kern_prot.c revision 93580
1/* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD: head/sys/kern/kern_prot.c 93580 2002-04-01 20:13:31Z jhb $ 41 */ 42 43/* 44 * System calls related to processes and protection 45 */ 46 47#include "opt_compat.h" 48 49#include <sys/param.h> 50#include <sys/systm.h> 51#include <sys/acct.h> 52#include <sys/kernel.h> 53#include <sys/lock.h> 54#include <sys/malloc.h> 55#include <sys/mutex.h> 56#include <sys/sx.h> 57#include <sys/proc.h> 58#include <sys/sysproto.h> 59#include <sys/jail.h> 60#include <sys/pioctl.h> 61#include <sys/resourcevar.h> 62#include <sys/socket.h> 63#include <sys/socketvar.h> 64#include <sys/sysctl.h> 65 66static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 67 68SYSCTL_DECL(_security); 69SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 70 "BSD security policy"); 71 72#ifndef _SYS_SYSPROTO_H_ 73struct getpid_args { 74 int dummy; 75}; 76#endif 77/* 78 * MPSAFE 79 */ 80/* ARGSUSED */ 81int 82getpid(struct thread *td, struct getpid_args *uap) 83{ 84 struct proc *p = td->td_proc; 85 int s; 86 87 s = mtx_lock_giant(kern_giant_proc); 88 td->td_retval[0] = p->p_pid; 89#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 90 PROC_LOCK(p); 91 td->td_retval[1] = p->p_pptr->p_pid; 92 PROC_UNLOCK(p); 93#endif 94 mtx_unlock_giant(s); 95 return (0); 96} 97 98#ifndef _SYS_SYSPROTO_H_ 99struct getppid_args { 100 int dummy; 101}; 102#endif 103/* 104 * MPSAFE 105 */ 106/* ARGSUSED */ 107int 108getppid(struct thread *td, struct getppid_args *uap) 109{ 110 struct proc *p = td->td_proc; 111 int s; 112 113 s = mtx_lock_giant(kern_giant_proc); 114 PROC_LOCK(p); 115 td->td_retval[0] = p->p_pptr->p_pid; 116 PROC_UNLOCK(p); 117 mtx_unlock_giant(s); 118 return (0); 119} 120 121/* 122 * Get process group ID; note that POSIX getpgrp takes no parameter. 123 */ 124#ifndef _SYS_SYSPROTO_H_ 125struct getpgrp_args { 126 int dummy; 127}; 128#endif 129/* 130 * MPSAFE 131 */ 132int 133getpgrp(struct thread *td, struct getpgrp_args *uap) 134{ 135 struct proc *p = td->td_proc; 136 int s; 137 138 s = mtx_lock_giant(kern_giant_proc); 139 PROC_LOCK(p); 140 td->td_retval[0] = p->p_pgrp->pg_id; 141 PROC_UNLOCK(p); 142 mtx_unlock_giant(s); 143 return (0); 144} 145 146/* Get an arbitary pid's process group id */ 147#ifndef _SYS_SYSPROTO_H_ 148struct getpgid_args { 149 pid_t pid; 150}; 151#endif 152/* 153 * MPSAFE 154 */ 155int 156getpgid(struct thread *td, struct getpgid_args *uap) 157{ 158 struct proc *p = td->td_proc; 159 struct proc *pt; 160 int error; 161 162 mtx_lock(&Giant); 163 error = 0; 164 if (uap->pid == 0) { 165 PROC_LOCK(p); 166 td->td_retval[0] = p->p_pgrp->pg_id; 167 PROC_UNLOCK(p); 168 } else if ((pt = pfind(uap->pid)) == NULL) 169 error = ESRCH; 170 else { 171 error = p_cansee(p, pt); 172 if (error == 0) 173 td->td_retval[0] = pt->p_pgrp->pg_id; 174 PROC_UNLOCK(pt); 175 } 176 mtx_unlock(&Giant); 177 return (error); 178} 179 180/* 181 * Get an arbitary pid's session id. 182 */ 183#ifndef _SYS_SYSPROTO_H_ 184struct getsid_args { 185 pid_t pid; 186}; 187#endif 188/* 189 * MPSAFE 190 */ 191int 192getsid(struct thread *td, struct getsid_args *uap) 193{ 194 struct proc *p = td->td_proc; 195 struct proc *pt; 196 int error; 197 198 mtx_lock(&Giant); 199 error = 0; 200 if (uap->pid == 0) { 201 PROC_LOCK(p); 202 td->td_retval[0] = p->p_session->s_sid; 203 PROC_UNLOCK(p); 204 } else if ((pt = pfind(uap->pid)) == NULL) 205 error = ESRCH; 206 else { 207 error = p_cansee(p, pt); 208 if (error == 0) 209 td->td_retval[0] = pt->p_session->s_sid; 210 PROC_UNLOCK(pt); 211 } 212 mtx_unlock(&Giant); 213 return (error); 214} 215 216#ifndef _SYS_SYSPROTO_H_ 217struct getuid_args { 218 int dummy; 219}; 220#endif 221/* 222 * MPSAFE 223 */ 224/* ARGSUSED */ 225int 226getuid(struct thread *td, struct getuid_args *uap) 227{ 228 229 td->td_retval[0] = td->td_ucred->cr_ruid; 230#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 231 td->td_retval[1] = td->td_ucred->cr_uid; 232#endif 233 return (0); 234} 235 236#ifndef _SYS_SYSPROTO_H_ 237struct geteuid_args { 238 int dummy; 239}; 240#endif 241/* 242 * MPSAFE 243 */ 244/* ARGSUSED */ 245int 246geteuid(struct thread *td, struct geteuid_args *uap) 247{ 248 249 td->td_retval[0] = td->td_ucred->cr_uid; 250 return (0); 251} 252 253#ifndef _SYS_SYSPROTO_H_ 254struct getgid_args { 255 int dummy; 256}; 257#endif 258/* 259 * MPSAFE 260 */ 261/* ARGSUSED */ 262int 263getgid(struct thread *td, struct getgid_args *uap) 264{ 265 266 td->td_retval[0] = td->td_ucred->cr_rgid; 267#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 268 td->td_retval[1] = td->td_ucred->cr_groups[0]; 269#endif 270 return (0); 271} 272 273/* 274 * Get effective group ID. The "egid" is groups[0], and could be obtained 275 * via getgroups. This syscall exists because it is somewhat painful to do 276 * correctly in a library function. 277 */ 278#ifndef _SYS_SYSPROTO_H_ 279struct getegid_args { 280 int dummy; 281}; 282#endif 283/* 284 * MPSAFE 285 */ 286/* ARGSUSED */ 287int 288getegid(struct thread *td, struct getegid_args *uap) 289{ 290 291 td->td_retval[0] = td->td_ucred->cr_groups[0]; 292 return (0); 293} 294 295#ifndef _SYS_SYSPROTO_H_ 296struct getgroups_args { 297 u_int gidsetsize; 298 gid_t *gidset; 299}; 300#endif 301/* 302 * MPSAFE 303 */ 304int 305getgroups(struct thread *td, register struct getgroups_args *uap) 306{ 307 struct ucred *cred; 308 u_int ngrp; 309 int error; 310 311 cred = td->td_ucred; 312 if ((ngrp = uap->gidsetsize) == 0) { 313 td->td_retval[0] = cred->cr_ngroups; 314 return (0); 315 } 316 if (ngrp < cred->cr_ngroups) 317 return (EINVAL); 318 ngrp = cred->cr_ngroups; 319 error = copyout((caddr_t)cred->cr_groups, (caddr_t)uap->gidset, 320 ngrp * sizeof(gid_t)); 321 if (error == 0) 322 td->td_retval[0] = ngrp; 323 return (error); 324} 325 326#ifndef _SYS_SYSPROTO_H_ 327struct setsid_args { 328 int dummy; 329}; 330#endif 331/* 332 * MPSAFE 333 */ 334/* ARGSUSED */ 335int 336setsid(register struct thread *td, struct setsid_args *uap) 337{ 338 struct pgrp *pgrp; 339 int error; 340 struct proc *p = td->td_proc; 341 struct pgrp *newpgrp; 342 struct session *newsess; 343 344 error = 0; 345 pgrp = NULL; 346 347 mtx_lock(&Giant); 348 349 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 350 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 351 352 PGRPSESS_XLOCK(); 353 354 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 355 if (pgrp != NULL) 356 PGRP_UNLOCK(pgrp); 357 error = EPERM; 358 goto fail; 359 } else { 360 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 361 td->td_retval[0] = p->p_pid; 362 error = 0; 363 } 364 PGRPSESS_XUNLOCK(); 365 mtx_unlock(&Giant); 366 return (0); 367 368fail: 369 PGRPSESS_XUNLOCK(); 370 371 FREE(newpgrp, M_PGRP); 372 FREE(newsess, M_SESSION); 373 374 mtx_unlock(&Giant); 375 return (0); 376} 377 378/* 379 * set process group (setpgid/old setpgrp) 380 * 381 * caller does setpgid(targpid, targpgid) 382 * 383 * pid must be caller or child of caller (ESRCH) 384 * if a child 385 * pid must be in same session (EPERM) 386 * pid can't have done an exec (EACCES) 387 * if pgid != pid 388 * there must exist some pid in same session having pgid (EPERM) 389 * pid must not be session leader (EPERM) 390 */ 391#ifndef _SYS_SYSPROTO_H_ 392struct setpgid_args { 393 int pid; /* target process id */ 394 int pgid; /* target pgrp id */ 395}; 396#endif 397/* 398 * MPSAFE 399 */ 400/* ARGSUSED */ 401int 402setpgid(struct thread *td, register struct setpgid_args *uap) 403{ 404 struct proc *curp = td->td_proc; 405 register struct proc *targp; /* target process */ 406 register struct pgrp *pgrp; /* target pgrp */ 407 int error; 408 struct pgrp *newpgrp; 409 410 if (uap->pgid < 0) 411 return (EINVAL); 412 413 error = 0; 414 415 mtx_lock(&Giant); 416 417 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 418 419 PGRPSESS_XLOCK(); 420 421 if (uap->pid != 0 && uap->pid != curp->p_pid) { 422 sx_slock(&proctree_lock); 423 if ((targp = pfind(uap->pid)) == NULL) { 424 if (targp) 425 PROC_UNLOCK(targp); 426 sx_sunlock(&proctree_lock); 427 error = ESRCH; 428 goto fail; 429 } 430 if (!inferior(targp)) { 431 PROC_UNLOCK(targp); 432 sx_sunlock(&proctree_lock); 433 error = ESRCH; 434 goto fail; 435 } 436 sx_sunlock(&proctree_lock); 437 if ((error = p_cansee(curproc, targp))) { 438 PROC_UNLOCK(targp); 439 goto fail; 440 } 441 if (targp->p_pgrp == NULL || 442 targp->p_session != curp->p_session) { 443 PROC_UNLOCK(targp); 444 error = EPERM; 445 goto fail; 446 } 447 if (targp->p_flag & P_EXEC) { 448 PROC_UNLOCK(targp); 449 error = EACCES; 450 goto fail; 451 } 452 PROC_UNLOCK(targp); 453 } else 454 targp = curp; 455 if (SESS_LEADER(targp)) { 456 error = EPERM; 457 goto fail; 458 } 459 if (uap->pgid == 0) 460 uap->pgid = targp->p_pid; 461 if (uap->pgid == targp->p_pid) { 462 if (targp->p_pgid == uap->pgid) 463 goto done; 464 error = enterpgrp(targp, uap->pgid, newpgrp, NULL); 465 if (error == 0) 466 newpgrp = NULL; 467 } else { 468 if ((pgrp = pgfind(uap->pgid)) == NULL || 469 pgrp->pg_session != curp->p_session) { 470 if (pgrp != NULL) 471 PGRP_UNLOCK(pgrp); 472 error = EPERM; 473 goto fail; 474 } 475 if (pgrp == targp->p_pgrp) { 476 PGRP_UNLOCK(pgrp); 477 goto done; 478 } 479 PGRP_UNLOCK(pgrp); 480 error = enterthispgrp(targp, pgrp); 481 } 482done: 483 PGRPSESS_XUNLOCK(); 484 if (newpgrp != NULL) 485 FREE(newpgrp, M_PGRP); 486 mtx_unlock(&Giant); 487 return (0); 488 489fail: 490 PGRPSESS_XUNLOCK(); 491 492 KASSERT(newpgrp != NULL, ("setpgid failed and newpgrp is null.")); 493 KASSERT(error != 0, ("setpgid successfully failed?")); 494 FREE(newpgrp, M_PGRP); 495 496 mtx_unlock(&Giant); 497 return (error); 498} 499 500/* 501 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 502 * compatible. It says that setting the uid/gid to euid/egid is a special 503 * case of "appropriate privilege". Once the rules are expanded out, this 504 * basically means that setuid(nnn) sets all three id's, in all permitted 505 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 506 * does not set the saved id - this is dangerous for traditional BSD 507 * programs. For this reason, we *really* do not want to set 508 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 509 */ 510#define POSIX_APPENDIX_B_4_2_2 511 512#ifndef _SYS_SYSPROTO_H_ 513struct setuid_args { 514 uid_t uid; 515}; 516#endif 517/* 518 * MPSAFE 519 */ 520/* ARGSUSED */ 521int 522setuid(struct thread *td, struct setuid_args *uap) 523{ 524 struct proc *p = td->td_proc; 525 struct ucred *newcred, *oldcred; 526 uid_t uid; 527 int error; 528 529 uid = uap->uid; 530 mtx_lock(&Giant); 531 error = 0; 532 oldcred = p->p_ucred; 533 534 /* 535 * See if we have "permission" by POSIX 1003.1 rules. 536 * 537 * Note that setuid(geteuid()) is a special case of 538 * "appropriate privileges" in appendix B.4.2.2. We need 539 * to use this clause to be compatible with traditional BSD 540 * semantics. Basically, it means that "setuid(xx)" sets all 541 * three id's (assuming you have privs). 542 * 543 * Notes on the logic. We do things in three steps. 544 * 1: We determine if the euid is going to change, and do EPERM 545 * right away. We unconditionally change the euid later if this 546 * test is satisfied, simplifying that part of the logic. 547 * 2: We determine if the real and/or saved uids are going to 548 * change. Determined by compile options. 549 * 3: Change euid last. (after tests in #2 for "appropriate privs") 550 */ 551 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 552#ifdef _POSIX_SAVED_IDS 553 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 554#endif 555#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 556 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 557#endif 558 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 559 goto done2; 560 561 newcred = crdup(oldcred); 562#ifdef _POSIX_SAVED_IDS 563 /* 564 * Do we have "appropriate privileges" (are we root or uid == euid) 565 * If so, we are changing the real uid and/or saved uid. 566 */ 567 if ( 568#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 569 uid == oldcred->cr_uid || 570#endif 571 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 572#endif 573 { 574 /* 575 * Set the real uid and transfer proc count to new user. 576 */ 577 if (uid != oldcred->cr_ruid) { 578 change_ruid(newcred, uid); 579 setsugid(p); 580 } 581 /* 582 * Set saved uid 583 * 584 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 585 * the security of seteuid() depends on it. B.4.2.2 says it 586 * is important that we should do this. 587 */ 588 if (uid != oldcred->cr_svuid) { 589 change_svuid(newcred, uid); 590 setsugid(p); 591 } 592 } 593 594 /* 595 * In all permitted cases, we are changing the euid. 596 * Copy credentials so other references do not see our changes. 597 */ 598 if (uid != oldcred->cr_uid) { 599 change_euid(newcred, uid); 600 setsugid(p); 601 } 602 p->p_ucred = newcred; 603 crfree(oldcred); 604done2: 605 mtx_unlock(&Giant); 606 return (error); 607} 608 609#ifndef _SYS_SYSPROTO_H_ 610struct seteuid_args { 611 uid_t euid; 612}; 613#endif 614/* 615 * MPSAFE 616 */ 617/* ARGSUSED */ 618int 619seteuid(struct thread *td, struct seteuid_args *uap) 620{ 621 struct proc *p = td->td_proc; 622 struct ucred *newcred, *oldcred; 623 uid_t euid; 624 int error; 625 626 euid = uap->euid; 627 mtx_lock(&Giant); 628 error = 0; 629 oldcred = p->p_ucred; 630 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 631 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 632 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 633 goto done2; 634 /* 635 * Everything's okay, do it. Copy credentials so other references do 636 * not see our changes. 637 */ 638 newcred = crdup(oldcred); 639 if (oldcred->cr_uid != euid) { 640 change_euid(newcred, euid); 641 setsugid(p); 642 } 643 p->p_ucred = newcred; 644 crfree(oldcred); 645done2: 646 mtx_unlock(&Giant); 647 return (error); 648} 649 650#ifndef _SYS_SYSPROTO_H_ 651struct setgid_args { 652 gid_t gid; 653}; 654#endif 655/* 656 * MPSAFE 657 */ 658/* ARGSUSED */ 659int 660setgid(struct thread *td, struct setgid_args *uap) 661{ 662 struct proc *p = td->td_proc; 663 struct ucred *newcred, *oldcred; 664 gid_t gid; 665 int error; 666 667 gid = uap->gid; 668 mtx_lock(&Giant); 669 error = 0; 670 oldcred = p->p_ucred; 671 672 /* 673 * See if we have "permission" by POSIX 1003.1 rules. 674 * 675 * Note that setgid(getegid()) is a special case of 676 * "appropriate privileges" in appendix B.4.2.2. We need 677 * to use this clause to be compatible with traditional BSD 678 * semantics. Basically, it means that "setgid(xx)" sets all 679 * three id's (assuming you have privs). 680 * 681 * For notes on the logic here, see setuid() above. 682 */ 683 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 684#ifdef _POSIX_SAVED_IDS 685 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 686#endif 687#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 688 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 689#endif 690 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 691 goto done2; 692 693 newcred = crdup(oldcred); 694#ifdef _POSIX_SAVED_IDS 695 /* 696 * Do we have "appropriate privileges" (are we root or gid == egid) 697 * If so, we are changing the real uid and saved gid. 698 */ 699 if ( 700#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 701 gid == oldcred->cr_groups[0] || 702#endif 703 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 704#endif 705 { 706 /* 707 * Set real gid 708 */ 709 if (oldcred->cr_rgid != gid) { 710 change_rgid(newcred, gid); 711 setsugid(p); 712 } 713 /* 714 * Set saved gid 715 * 716 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 717 * the security of setegid() depends on it. B.4.2.2 says it 718 * is important that we should do this. 719 */ 720 if (oldcred->cr_svgid != gid) { 721 change_svgid(newcred, gid); 722 setsugid(p); 723 } 724 } 725 /* 726 * In all cases permitted cases, we are changing the egid. 727 * Copy credentials so other references do not see our changes. 728 */ 729 if (oldcred->cr_groups[0] != gid) { 730 change_egid(newcred, gid); 731 setsugid(p); 732 } 733 p->p_ucred = newcred; 734 crfree(oldcred); 735done2: 736 mtx_unlock(&Giant); 737 return (error); 738} 739 740#ifndef _SYS_SYSPROTO_H_ 741struct setegid_args { 742 gid_t egid; 743}; 744#endif 745/* 746 * MPSAFE 747 */ 748/* ARGSUSED */ 749int 750setegid(struct thread *td, struct setegid_args *uap) 751{ 752 struct proc *p = td->td_proc; 753 struct ucred *newcred, *oldcred; 754 gid_t egid; 755 int error; 756 757 egid = uap->egid; 758 mtx_lock(&Giant); 759 error = 0; 760 oldcred = p->p_ucred; 761 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 762 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 763 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 764 goto done2; 765 newcred = crdup(oldcred); 766 if (oldcred->cr_groups[0] != egid) { 767 change_egid(newcred, egid); 768 setsugid(p); 769 } 770 p->p_ucred = newcred; 771 crfree(oldcred); 772done2: 773 mtx_unlock(&Giant); 774 return (error); 775} 776 777#ifndef _SYS_SYSPROTO_H_ 778struct setgroups_args { 779 u_int gidsetsize; 780 gid_t *gidset; 781}; 782#endif 783/* 784 * MPSAFE 785 */ 786/* ARGSUSED */ 787int 788setgroups(struct thread *td, struct setgroups_args *uap) 789{ 790 struct proc *p = td->td_proc; 791 struct ucred *newcred, *oldcred; 792 u_int ngrp; 793 int error; 794 795 ngrp = uap->gidsetsize; 796 mtx_lock(&Giant); 797 oldcred = p->p_ucred; 798 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 799 goto done2; 800 if (ngrp > NGROUPS) { 801 error = EINVAL; 802 goto done2; 803 } 804 /* 805 * XXX A little bit lazy here. We could test if anything has 806 * changed before crcopy() and setting P_SUGID. 807 */ 808 newcred = crdup(oldcred); 809 if (ngrp < 1) { 810 /* 811 * setgroups(0, NULL) is a legitimate way of clearing the 812 * groups vector on non-BSD systems (which generally do not 813 * have the egid in the groups[0]). We risk security holes 814 * when running non-BSD software if we do not do the same. 815 */ 816 newcred->cr_ngroups = 1; 817 } else { 818 if ((error = copyin((caddr_t)uap->gidset, 819 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 820 crfree(newcred); 821 goto done2; 822 } 823 newcred->cr_ngroups = ngrp; 824 } 825 setsugid(p); 826 p->p_ucred = newcred; 827 crfree(oldcred); 828done2: 829 mtx_unlock(&Giant); 830 return (error); 831} 832 833#ifndef _SYS_SYSPROTO_H_ 834struct setreuid_args { 835 uid_t ruid; 836 uid_t euid; 837}; 838#endif 839/* 840 * MPSAFE 841 */ 842/* ARGSUSED */ 843int 844setreuid(register struct thread *td, struct setreuid_args *uap) 845{ 846 struct proc *p = td->td_proc; 847 struct ucred *newcred, *oldcred; 848 uid_t euid, ruid; 849 int error; 850 851 euid = uap->euid; 852 ruid = uap->ruid; 853 mtx_lock(&Giant); 854 error = 0; 855 oldcred = p->p_ucred; 856 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 857 ruid != oldcred->cr_svuid) || 858 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 859 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 860 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 861 goto done2; 862 newcred = crdup(oldcred); 863 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 864 change_euid(newcred, euid); 865 setsugid(p); 866 } 867 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 868 change_ruid(newcred, ruid); 869 setsugid(p); 870 } 871 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 872 newcred->cr_svuid != newcred->cr_uid) { 873 change_svuid(newcred, newcred->cr_uid); 874 setsugid(p); 875 } 876 p->p_ucred = newcred; 877 crfree(oldcred); 878done2: 879 mtx_unlock(&Giant); 880 return (error); 881} 882 883#ifndef _SYS_SYSPROTO_H_ 884struct setregid_args { 885 gid_t rgid; 886 gid_t egid; 887}; 888#endif 889/* 890 * MPSAFE 891 */ 892/* ARGSUSED */ 893int 894setregid(register struct thread *td, struct setregid_args *uap) 895{ 896 struct proc *p = td->td_proc; 897 struct ucred *newcred, *oldcred; 898 gid_t egid, rgid; 899 int error; 900 901 egid = uap->egid; 902 rgid = uap->rgid; 903 mtx_lock(&Giant); 904 error = 0; 905 oldcred = p->p_ucred; 906 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 907 rgid != oldcred->cr_svgid) || 908 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 909 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 910 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 911 goto done2; 912 newcred = crdup(oldcred); 913 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 914 change_egid(newcred, egid); 915 setsugid(p); 916 } 917 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 918 change_rgid(newcred, rgid); 919 setsugid(p); 920 } 921 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 922 newcred->cr_svgid != newcred->cr_groups[0]) { 923 change_svgid(newcred, newcred->cr_groups[0]); 924 setsugid(p); 925 } 926 p->p_ucred = newcred; 927 crfree(oldcred); 928done2: 929 mtx_unlock(&Giant); 930 return (error); 931} 932 933/* 934 * setresuid(ruid, euid, suid) is like setreuid except control over the 935 * saved uid is explicit. 936 */ 937 938#ifndef _SYS_SYSPROTO_H_ 939struct setresuid_args { 940 uid_t ruid; 941 uid_t euid; 942 uid_t suid; 943}; 944#endif 945/* 946 * MPSAFE 947 */ 948/* ARGSUSED */ 949int 950setresuid(register struct thread *td, struct setresuid_args *uap) 951{ 952 struct proc *p = td->td_proc; 953 struct ucred *newcred, *oldcred; 954 uid_t euid, ruid, suid; 955 int error; 956 957 euid = uap->euid; 958 ruid = uap->ruid; 959 suid = uap->suid; 960 mtx_lock(&Giant); 961 oldcred = p->p_ucred; 962 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 963 ruid != oldcred->cr_svuid && 964 ruid != oldcred->cr_uid) || 965 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 966 euid != oldcred->cr_svuid && 967 euid != oldcred->cr_uid) || 968 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 969 suid != oldcred->cr_svuid && 970 suid != oldcred->cr_uid)) && 971 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 972 goto done2; 973 newcred = crdup(oldcred); 974 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 975 change_euid(newcred, euid); 976 setsugid(p); 977 } 978 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 979 change_ruid(newcred, ruid); 980 setsugid(p); 981 } 982 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 983 change_svuid(newcred, suid); 984 setsugid(p); 985 } 986 p->p_ucred = newcred; 987 crfree(oldcred); 988 error = 0; 989done2: 990 mtx_unlock(&Giant); 991 return (error); 992} 993 994/* 995 * setresgid(rgid, egid, sgid) is like setregid except control over the 996 * saved gid is explicit. 997 */ 998 999#ifndef _SYS_SYSPROTO_H_ 1000struct setresgid_args { 1001 gid_t rgid; 1002 gid_t egid; 1003 gid_t sgid; 1004}; 1005#endif 1006/* 1007 * MPSAFE 1008 */ 1009/* ARGSUSED */ 1010int 1011setresgid(register struct thread *td, struct setresgid_args *uap) 1012{ 1013 struct proc *p = td->td_proc; 1014 struct ucred *newcred, *oldcred; 1015 gid_t egid, rgid, sgid; 1016 int error; 1017 1018 egid = uap->egid; 1019 rgid = uap->rgid; 1020 sgid = uap->sgid; 1021 mtx_lock(&Giant); 1022 oldcred = p->p_ucred; 1023 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1024 rgid != oldcred->cr_svgid && 1025 rgid != oldcred->cr_groups[0]) || 1026 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1027 egid != oldcred->cr_svgid && 1028 egid != oldcred->cr_groups[0]) || 1029 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1030 sgid != oldcred->cr_svgid && 1031 sgid != oldcred->cr_groups[0])) && 1032 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) 1033 goto done2; 1034 newcred = crdup(oldcred); 1035 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1036 change_egid(newcred, egid); 1037 setsugid(p); 1038 } 1039 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1040 change_rgid(newcred, rgid); 1041 setsugid(p); 1042 } 1043 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1044 change_svgid(newcred, sgid); 1045 setsugid(p); 1046 } 1047 p->p_ucred = newcred; 1048 crfree(oldcred); 1049 error = 0; 1050done2: 1051 mtx_unlock(&Giant); 1052 return (error); 1053} 1054 1055#ifndef _SYS_SYSPROTO_H_ 1056struct getresuid_args { 1057 uid_t *ruid; 1058 uid_t *euid; 1059 uid_t *suid; 1060}; 1061#endif 1062/* 1063 * MPSAFE 1064 */ 1065/* ARGSUSED */ 1066int 1067getresuid(register struct thread *td, struct getresuid_args *uap) 1068{ 1069 struct ucred *cred; 1070 int error1 = 0, error2 = 0, error3 = 0; 1071 1072 cred = td->td_ucred; 1073 if (uap->ruid) 1074 error1 = copyout((caddr_t)&cred->cr_ruid, 1075 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1076 if (uap->euid) 1077 error2 = copyout((caddr_t)&cred->cr_uid, 1078 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1079 if (uap->suid) 1080 error3 = copyout((caddr_t)&cred->cr_svuid, 1081 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1082 return (error1 ? error1 : error2 ? error2 : error3); 1083} 1084 1085#ifndef _SYS_SYSPROTO_H_ 1086struct getresgid_args { 1087 gid_t *rgid; 1088 gid_t *egid; 1089 gid_t *sgid; 1090}; 1091#endif 1092/* 1093 * MPSAFE 1094 */ 1095/* ARGSUSED */ 1096int 1097getresgid(register struct thread *td, struct getresgid_args *uap) 1098{ 1099 struct ucred *cred; 1100 int error1 = 0, error2 = 0, error3 = 0; 1101 1102 cred = td->td_ucred; 1103 if (uap->rgid) 1104 error1 = copyout((caddr_t)&cred->cr_rgid, 1105 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1106 if (uap->egid) 1107 error2 = copyout((caddr_t)&cred->cr_groups[0], 1108 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1109 if (uap->sgid) 1110 error3 = copyout((caddr_t)&cred->cr_svgid, 1111 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1112 return (error1 ? error1 : error2 ? error2 : error3); 1113} 1114 1115#ifndef _SYS_SYSPROTO_H_ 1116struct issetugid_args { 1117 int dummy; 1118}; 1119#endif 1120/* 1121 * NOT MPSAFE? 1122 */ 1123/* ARGSUSED */ 1124int 1125issetugid(register struct thread *td, struct issetugid_args *uap) 1126{ 1127 struct proc *p = td->td_proc; 1128 1129 /* 1130 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1131 * we use P_SUGID because we consider changing the owners as 1132 * "tainting" as well. 1133 * This is significant for procs that start as root and "become" 1134 * a user without an exec - programs cannot know *everything* 1135 * that libc *might* have put in their data segment. 1136 */ 1137 PROC_LOCK(p); 1138 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1139 PROC_UNLOCK(p); 1140 return (0); 1141} 1142 1143/* 1144 * MPSAFE 1145 */ 1146int 1147__setugid(struct thread *td, struct __setugid_args *uap) 1148{ 1149#ifdef REGRESSION 1150 int error; 1151 1152 mtx_lock(&Giant); 1153 error = 0; 1154 switch (uap->flag) { 1155 case 0: 1156 PROC_LOCK(td->td_proc); 1157 td->td_proc->p_flag &= ~P_SUGID; 1158 PROC_UNLOCK(td->td_proc); 1159 break; 1160 case 1: 1161 PROC_LOCK(td->td_proc); 1162 td->td_proc->p_flag |= P_SUGID; 1163 PROC_UNLOCK(td->td_proc); 1164 break; 1165 default: 1166 error = EINVAL; 1167 break; 1168 } 1169 mtx_unlock(&Giant); 1170 return (error); 1171#else /* !REGRESSION */ 1172 1173 return (ENOSYS); 1174#endif /* REGRESSION */ 1175} 1176 1177/* 1178 * Check if gid is a member of the group set. 1179 * 1180 * MPSAFE (cred must be held) 1181 */ 1182int 1183groupmember(gid_t gid, struct ucred *cred) 1184{ 1185 register gid_t *gp; 1186 gid_t *egp; 1187 1188 egp = &(cred->cr_groups[cred->cr_ngroups]); 1189 for (gp = cred->cr_groups; gp < egp; gp++) 1190 if (*gp == gid) 1191 return (1); 1192 return (0); 1193} 1194 1195/* 1196 * `suser_enabled' (which can be set by the security.suser_enabled 1197 * sysctl) determines whether the system 'super-user' policy is in effect. 1198 * If it is nonzero, an effective uid of 0 connotes special privilege, 1199 * overriding many mandatory and discretionary protections. If it is zero, 1200 * uid 0 is offered no special privilege in the kernel security policy. 1201 * Setting it to zero may seriously impact the functionality of many 1202 * existing userland programs, and should not be done without careful 1203 * consideration of the consequences. 1204 */ 1205int suser_enabled = 1; 1206SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1207 &suser_enabled, 0, "processes with uid 0 have privilege"); 1208TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1209 1210/* 1211 * Test whether the specified credentials imply "super-user" privilege. 1212 * Return 0 or EPERM. 1213 */ 1214int 1215suser(struct proc *p) 1216{ 1217 1218 return (suser_xxx(0, p, 0)); 1219} 1220 1221/* 1222 * version for when the thread pointer is available and not the proc. 1223 * (saves having to include proc.h into every file that needs to do the change.) 1224 */ 1225int 1226suser_td(struct thread *td) 1227{ 1228 return (suser_xxx(0, td->td_proc, 0)); 1229} 1230 1231/* 1232 * wrapper to use if you have the thread on hand but not the proc. 1233 * 1234 * MPSAFE (cred must be held) 1235 */ 1236int 1237suser_xxx_td(struct ucred *cred, struct thread *td, int flag) 1238{ 1239 return(suser_xxx(cred, td->td_proc, flag)); 1240} 1241 1242int 1243suser_xxx(struct ucred *cred, struct proc *proc, int flag) 1244{ 1245 if (!suser_enabled) 1246 return (EPERM); 1247 if (!cred && !proc) { 1248 printf("suser_xxx(): THINK!\n"); 1249 return (EPERM); 1250 } 1251 if (cred == NULL) 1252 cred = proc->p_ucred; 1253 if (cred->cr_uid != 0) 1254 return (EPERM); 1255 if (jailed(cred) && !(flag & PRISON_ROOT)) 1256 return (EPERM); 1257 return (0); 1258} 1259 1260/* 1261 * Test the active securelevel against a given level. securelevel_gt() 1262 * implements (securelevel > level). securelevel_ge() implements 1263 * (securelevel >= level). Note that the logic is inverted -- these 1264 * functions return EPERM on "success" and 0 on "failure". 1265 * 1266 * cr is permitted to be NULL for the time being, as there were some 1267 * existing securelevel checks that occurred without a process/credential 1268 * context. In the future this will be disallowed, so a kernel message 1269 * is displayed. 1270 * 1271 * MPSAFE 1272 */ 1273int 1274securelevel_gt(struct ucred *cr, int level) 1275{ 1276 int active_securelevel; 1277 1278 active_securelevel = securelevel; 1279 if (cr == NULL) 1280 panic("securelevel_gt: cr is NULL\n"); 1281 if (cr->cr_prison != NULL) { 1282 mtx_lock(&cr->cr_prison->pr_mtx); 1283 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1284 active_securelevel); 1285 mtx_unlock(&cr->cr_prison->pr_mtx); 1286 } 1287 return (active_securelevel > level ? EPERM : 0); 1288} 1289 1290int 1291securelevel_ge(struct ucred *cr, int level) 1292{ 1293 int active_securelevel; 1294 1295 active_securelevel = securelevel; 1296 if (cr == NULL) 1297 panic("securelevel_gt: cr is NULL\n"); 1298 if (cr->cr_prison != NULL) { 1299 mtx_lock(&cr->cr_prison->pr_mtx); 1300 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1301 active_securelevel); 1302 mtx_unlock(&cr->cr_prison->pr_mtx); 1303 } 1304 return (active_securelevel >= level ? EPERM : 0); 1305} 1306 1307/* 1308 * 'see_other_uids' determines whether or not visibility of processes 1309 * and sockets with credentials holding different real uids is possible 1310 * using a variety of system MIBs. 1311 * XXX: data declarations should be together near the beginning of the file. 1312 */ 1313static int see_other_uids = 1; 1314SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1315 &see_other_uids, 0, 1316 "Unprivileged processes may see subjects/objects with different real uid"); 1317 1318/*- 1319 * Determine if u1 "can see" the subject specified by u2, according to the 1320 * 'see_other_uids' policy. 1321 * Returns: 0 for permitted, ESRCH otherwise 1322 * Locks: none 1323 * References: *u1 and *u2 must not change during the call 1324 * u1 may equal u2, in which case only one reference is required 1325 */ 1326static int 1327cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1328{ 1329 1330 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1331 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1332 return (ESRCH); 1333 } 1334 return (0); 1335} 1336 1337/*- 1338 * Determine if u1 "can see" the subject specified by u2. 1339 * Returns: 0 for permitted, an errno value otherwise 1340 * Locks: none 1341 * References: *u1 and *u2 must not change during the call 1342 * u1 may equal u2, in which case only one reference is required 1343 */ 1344int 1345cr_cansee(struct ucred *u1, struct ucred *u2) 1346{ 1347 int error; 1348 1349 if ((error = prison_check(u1, u2))) 1350 return (error); 1351 if ((error = cr_seeotheruids(u1, u2))) 1352 return (error); 1353 return (0); 1354} 1355 1356/*- 1357 * Determine if p1 "can see" the subject specified by p2. 1358 * Returns: 0 for permitted, an errno value otherwise 1359 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1360 * be held. Normally, p1 will be curproc, and a lock must be held 1361 * for p2. 1362 * References: p1 and p2 must be valid for the lifetime of the call 1363 */ 1364int 1365p_cansee(struct proc *p1, struct proc *p2) 1366{ 1367 1368 /* Wrap cr_cansee() for all functionality. */ 1369 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1370} 1371 1372/*- 1373 * Determine whether cred may deliver the specified signal to proc. 1374 * Returns: 0 for permitted, an errno value otherwise. 1375 * Locks: A lock must be held for proc. 1376 * References: cred and proc must be valid for the lifetime of the call. 1377 */ 1378int 1379cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1380{ 1381 int error; 1382 1383 /* 1384 * Jail semantics limit the scope of signalling to proc in the 1385 * same jail as cred, if cred is in jail. 1386 */ 1387 error = prison_check(cred, proc->p_ucred); 1388 if (error) 1389 return (error); 1390 error = cr_seeotheruids(cred, proc->p_ucred); 1391 if (error) 1392 return (error); 1393 1394 /* 1395 * UNIX signal semantics depend on the status of the P_SUGID 1396 * bit on the target process. If the bit is set, then additional 1397 * restrictions are placed on the set of available signals. 1398 */ 1399 if (proc->p_flag & P_SUGID) { 1400 switch (signum) { 1401 case 0: 1402 case SIGKILL: 1403 case SIGINT: 1404 case SIGTERM: 1405 case SIGSTOP: 1406 case SIGTTIN: 1407 case SIGTTOU: 1408 case SIGTSTP: 1409 case SIGHUP: 1410 case SIGUSR1: 1411 case SIGUSR2: 1412 /* 1413 * Generally, permit job and terminal control 1414 * signals. 1415 */ 1416 break; 1417 default: 1418 /* Not permitted without privilege. */ 1419 error = suser_xxx(cred, NULL, PRISON_ROOT); 1420 if (error) 1421 return (error); 1422 } 1423 } 1424 1425 /* 1426 * Generally, the target credential's ruid or svuid must match the 1427 * subject credential's ruid or euid. 1428 */ 1429 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1430 cred->cr_ruid != proc->p_ucred->cr_svuid && 1431 cred->cr_uid != proc->p_ucred->cr_ruid && 1432 cred->cr_uid != proc->p_ucred->cr_svuid) { 1433 /* Not permitted without privilege. */ 1434 error = suser_xxx(cred, NULL, PRISON_ROOT); 1435 if (error) 1436 return (error); 1437 } 1438 1439 return (0); 1440} 1441 1442 1443/*- 1444 * Determine whether p1 may deliver the specified signal to p2. 1445 * Returns: 0 for permitted, an errno value otherwise 1446 * Locks: Sufficient locks to protect various components of p1 and p2 1447 * must be held. Normally, p1 will be curproc, and a lock must 1448 * be held for p2. 1449 * References: p1 and p2 must be valid for the lifetime of the call 1450 */ 1451int 1452p_cansignal(struct proc *p1, struct proc *p2, int signum) 1453{ 1454 1455 if (p1 == p2) 1456 return (0); 1457 1458 /* 1459 * UNIX signalling semantics require that processes in the same 1460 * session always be able to deliver SIGCONT to one another, 1461 * overriding the remaining protections. 1462 */ 1463 if (signum == SIGCONT && p1->p_session == p2->p_session) 1464 return (0); 1465 1466 return (cr_cansignal(p1->p_ucred, p2, signum)); 1467} 1468 1469/*- 1470 * Determine whether p1 may reschedule p2. 1471 * Returns: 0 for permitted, an errno value otherwise 1472 * Locks: Sufficient locks to protect various components of p1 and p2 1473 * must be held. Normally, p1 will be curproc, and a lock must 1474 * be held for p2. 1475 * References: p1 and p2 must be valid for the lifetime of the call 1476 */ 1477int 1478p_cansched(struct proc *p1, struct proc *p2) 1479{ 1480 int error; 1481 1482 if (p1 == p2) 1483 return (0); 1484 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1485 return (error); 1486 if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred))) 1487 return (error); 1488 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1489 return (0); 1490 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1491 return (0); 1492 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1493 return (0); 1494 1495#ifdef CAPABILITIES 1496 if (!cap_check(NULL, p1, CAP_SYS_NICE, PRISON_ROOT)) 1497 return (0); 1498#endif 1499 1500 return (EPERM); 1501} 1502 1503/* 1504 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1505 * unprivileged inter-process debugging services, including some procfs 1506 * functionality, ptrace(), and ktrace(). In the past, inter-process 1507 * debugging has been involved in a variety of security problems, and sites 1508 * not requiring the service might choose to disable it when hardening 1509 * systems. 1510 * 1511 * XXX: Should modifying and reading this variable require locking? 1512 * XXX: data declarations should be together near the beginning of the file. 1513 */ 1514static int unprivileged_proc_debug = 1; 1515SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1516 &unprivileged_proc_debug, 0, 1517 "Unprivileged processes may use process debugging facilities"); 1518 1519/*- 1520 * Determine whether p1 may debug p2. 1521 * Returns: 0 for permitted, an errno value otherwise 1522 * Locks: Sufficient locks to protect various components of p1 and p2 1523 * must be held. Normally, p1 will be curproc, and a lock must 1524 * be held for p2. 1525 * References: p1 and p2 must be valid for the lifetime of the call 1526 */ 1527int 1528p_candebug(struct proc *p1, struct proc *p2) 1529{ 1530 int credentialchanged, error, grpsubset, i, uidsubset; 1531 1532 if (!unprivileged_proc_debug) { 1533 error = suser_xxx(NULL, p1, PRISON_ROOT); 1534 if (error) 1535 return (error); 1536 } 1537 if (p1 == p2) 1538 return (0); 1539 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1540 return (error); 1541 if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred))) 1542 return (error); 1543 1544 /* 1545 * Is p2's group set a subset of p1's effective group set? This 1546 * includes p2's egid, group access list, rgid, and svgid. 1547 */ 1548 grpsubset = 1; 1549 for (i = 0; i < p2->p_ucred->cr_ngroups; i++) { 1550 if (!groupmember(p2->p_ucred->cr_groups[i], p1->p_ucred)) { 1551 grpsubset = 0; 1552 break; 1553 } 1554 } 1555 grpsubset = grpsubset && 1556 groupmember(p2->p_ucred->cr_rgid, p1->p_ucred) && 1557 groupmember(p2->p_ucred->cr_svgid, p1->p_ucred); 1558 1559 /* 1560 * Are the uids present in p2's credential equal to p1's 1561 * effective uid? This includes p2's euid, svuid, and ruid. 1562 */ 1563 uidsubset = (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid && 1564 p1->p_ucred->cr_uid == p2->p_ucred->cr_svuid && 1565 p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid); 1566 1567 /* 1568 * Has the credential of the process changed since the last exec()? 1569 */ 1570 credentialchanged = (p2->p_flag & P_SUGID); 1571 1572 /* 1573 * If p2's gids aren't a subset, or the uids aren't a subset, 1574 * or the credential has changed, require appropriate privilege 1575 * for p1 to debug p2. For POSIX.1e capabilities, this will 1576 * require CAP_SYS_PTRACE. 1577 */ 1578 if (!grpsubset || !uidsubset || credentialchanged) { 1579 error = suser_xxx(NULL, p1, PRISON_ROOT); 1580 if (error) 1581 return (error); 1582 } 1583 1584 /* Can't trace init when securelevel > 0. */ 1585 if (p2 == initproc) { 1586 error = securelevel_gt(p1->p_ucred, 0); 1587 if (error) 1588 return (error); 1589 } 1590 1591 /* 1592 * Can't trace a process that's currently exec'ing. 1593 * XXX: Note, this is not a security policy decision, it's a 1594 * basic correctness/functionality decision. Therefore, this check 1595 * should be moved to the caller's of p_candebug(). 1596 */ 1597 if ((p2->p_flag & P_INEXEC) != 0) 1598 return (EAGAIN); 1599 1600 return (0); 1601} 1602 1603/*- 1604 * Determine whether the subject represented by cred can "see" a socket. 1605 * Returns: 0 for permitted, ENOENT otherwise. 1606 */ 1607int 1608cr_canseesocket(struct ucred *cred, struct socket *so) 1609{ 1610 int error; 1611 1612 error = prison_check(cred, so->so_cred); 1613 if (error) 1614 return (ENOENT); 1615 if (cr_seeotheruids(cred, so->so_cred)) 1616 return (ENOENT); 1617#ifdef MAC 1618 /* XXX: error = mac_cred_check_seesocket() here. */ 1619#endif 1620 1621 return (0); 1622} 1623 1624/* 1625 * Allocate a zeroed cred structure. 1626 */ 1627struct ucred * 1628crget(void) 1629{ 1630 register struct ucred *cr; 1631 1632 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1633 cr->cr_ref = 1; 1634 cr->cr_mtxp = mtx_pool_find(cr); 1635 return (cr); 1636} 1637 1638/* 1639 * Claim another reference to a ucred structure. 1640 */ 1641struct ucred * 1642crhold(struct ucred *cr) 1643{ 1644 1645 mtx_lock(cr->cr_mtxp); 1646 cr->cr_ref++; 1647 mtx_unlock(cr->cr_mtxp); 1648 return (cr); 1649} 1650 1651/* 1652 * Free a cred structure. 1653 * Throws away space when ref count gets to 0. 1654 */ 1655void 1656crfree(struct ucred *cr) 1657{ 1658 struct mtx *mtxp = cr->cr_mtxp; 1659 1660 mtx_lock(mtxp); 1661 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1662 if (--cr->cr_ref == 0) { 1663 /* 1664 * Some callers of crget(), such as nfs_statfs(), 1665 * allocate a temporary credential, but don't 1666 * allocate a uidinfo structure. 1667 */ 1668 mtx_unlock(mtxp); 1669 mtx_lock(&Giant); 1670 if (cr->cr_uidinfo != NULL) 1671 uifree(cr->cr_uidinfo); 1672 if (cr->cr_ruidinfo != NULL) 1673 uifree(cr->cr_ruidinfo); 1674 /* 1675 * Free a prison, if any. 1676 */ 1677 if (jailed(cr)) 1678 prison_free(cr->cr_prison); 1679 FREE((caddr_t)cr, M_CRED); 1680 mtx_unlock(&Giant); 1681 } else { 1682 mtx_unlock(mtxp); 1683 } 1684} 1685 1686/* 1687 * Check to see if this ucred is shared. 1688 */ 1689int 1690crshared(struct ucred *cr) 1691{ 1692 int shared; 1693 1694 mtx_lock(cr->cr_mtxp); 1695 shared = (cr->cr_ref > 1); 1696 mtx_unlock(cr->cr_mtxp); 1697 return (shared); 1698} 1699 1700/* 1701 * Copy a ucred's contents from a template. Does not block. 1702 */ 1703void 1704crcopy(struct ucred *dest, struct ucred *src) 1705{ 1706 1707 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1708 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1709 (unsigned)((caddr_t)&src->cr_endcopy - 1710 (caddr_t)&src->cr_startcopy)); 1711 uihold(dest->cr_uidinfo); 1712 uihold(dest->cr_ruidinfo); 1713 if (jailed(dest)) 1714 prison_hold(dest->cr_prison); 1715} 1716 1717/* 1718 * Dup cred struct to a new held one. 1719 */ 1720struct ucred * 1721crdup(struct ucred *cr) 1722{ 1723 struct ucred *newcr; 1724 1725 newcr = crget(); 1726 crcopy(newcr, cr); 1727 return (newcr); 1728} 1729 1730#ifdef DIAGNOSTIC 1731void 1732cred_free_thread(struct thread *td) 1733{ 1734 struct ucred *cred; 1735 1736 cred = td->td_ucred; 1737 td->td_ucred = NULL; 1738 if (cred != NULL) 1739 crfree(cred); 1740} 1741#endif 1742 1743/* 1744 * Fill in a struct xucred based on a struct ucred. 1745 */ 1746void 1747cru2x(struct ucred *cr, struct xucred *xcr) 1748{ 1749 1750 bzero(xcr, sizeof(*xcr)); 1751 xcr->cr_version = XUCRED_VERSION; 1752 xcr->cr_uid = cr->cr_uid; 1753 xcr->cr_ngroups = cr->cr_ngroups; 1754 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1755} 1756 1757/* 1758 * small routine to swap a thread's current ucred for the correct one 1759 * taken from the process. 1760 */ 1761void 1762cred_update_thread(struct thread *td) 1763{ 1764 struct proc *p; 1765 struct ucred *cred; 1766 1767 p = td->td_proc; 1768 cred = td->td_ucred; 1769 mtx_lock(&Giant); 1770 PROC_LOCK(p); 1771 td->td_ucred = crhold(p->p_ucred); 1772 PROC_UNLOCK(p); 1773 if (cred != NULL) 1774 crfree(cred); 1775 mtx_unlock(&Giant); 1776} 1777 1778/* 1779 * Get login name, if available. 1780 */ 1781#ifndef _SYS_SYSPROTO_H_ 1782struct getlogin_args { 1783 char *namebuf; 1784 u_int namelen; 1785}; 1786#endif 1787/* 1788 * MPSAFE 1789 */ 1790/* ARGSUSED */ 1791int 1792getlogin(struct thread *td, struct getlogin_args *uap) 1793{ 1794 int error; 1795 char login[MAXLOGNAME]; 1796 struct proc *p = td->td_proc; 1797 1798 mtx_lock(&Giant); 1799 if (uap->namelen > MAXLOGNAME) 1800 uap->namelen = MAXLOGNAME; 1801 PROC_LOCK(p); 1802 SESS_LOCK(p->p_session); 1803 bcopy(p->p_session->s_login, login, uap->namelen); 1804 SESS_UNLOCK(p->p_session); 1805 PROC_UNLOCK(p); 1806 error = copyout((caddr_t) login, (caddr_t) uap->namebuf, uap->namelen); 1807 mtx_unlock(&Giant); 1808 return(error); 1809} 1810 1811/* 1812 * Set login name. 1813 */ 1814#ifndef _SYS_SYSPROTO_H_ 1815struct setlogin_args { 1816 char *namebuf; 1817}; 1818#endif 1819/* 1820 * MPSAFE 1821 */ 1822/* ARGSUSED */ 1823int 1824setlogin(struct thread *td, struct setlogin_args *uap) 1825{ 1826 struct proc *p = td->td_proc; 1827 int error; 1828 char logintmp[MAXLOGNAME]; 1829 1830 mtx_lock(&Giant); 1831 if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0) 1832 goto done2; 1833 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1834 sizeof(logintmp), (size_t *)0); 1835 if (error == ENAMETOOLONG) 1836 error = EINVAL; 1837 else if (!error) { 1838 PROC_LOCK(p); 1839 SESS_LOCK(p->p_session); 1840 (void) memcpy(p->p_session->s_login, logintmp, 1841 sizeof(logintmp)); 1842 SESS_UNLOCK(p->p_session); 1843 PROC_UNLOCK(p); 1844 } 1845done2: 1846 mtx_unlock(&Giant); 1847 return (error); 1848} 1849 1850void 1851setsugid(struct proc *p) 1852{ 1853 p->p_flag |= P_SUGID; 1854 if (!(p->p_pfsflags & PF_ISUGID)) 1855 p->p_stops = 0; 1856} 1857 1858/*- 1859 * Change a process's effective uid. 1860 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1861 * References: newcred must be an exclusive credential reference for the 1862 * duration of the call. 1863 */ 1864void 1865change_euid(struct ucred *newcred, uid_t euid) 1866{ 1867 1868 newcred->cr_uid = euid; 1869 uifree(newcred->cr_uidinfo); 1870 newcred->cr_uidinfo = uifind(euid); 1871} 1872 1873/*- 1874 * Change a process's effective gid. 1875 * Side effects: newcred->cr_gid will be modified. 1876 * References: newcred must be an exclusive credential reference for the 1877 * duration of the call. 1878 */ 1879void 1880change_egid(struct ucred *newcred, gid_t egid) 1881{ 1882 1883 newcred->cr_groups[0] = egid; 1884} 1885 1886/*- 1887 * Change a process's real uid. 1888 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1889 * will be updated, and the old and new cr_ruidinfo proc 1890 * counts will be updated. 1891 * References: newcred must be an exclusive credential reference for the 1892 * duration of the call. 1893 */ 1894void 1895change_ruid(struct ucred *newcred, uid_t ruid) 1896{ 1897 1898 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1899 newcred->cr_ruid = ruid; 1900 uifree(newcred->cr_ruidinfo); 1901 newcred->cr_ruidinfo = uifind(ruid); 1902 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1903} 1904 1905/*- 1906 * Change a process's real gid. 1907 * Side effects: newcred->cr_rgid will be updated. 1908 * References: newcred must be an exclusive credential reference for the 1909 * duration of the call. 1910 */ 1911void 1912change_rgid(struct ucred *newcred, gid_t rgid) 1913{ 1914 1915 newcred->cr_rgid = rgid; 1916} 1917 1918/*- 1919 * Change a process's saved uid. 1920 * Side effects: newcred->cr_svuid will be updated. 1921 * References: newcred must be an exclusive credential reference for the 1922 * duration of the call. 1923 */ 1924void 1925change_svuid(struct ucred *newcred, uid_t svuid) 1926{ 1927 1928 newcred->cr_svuid = svuid; 1929} 1930 1931/*- 1932 * Change a process's saved gid. 1933 * Side effects: newcred->cr_svgid will be updated. 1934 * References: newcred must be an exclusive credential reference for the 1935 * duration of the call. 1936 */ 1937void 1938change_svgid(struct ucred *newcred, gid_t svgid) 1939{ 1940 1941 newcred->cr_svgid = svgid; 1942} 1943