *td; 729 struct setegid_args *uap; 730{ 731 struct proc *p = td->td_proc; 732 struct ucred *newcred, *oldcred; 733 gid_t egid; 734 int error; 735 736 egid = uap->egid; 737 mtx_lock(&Giant); 738 error = 0; 739 oldcred = p->p_ucred; 740 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 741 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 742 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 743 goto done2; 744 newcred = crdup(oldcred); 745 if (oldcred->cr_groups[0] != egid) { 746 change_egid(newcred, egid); 747 setsugid(p); 748 } 749 p->p_ucred = newcred; 750 crfree(oldcred); 751done2: 752 mtx_unlock(&Giant); 753 return (error); 754} 755 756#ifndef _SYS_SYSPROTO_H_ 757struct setgroups_args { 758 u_int gidsetsize; 759 gid_t *gidset; 760}; 761#endif 762/* 763 * MPSAFE 764 */ 765/* ARGSUSED */ 766int 767setgroups(td, uap) 768 struct thread *td; 769 struct setgroups_args *uap; 770{ 771 struct proc *p = td->td_proc; 772 struct ucred *newcred, *oldcred; 773 u_int ngrp; 774 int error; 775 776 mtx_lock(&Giant); 777 ngrp = uap->gidsetsize; 778 oldcred = p->p_ucred; 779 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 780 goto done2; 781 if (ngrp > NGROUPS) { 782 error = EINVAL; 783 goto done2; 784 } 785 /* 786 * XXX A little bit lazy here. We could test if anything has 787 * changed before crcopy() and setting P_SUGID. 788 */ 789 newcred = crdup(oldcred); 790 if (ngrp < 1) { 791 /* 792 * setgroups(0, NULL) is a legitimate way of clearing the 793 * groups vector on non-BSD systems (which generally do not 794 * have the egid in the groups[0]). We risk security holes 795 * when running non-BSD software if we do not do the same. 796 */ 797 newcred->cr_ngroups = 1; 798 } else { 799 if ((error = copyin((caddr_t)uap->gidset, 800 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 801 crfree(newcred); 802 goto done2; 803 } 804 newcred->cr_ngroups = ngrp; 805 } 806 setsugid(p); 807 p->p_ucred = newcred; 808 crfree(oldcred); 809done2: 810 mtx_unlock(&Giant); 811 return (error); 812} 813 814#ifndef _SYS_SYSPROTO_H_ 815struct setreuid_args { 816 uid_t ruid; 817 uid_t euid; 818}; 819#endif 820/* 821 * MPSAFE 822 */ 823/* ARGSUSED */ 824int 825setreuid(td, uap) 826 register struct thread *td; 827 struct setreuid_args *uap; 828{ 829 struct proc *p = td->td_proc; 830 struct ucred *newcred, *oldcred; 831 uid_t euid, ruid; 832 int error; 833 834 euid = uap->euid; 835 ruid = uap->ruid; 836 mtx_lock(&Giant); 837 error = 0; 838 oldcred = p->p_ucred; 839 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 840 ruid != oldcred->cr_svuid) || 841 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 842 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 843 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 844 goto done2; 845 newcred = crdup(oldcred); 846 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 847 change_euid(newcred, euid); 848 setsugid(p); 849 } 850 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 851 change_ruid(newcred, ruid); 852 setsugid(p); 853 } 854 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 855 newcred->cr_svuid != newcred->cr_uid) { 856 change_svuid(newcred, newcred->cr_uid); 857 setsugid(p); 858 } 859 p->p_ucred = newcred; 860 crfree(oldcred); 861done2: 862 mtx_unlock(&Giant); 863 return (error); 864} 865 866#ifndef _SYS_SYSPROTO_H_ 867struct setregid_args { 868 gid_t rgid; 869 gid_t egid; 870}; 871#endif 872/* 873 * MPSAFE 874 */ 875/* ARGSUSED */ 876int 877setregid(td, uap) 878 register struct thread *td; 879 struct setregid_args *uap; 880{ 881 struct proc *p = td->td_proc; 882 struct ucred *newcred, *oldcred; 883 gid_t egid, rgid; 884 int error; 885 886 egid = uap->egid; 887 rgid = uap->rgid; 888 mtx_lock(&Giant); 889 error = 0; 890 oldcred = p->p_ucred; 891 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 892 rgid != oldcred->cr_svgid) || 893 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 894 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 895 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 896 goto done2; 897 newcred = crdup(oldcred); 898 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 899 change_egid(newcred, egid); 900 setsugid(p); 901 } 902 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 903 change_rgid(newcred, rgid); 904 setsugid(p); 905 } 906 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 907 newcred->cr_svgid != newcred->cr_groups[0]) { 908 change_svgid(newcred, newcred->cr_groups[0]); 909 setsugid(p); 910 } 911 p->p_ucred = newcred; 912 crfree(oldcred); 913done2: 914 mtx_unlock(&Giant); 915 return (error); 916} 917 918/* 919 * setresuid(ruid, euid, suid) is like setreuid except control over the 920 * saved uid is explicit. 921 */ 922 923#ifndef _SYS_SYSPROTO_H_ 924struct setresuid_args { 925 uid_t ruid; 926 uid_t euid; 927 uid_t suid; 928}; 929#endif 930/* 931 * MPSAFE 932 */ 933/* ARGSUSED */ 934int 935setresuid(td, uap) 936 register struct thread *td; 937 struct setresuid_args *uap; 938{ 939 struct proc *p = td->td_proc; 940 struct ucred *newcred, *oldcred; 941 uid_t euid, ruid, suid; 942 int error; 943 944 euid = uap->euid; 945 ruid = uap->ruid; 946 suid = uap->suid; 947 mtx_lock(&Giant); 948 oldcred = p->p_ucred; 949 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 950 ruid != oldcred->cr_svuid && 951 ruid != oldcred->cr_uid) || 952 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 953 euid != oldcred->cr_svuid && 954 euid != oldcred->cr_uid) || 955 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 956 suid != oldcred->cr_svuid && 957 suid != oldcred->cr_uid)) && 958 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 959 goto done2; 960 newcred = crdup(oldcred); 961 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 962 change_euid(newcred, euid); 963 setsugid(p); 964 } 965 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 966 change_ruid(newcred, ruid); 967 setsugid(p); 968 } 969 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 970 change_svuid(newcred, suid); 971 setsugid(p); 972 } 973 p->p_ucred = newcred; 974 crfree(oldcred); 975 error = 0; 976done2: 977 mtx_unlock(&Giant); 978 return (error); 979} 980 981/* 982 * setresgid(rgid, egid, sgid) is like setregid except control over the 983 * saved gid is explicit. 984 */ 985 986#ifndef _SYS_SYSPROTO_H_ 987struct setresgid_args { 988 gid_t rgid; 989 gid_t egid; 990 gid_t sgid; 991}; 992#endif 993/* 994 * MPSAFE 995 */ 996/* ARGSUSED */ 997int 998setresgid(td, uap) 999 register struct thread *td; 1000 struct setresgid_args *uap; 1001{ 1002 struct proc *p = td->td_proc; 1003 struct ucred *newcred, *oldcred; 1004 gid_t egid, rgid, sgid; 1005 int error; 1006 1007 egid = uap->egid; 1008 rgid = uap->rgid; 1009 sgid = uap->sgid; 1010 1011 mtx_lock(&Giant); 1012 oldcred = p->p_ucred; 1013 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1014 rgid != oldcred->cr_svgid && 1015 rgid != oldcred->cr_groups[0]) || 1016 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1017 egid != oldcred->cr_svgid && 1018 egid != oldcred->cr_groups[0]) || 1019 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1020 sgid != oldcred->cr_svgid && 1021 sgid != oldcred->cr_groups[0])) && 1022 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1023 goto done2; 1024 } 1025 newcred = crdup(oldcred); 1026 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1027 change_egid(newcred, egid); 1028 setsugid(p); 1029 } 1030 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1031 change_rgid(newcred, rgid); 1032 setsugid(p); 1033 } 1034 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1035 change_svgid(newcred, sgid); 1036 setsugid(p); 1037 } 1038 p->p_ucred = newcred; 1039 crfree(oldcred); 1040 error = 0; 1041done2: 1042 mtx_unlock(&Giant); 1043 return (error); 1044} 1045 1046#ifndef _SYS_SYSPROTO_H_ 1047struct getresuid_args { 1048 uid_t *ruid; 1049 uid_t *euid; 1050 uid_t *suid; 1051}; 1052#endif 1053/* 1054 * MPSAFE 1055 */ 1056/* ARGSUSED */ 1057int 1058getresuid(td, uap) 1059 register struct thread *td; 1060 struct getresuid_args *uap; 1061{ 1062 struct ucred *cred; 1063 struct proc *p = td->td_proc; 1064 int error1 = 0, error2 = 0, error3 = 0; 1065 1066 mtx_lock(&Giant); 1067 cred = p->p_ucred; 1068 if (uap->ruid) 1069 error1 = copyout((caddr_t)&cred->cr_ruid, 1070 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1071 if (uap->euid) 1072 error2 = copyout((caddr_t)&cred->cr_uid, 1073 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1074 if (uap->suid) 1075 error3 = copyout((caddr_t)&cred->cr_svuid, 1076 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1077 mtx_unlock(&Giant); 1078 return (error1 ? error1 : error2 ? error2 : error3); 1079} 1080 1081#ifndef _SYS_SYSPROTO_H_ 1082struct getresgid_args { 1083 gid_t *rgid; 1084 gid_t *egid; 1085 gid_t *sgid; 1086}; 1087#endif 1088/* 1089 * MPSAFE 1090 */ 1091/* ARGSUSED */ 1092int 1093getresgid(td, uap) 1094 register struct thread *td; 1095 struct getresgid_args *uap; 1096{ 1097 struct ucred *cred; 1098 struct proc *p = td->td_proc; 1099 int error1 = 0, error2 = 0, error3 = 0; 1100 1101 mtx_lock(&Giant); 1102 cred = p->p_ucred; 1103 if (uap->rgid) 1104 error1 = copyout((caddr_t)&cred->cr_rgid, 1105 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1106 if (uap->egid) 1107 error2 = copyout((caddr_t)&cred->cr_groups[0], 1108 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1109 if (uap->sgid) 1110 error3 = copyout((caddr_t)&cred->cr_svgid, 1111 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1112 mtx_unlock(&Giant); 1113 return (error1 ? error1 : error2 ? error2 : error3); 1114} 1115 1116#ifndef _SYS_SYSPROTO_H_ 1117struct issetugid_args { 1118 int dummy; 1119}; 1120#endif 1121/* 1122 * NOT MPSAFE? 1123 */ 1124/* ARGSUSED */ 1125int 1126issetugid(td, uap) 1127 register struct thread *td; 1128 struct issetugid_args *uap; 1129{ 1130 struct proc *p = td->td_proc; 1131 1132 /* 1133 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1134 * we use P_SUGID because we consider changing the owners as 1135 * "tainting" as well. 1136 * This is significant for procs that start as root and "become" 1137 * a user without an exec - programs cannot know *everything* 1138 * that libc *might* have put in their data segment. 1139 */ 1140 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1141 return (0); 1142} 1143 1144/* 1145 * MPSAFE 1146 */ 1147int 1148__setugid(td, uap) 1149 struct thread *td; 1150 struct __setugid_args *uap; 1151{ 1152#ifdef REGRESSION 1153 int error; 1154 1155 mtx_lock(&Giant); 1156 error = 0; 1157 switch (uap->flag) { 1158 case 0: 1159 td->td_proc->p_flag &= ~P_SUGID; 1160 break; 1161 case 1: 1162 td->td_proc->p_flag |= P_SUGID; 1163 break; 1164 default: 1165 error = EINVAL; 1166 break; 1167 } 1168 mtx_unlock(&Giant); 1169 return (error); 1170#else /* !REGRESSION */ 1171 1172 return (ENOSYS); 1173#endif /* REGRESSION */ 1174} 1175 1176/* 1177 * Check if gid is a member of the group set. 1178 */ 1179int 1180groupmember(gid, cred) 1181 gid_t gid; 1182 struct ucred *cred; 1183{ 1184 register gid_t *gp; 1185 gid_t *egp; 1186 1187 egp = &(cred->cr_groups[cred->cr_ngroups]); 1188 for (gp = cred->cr_groups; gp < egp; gp++) 1189 if (*gp == gid) 1190 return (1); 1191 return (0); 1192} 1193 1194/* 1195 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1196 * sysctl) determines whether the system 'super-user' policy is in effect. 1197 * If it is nonzero, an effective uid of 0 connotes special privilege, 1198 * overriding many mandatory and discretionary protections. If it is zero, 1199 * uid 0 is offered no special privilege in the kernel security policy. 1200 * Setting it to zero may seriously impact the functionality of many 1201 * existing userland programs, and should not be done without careful 1202 * consideration of the consequences. 1203 */ 1204int suser_enabled = 1; 1205SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1206 &suser_enabled, 0, "processes with uid 0 have privilege"); 1207 1208/* 1209 * Test whether the specified credentials imply "super-user" privilege. 1210 * Return 0 or EPERM. 1211 */ 1212int 1213suser(p) 1214 struct proc *p; 1215{ 1216 1217 return (suser_xxx(0, p, 0)); 1218} 1219 1220/* 1221 * version for when the thread pointer is available and not the proc. 1222 * (saves having to include proc.h into every file that needs to do the change.) 1223 */ 1224int 1225suser_td(td) 1226 struct thread *td; 1227{ 1228 return suser_xxx(0, td->td_proc, 0); 1229} 1230 1231/* 1232 * wrapper to use if you have the thread on hand but not the proc. 1233 */ 1234int 1235suser_xxx_td(cred, td, flag) 1236 struct ucred *cred; 1237 struct thread *td; 1238 int flag; 1239{ 1240 return(suser_xxx(cred, td->td_proc, flag)); 1241} 1242 1243int 1244suser_xxx(cred, proc, flag) 1245 struct ucred *cred; 1246 struct proc *proc; 1247 int flag; 1248{ 1249 if (!suser_enabled) 1250 return (EPERM); 1251 if (!cred && !proc) { 1252 printf("suser_xxx(): THINK!\n"); 1253 return (EPERM); 1254 } 1255 if (cred == NULL) 1256 cred = proc->p_ucred; 1257 if (cred->cr_uid != 0) 1258 return (EPERM); 1259 if (jailed(cred) && !(flag & PRISON_ROOT)) 1260 return (EPERM); 1261 return (0); 1262} 1263 1264/* 1265 * Test the active securelevel against a given level. securelevel_gt() 1266 * implements (securelevel > level). securelevel_ge() implements 1267 * (securelevel >= level). Note that the logic is inverted -- these 1268 * functions return EPERM on "success" and 0 on "failure". 1269 * 1270 * cr is permitted to be NULL for the time being, as there were some 1271 * existing securelevel checks that occurred without a process/credential 1272 * context. In the future this will be disallowed, so a kernel message 1273 * is displayed. 1274 */ 1275int 1276securelevel_gt(struct ucred *cr, int level) 1277{ 1278 int active_securelevel; 1279 1280 active_securelevel = securelevel; 1281 if (cr == NULL) 1282 printf("securelevel_gt: cr is NULL\n"); 1283 if (cr->cr_prison != NULL) 1284 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1285 active_securelevel); 1286 return (active_securelevel > level ? EPERM : 0); 1287} 1288 1289int 1290securelevel_ge(struct ucred *cr, int level) 1291{ 1292 int active_securelevel; 1293 1294 active_securelevel = securelevel; 1295 if (cr == NULL) 1296 printf("securelevel_gt: cr is NULL\n"); 1297 if (cr->cr_prison != NULL) 1298 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1299 active_securelevel); 1300 return (active_securelevel >= level ? EPERM : 0); 1301} 1302 1303/* 1304 * 'see_other_uids' determines whether or not visibility of processes 1305 * and sockets with credentials holding different real uids is possible 1306 * using a variety of system MIBs. 1307 * XXX: data declarations should be together near the beginning of the file. 1308 */ 1309static int see_other_uids = 1; 1310SYSCTL_INT(_kern_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1311 &see_other_uids, 0, 1312 "Unprivileged processes may see subjects/objects with different real uid"); 1313 1314/*- 1315 * Determine if u1 "can see" the subject specified by u2. 1316 * Returns: 0 for permitted, an errno value otherwise 1317 * Locks: none 1318 * References: *u1 and *u2 must not change during the call 1319 * u1 may equal u2, in which case only one reference is required 1320 */ 1321int 1322cr_cansee(struct ucred *u1, struct ucred *u2) 1323{ 1324 int error; 1325 1326 if ((error = prison_check(u1, u2))) 1327 return (error); 1328 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1329 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1330 return (ESRCH); 1331 } 1332 return (0); 1333} 1334 1335/*- 1336 * Determine if p1 "can see" the subject specified by p2. 1337 * Returns: 0 for permitted, an errno value otherwise 1338 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1339 * be held. Normally, p1 will be curproc, and a lock must be held 1340 * for p2. 1341 * References: p1 and p2 must be valid for the lifetime of the call 1342 */ 1343int 1344p_cansee(struct proc *p1, struct proc *p2) 1345{ 1346 1347 /* Wrap cr_cansee() for all functionality. */ 1348 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1349} 1350 1351/*- 1352 * Determine whether p1 may deliver the specified signal to p2. 1353 * Returns: 0 for permitted, an errno value otherwise 1354 * Locks: Sufficient locks to protect various components of p1 and p2 1355 * must be held. Normally, p1 will be curproc, and a lock must 1356 * be held for p2. 1357 * References: p1 and p2 must be valid for the lifetime of the call 1358 */ 1359int 1360p_cansignal(struct proc *p1, struct proc *p2, int signum) 1361{ 1362 int error; 1363 1364 if (p1 == p2) 1365 return (0); 1366 1367 /* 1368 * Jail semantics limit the scope of signalling to p2 in the same 1369 * jail as p1, if p1 is in jail. 1370 */ 1371 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1372 return (error); 1373 1374 /* 1375 * UNIX signalling semantics require that processes in the same 1376 * session always be able to deliver SIGCONT to one another, 1377 * overriding the remaining protections. 1378 */ 1379 if (signum == SIGCONT && p1->p_session == p2->p_session) 1380 return (0); 1381 1382 /* 1383 * UNIX signal semantics depend on the status of the P_SUGID 1384 * bit on the target process. If the bit is set, then additional 1385 * restrictions are placed on the set of available signals. 1386 */ 1387 if (p2->p_flag & P_SUGID) { 1388 switch (signum) { 1389 case 0: 1390 case SIGKILL: 1391 case SIGINT: 1392 case SIGTERM: 1393 case SIGSTOP: 1394 case SIGTTIN: 1395 case SIGTTOU: 1396 case SIGTSTP: 1397 case SIGHUP: 1398 case SIGUSR1: 1399 case SIGUSR2: 1400 /* 1401 * Generally, permit job and terminal control 1402 * signals. 1403 */ 1404 break; 1405 default: 1406 /* Not permitted, privilege is required. */ 1407 error = suser_xxx(NULL, p1, PRISON_ROOT); 1408 if (error) 1409 return (error); 1410 } 1411 } 1412 1413 /* 1414 * Generally, the target credential's ruid or svuid must match the 1415 * subject credential's ruid or euid. 1416 */ 1417 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1418 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1419 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1420 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1421 /* Not permitted, try privilege. */ 1422 error = suser_xxx(NULL, p1, PRISON_ROOT); 1423 if (error) 1424 return (error); 1425 } 1426 1427 return (0); 1428} 1429 1430/*- 1431 * Determine whether p1 may reschedule p2. 1432 * Returns: 0 for permitted, an errno value otherwise 1433 * Locks: Sufficient locks to protect various components of p1 and p2 1434 * must be held. Normally, p1 will be curproc, and a lock must 1435 * be held for p2. 1436 * References: p1 and p2 must be valid for the lifetime of the call 1437 */ 1438int 1439p_cansched(struct proc *p1, struct proc *p2) 1440{ 1441 int error; 1442 1443 if (p1 == p2) 1444 return (0); 1445 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1446 return (error); 1447 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1448 return (0); 1449 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1450 return (0); 1451 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1452 return (0); 1453 1454#ifdef CAPABILITIES 1455 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1456 return (0); 1457#endif 1458 1459 return (EPERM); 1460} 1461 1462/* 1463 * The 'unprivileged_procdebug_permitted' flag may be used to disable 1464 * a variety of unprivileged inter-process debugging services, including 1465 * some procfs functionality, ptrace(), and ktrace(). In the past, 1466 * inter-process debugging has been involved in a variety of security 1467 * problems, and sites not requiring the service might choose to disable it 1468 * when hardening systems. 1469 * 1470 * XXX: Should modifying and reading this variable require locking? 1471 * XXX: data declarations should be together near the beginning of the file. 1472 */ 1473static int unprivileged_proc_debug = 1; 1474SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1475 &unprivileged_proc_debug, 0, 1476 "Unprivileged processes may use process debugging facilities"); 1477 1478/*- 1479 * Determine whether p1 may debug p2. 1480 * Returns: 0 for permitted, an errno value otherwise 1481 * Locks: Sufficient locks to protect various components of p1 and p2 1482 * must be held. Normally, p1 will be curproc, and a lock must 1483 * be held for p2. 1484 * References: p1 and p2 must be valid for the lifetime of the call 1485 */ 1486int 1487p_candebug(struct proc *p1, struct proc *p2) 1488{ 1489 int credentialchanged, error, grpsubset, i, uidsubset; 1490 1491 if (!unprivileged_proc_debug) { 1492 error = suser_xxx(NULL, p1, PRISON_ROOT); 1493 if (error) 1494 return (error); 1495 } 1496 if (p1 == p2) 1497 return (0); 1498 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1499 return (error); 1500 1501 /* 1502 * Is p2's group set a subset of p1's effective group set? This 1503 * includes p2's egid, group access list, rgid, and svgid. 1504 */ 1505 grpsubset = 1; 1506 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1507 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1508 grpsubset = 0; 1509 break; 1510 } 1511 } 1512 grpsubset = grpsubset && 1513 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1514 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1515 1516 /* 1517 * Are the uids present in p2's credential equal to p1's 1518 * effective uid? This includes p2's euid, svuid, and ruid. 1519 */ 1520 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1521 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1522 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1523 1524 /* 1525 * Has the credential of the process changed since the last exec()? 1526 */ 1527 credentialchanged = (p2->p_flag & P_SUGID); 1528 1529 /* 1530 * If p2's gids aren't a subset, or the uids aren't a subset, 1531 * or the credential has changed, require appropriate privilege 1532 * for p1 to debug p2. For POSIX.1e capabilities, this will 1533 * require CAP_SYS_PTRACE. 1534 */ 1535 if (!grpsubset || !uidsubset || credentialchanged) { 1536 error = suser_xxx(NULL, p1, PRISON_ROOT); 1537 if (error) 1538 return (error); 1539 } 1540 1541 /* Can't trace init when securelevel > 0. */ 1542 if (p2 == initproc) { 1543 error = securelevel_gt(p1->p_ucred, 0); 1544 if (error) 1545 return (error); 1546 } 1547 1548 /* 1549 * Can't trace a process that's currently exec'ing. 1550 * XXX: Note, this is not a security policy decision, it's a 1551 * basic correctness/functionality decision. Therefore, this check 1552 * should be moved to the caller's of p_candebug(). 1553 */ 1554 if ((p2->p_flag & P_INEXEC) != 0) 1555 return (EAGAIN); 1556 1557 return (0); 1558} 1559 1560/* 1561 * Allocate a zeroed cred structure. 1562 */ 1563struct ucred * 1564crget() 1565{ 1566 register struct ucred *cr; 1567 1568 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1569 cr->cr_ref = 1; 1570 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1571 return (cr); 1572} 1573 1574/* 1575 * Claim another reference to a ucred structure. 1576 */ 1577struct ucred * 1578crhold(cr) 1579 struct ucred *cr; 1580{ 1581 1582 mtx_lock(&cr->cr_mtx); 1583 cr->cr_ref++; 1584 mtx_unlock(&cr->cr_mtx); 1585 return (cr); 1586} 1587 1588/* 1589 * Free a cred structure. 1590 * Throws away space when ref count gets to 0. 1591 */ 1592void 1593crfree(cr) 1594 struct ucred *cr; 1595{ 1596 1597 mtx_lock(&cr->cr_mtx); 1598 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1599 if (--cr->cr_ref == 0) { 1600 mtx_destroy(&cr->cr_mtx); 1601 /* 1602 * Some callers of crget(), such as nfs_statfs(), 1603 * allocate a temporary credential, but don't 1604 * allocate a uidinfo structure. 1605 */ 1606 if (cr->cr_uidinfo != NULL) 1607 uifree(cr->cr_uidinfo); 1608 if (cr->cr_ruidinfo != NULL) 1609 uifree(cr->cr_ruidinfo); 1610 /* 1611 * Free a prison, if any. 1612 */ 1613 if (jailed(cr)) 1614 prison_free(cr->cr_prison); 1615 FREE((caddr_t)cr, M_CRED); 1616 } else 1617 mtx_unlock(&cr->cr_mtx); 1618} 1619 1620/* 1621 * Check to see if this ucred is shared. 1622 */ 1623int 1624crshared(cr) 1625 struct ucred *cr; 1626{ 1627 int shared; 1628 1629 mtx_lock(&cr->cr_mtx); 1630 shared = (cr->cr_ref > 1); 1631 mtx_unlock(&cr->cr_mtx); 1632 return (shared); 1633} 1634 1635/* 1636 * Copy a ucred's contents from a template. Does not block. 1637 */ 1638void 1639crcopy(dest, src) 1640 struct ucred *dest, *src; 1641{ 1642 1643 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1644 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1645 (unsigned)((caddr_t)&src->cr_endcopy - 1646 (caddr_t)&src->cr_startcopy)); 1647 uihold(dest->cr_uidinfo); 1648 uihold(dest->cr_ruidinfo); 1649 if (jailed(dest)) 1650 prison_hold(dest->cr_prison); 1651} 1652 1653/* 1654 * Dup cred struct to a new held one. 1655 */ 1656struct ucred * 1657crdup(cr) 1658 struct ucred *cr; 1659{ 1660 struct ucred *newcr; 1661 1662 newcr = crget(); 1663 crcopy(newcr, cr); 1664 return (newcr); 1665} 1666 1667/* 1668 * Get login name, if available. 1669 */ 1670#ifndef _SYS_SYSPROTO_H_ 1671struct getlogin_args { 1672 char *namebuf; 1673 u_int namelen; 1674}; 1675#endif 1676/* 1677 * MPSAFE 1678 */ 1679/* ARGSUSED */ 1680int 1681getlogin(td, uap) 1682 struct thread *td; 1683 struct getlogin_args *uap; 1684{ 1685 int error; 1686 struct proc *p = td->td_proc; 1687 1688 mtx_lock(&Giant); 1689 if (uap->namelen > MAXLOGNAME) 1690 uap->namelen = MAXLOGNAME; 1691 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1692 (caddr_t) uap->namebuf, uap->namelen); 1693 mtx_unlock(&Giant); 1694 return(error); 1695} 1696 1697/* 1698 * Set login name. 1699 */ 1700#ifndef _SYS_SYSPROTO_H_ 1701struct setlogin_args { 1702 char *namebuf; 1703}; 1704#endif 1705/* 1706 * MPSAFE 1707 */ 1708/* ARGSUSED */ 1709int 1710setlogin(td, uap) 1711 struct thread *td; 1712 struct setlogin_args *uap; 1713{ 1714 struct proc *p = td->td_proc; 1715 int error; 1716 char logintmp[MAXLOGNAME]; 1717 1718 mtx_lock(&Giant); 1719 if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0) 1720 goto done2; 1721 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1722 sizeof(logintmp), (size_t *)0); 1723 if (error == ENAMETOOLONG) 1724 error = EINVAL; 1725 else if (!error) 1726 (void)memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1727 sizeof(logintmp)); 1728done2: 1729 mtx_unlock(&Giant); 1730 return (error); 1731} 1732 1733void 1734setsugid(p) 1735 struct proc *p; 1736{ 1737 p->p_flag |= P_SUGID; 1738 if (!(p->p_pfsflags & PF_ISUGID)) 1739 p->p_stops = 0; 1740} 1741 1742/*- 1743 * Change a process's effective uid. 1744 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1745 * References: newcred must be an exclusive credential reference for the 1746 * duration of the call. 1747 */ 1748void 1749change_euid(newcred, euid) 1750 struct ucred *newcred; 1751 uid_t euid; 1752{ 1753 1754 newcred->cr_uid = euid; 1755 uifree(newcred->cr_uidinfo); 1756 newcred->cr_uidinfo = uifind(euid); 1757} 1758 1759/*- 1760 * Change a process's effective gid. 1761 * Side effects: newcred->cr_gid will be modified. 1762 * References: newcred must be an exclusive credential reference for the 1763 * duration of the call. 1764 */ 1765void 1766change_egid(newcred, egid) 1767 struct ucred *newcred; 1768 gid_t egid; 1769{ 1770 1771 newcred->cr_groups[0] = egid; 1772} 1773 1774/*- 1775 * Change a process's real uid. 1776 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1777 * will be updated, and the old and new cr_ruidinfo proc 1778 * counts will be updated. 1779 * References: newcred must be an exclusive credential reference for the 1780 * duration of the call. 1781 */ 1782void 1783change_ruid(newcred, ruid) 1784 struct ucred *newcred; 1785 uid_t ruid; 1786{ 1787 1788 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1789 newcred->cr_ruid = ruid; 1790 uifree(newcred->cr_ruidinfo); 1791 newcred->cr_ruidinfo = uifind(ruid); 1792 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1793} 1794 1795/*- 1796 * Change a process's real gid. 1797 * Side effects: newcred->cr_rgid will be updated. 1798 * References: newcred must be an exclusive credential reference for the 1799 * duration of the call. 1800 */ 1801void 1802change_rgid(newcred, rgid) 1803 struct ucred *newcred; 1804 gid_t rgid; 1805{ 1806 1807 newcred->cr_rgid = rgid; 1808} 1809 1810/*- 1811 * Change a process's saved uid. 1812 * Side effects: newcred->cr_svuid will be updated. 1813 * References: newcred must be an exclusive credential reference for the 1814 * duration of the call. 1815 */ 1816void 1817change_svuid(newcred, svuid) 1818 struct ucred *newcred; 1819 uid_t svuid; 1820{ 1821 1822 newcred->cr_svuid = svuid; 1823} 1824 1825/*- 1826 * Change a process's saved gid. 1827 * Side effects: newcred->cr_svgid will be updated. 1828 * References: newcred must be an exclusive credential reference for the 1829 * duration of the call. 1830 */ 1831void 1832change_svgid(newcred, svgid) 1833 struct ucred *newcred; 1834 gid_t svgid; 1835{ 1836 1837 newcred->cr_svgid = svgid; 1838} 1839