kern_prot.c revision 98403
1/* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD: head/sys/kern/kern_prot.c 98403 2002-06-18 22:41:35Z alfred $ 41 */ 42 43/* 44 * System calls related to processes and protection 45 */ 46 47#include "opt_compat.h" 48 49#include <sys/param.h> 50#include <sys/systm.h> 51#include <sys/acct.h> 52#include <sys/kernel.h> 53#include <sys/lock.h> 54#include <sys/malloc.h> 55#include <sys/mutex.h> 56#include <sys/sx.h> 57#include <sys/proc.h> 58#include <sys/sysproto.h> 59#include <sys/jail.h> 60#include <sys/pioctl.h> 61#include <sys/resourcevar.h> 62#include <sys/socket.h> 63#include <sys/socketvar.h> 64#include <sys/sysctl.h> 65 66static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 67 68SYSCTL_DECL(_security); 69SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, 70 "BSD security policy"); 71 72#ifndef _SYS_SYSPROTO_H_ 73struct getpid_args { 74 int dummy; 75}; 76#endif 77/* 78 * MPSAFE 79 */ 80/* ARGSUSED */ 81int 82getpid(struct thread *td, struct getpid_args *uap) 83{ 84 struct proc *p = td->td_proc; 85 int s; 86 87 s = mtx_lock_giant(kern_giant_proc); 88 td->td_retval[0] = p->p_pid; 89#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 90 PROC_LOCK(p); 91 td->td_retval[1] = p->p_pptr->p_pid; 92 PROC_UNLOCK(p); 93#endif 94 mtx_unlock_giant(s); 95 return (0); 96} 97 98#ifndef _SYS_SYSPROTO_H_ 99struct getppid_args { 100 int dummy; 101}; 102#endif 103/* 104 * MPSAFE 105 */ 106/* ARGSUSED */ 107int 108getppid(struct thread *td, struct getppid_args *uap) 109{ 110 struct proc *p = td->td_proc; 111 int s; 112 113 s = mtx_lock_giant(kern_giant_proc); 114 PROC_LOCK(p); 115 td->td_retval[0] = p->p_pptr->p_pid; 116 PROC_UNLOCK(p); 117 mtx_unlock_giant(s); 118 return (0); 119} 120 121/* 122 * Get process group ID; note that POSIX getpgrp takes no parameter. 123 */ 124#ifndef _SYS_SYSPROTO_H_ 125struct getpgrp_args { 126 int dummy; 127}; 128#endif 129/* 130 * MPSAFE 131 */ 132int 133getpgrp(struct thread *td, struct getpgrp_args *uap) 134{ 135 struct proc *p = td->td_proc; 136 int s; 137 138 s = mtx_lock_giant(kern_giant_proc); 139 PROC_LOCK(p); 140 td->td_retval[0] = p->p_pgrp->pg_id; 141 PROC_UNLOCK(p); 142 mtx_unlock_giant(s); 143 return (0); 144} 145 146/* Get an arbitary pid's process group id */ 147#ifndef _SYS_SYSPROTO_H_ 148struct getpgid_args { 149 pid_t pid; 150}; 151#endif 152/* 153 * MPSAFE 154 */ 155int 156getpgid(struct thread *td, struct getpgid_args *uap) 157{ 158 struct proc *p = td->td_proc; 159 struct proc *pt; 160 int error; 161 162 mtx_lock(&Giant); 163 error = 0; 164 if (uap->pid == 0) { 165 PROC_LOCK(p); 166 td->td_retval[0] = p->p_pgrp->pg_id; 167 PROC_UNLOCK(p); 168 } else if ((pt = pfind(uap->pid)) == NULL) 169 error = ESRCH; 170 else { 171 error = p_cansee(td, pt); 172 if (error == 0) 173 td->td_retval[0] = pt->p_pgrp->pg_id; 174 PROC_UNLOCK(pt); 175 } 176 mtx_unlock(&Giant); 177 return (error); 178} 179 180/* 181 * Get an arbitary pid's session id. 182 */ 183#ifndef _SYS_SYSPROTO_H_ 184struct getsid_args { 185 pid_t pid; 186}; 187#endif 188/* 189 * MPSAFE 190 */ 191int 192getsid(struct thread *td, struct getsid_args *uap) 193{ 194 struct proc *p = td->td_proc; 195 struct proc *pt; 196 int error; 197 198 mtx_lock(&Giant); 199 error = 0; 200 if (uap->pid == 0) { 201 PROC_LOCK(p); 202 td->td_retval[0] = p->p_session->s_sid; 203 PROC_UNLOCK(p); 204 } else if ((pt = pfind(uap->pid)) == NULL) 205 error = ESRCH; 206 else { 207 error = p_cansee(td, pt); 208 if (error == 0) 209 td->td_retval[0] = pt->p_session->s_sid; 210 PROC_UNLOCK(pt); 211 } 212 mtx_unlock(&Giant); 213 return (error); 214} 215 216#ifndef _SYS_SYSPROTO_H_ 217struct getuid_args { 218 int dummy; 219}; 220#endif 221/* 222 * MPSAFE 223 */ 224/* ARGSUSED */ 225int 226getuid(struct thread *td, struct getuid_args *uap) 227{ 228 229 td->td_retval[0] = td->td_ucred->cr_ruid; 230#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 231 td->td_retval[1] = td->td_ucred->cr_uid; 232#endif 233 return (0); 234} 235 236#ifndef _SYS_SYSPROTO_H_ 237struct geteuid_args { 238 int dummy; 239}; 240#endif 241/* 242 * MPSAFE 243 */ 244/* ARGSUSED */ 245int 246geteuid(struct thread *td, struct geteuid_args *uap) 247{ 248 249 td->td_retval[0] = td->td_ucred->cr_uid; 250 return (0); 251} 252 253#ifndef _SYS_SYSPROTO_H_ 254struct getgid_args { 255 int dummy; 256}; 257#endif 258/* 259 * MPSAFE 260 */ 261/* ARGSUSED */ 262int 263getgid(struct thread *td, struct getgid_args *uap) 264{ 265 266 td->td_retval[0] = td->td_ucred->cr_rgid; 267#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 268 td->td_retval[1] = td->td_ucred->cr_groups[0]; 269#endif 270 return (0); 271} 272 273/* 274 * Get effective group ID. The "egid" is groups[0], and could be obtained 275 * via getgroups. This syscall exists because it is somewhat painful to do 276 * correctly in a library function. 277 */ 278#ifndef _SYS_SYSPROTO_H_ 279struct getegid_args { 280 int dummy; 281}; 282#endif 283/* 284 * MPSAFE 285 */ 286/* ARGSUSED */ 287int 288getegid(struct thread *td, struct getegid_args *uap) 289{ 290 291 td->td_retval[0] = td->td_ucred->cr_groups[0]; 292 return (0); 293} 294 295#ifndef _SYS_SYSPROTO_H_ 296struct getgroups_args { 297 u_int gidsetsize; 298 gid_t *gidset; 299}; 300#endif 301/* 302 * MPSAFE 303 */ 304int 305getgroups(struct thread *td, register struct getgroups_args *uap) 306{ 307 struct ucred *cred; 308 u_int ngrp; 309 int error; 310 311 cred = td->td_ucred; 312 if ((ngrp = uap->gidsetsize) == 0) { 313 td->td_retval[0] = cred->cr_ngroups; 314 return (0); 315 } 316 if (ngrp < cred->cr_ngroups) 317 return (EINVAL); 318 ngrp = cred->cr_ngroups; 319 error = copyout((caddr_t)cred->cr_groups, (caddr_t)uap->gidset, 320 ngrp * sizeof(gid_t)); 321 if (error == 0) 322 td->td_retval[0] = ngrp; 323 return (error); 324} 325 326#ifndef _SYS_SYSPROTO_H_ 327struct setsid_args { 328 int dummy; 329}; 330#endif 331/* 332 * MPSAFE 333 */ 334/* ARGSUSED */ 335int 336setsid(register struct thread *td, struct setsid_args *uap) 337{ 338 struct pgrp *pgrp; 339 int error; 340 struct proc *p = td->td_proc; 341 struct pgrp *newpgrp; 342 struct session *newsess; 343 344 error = 0; 345 pgrp = NULL; 346 347 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 348 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 349 350 sx_xlock(&proctree_lock); 351 352 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 353 if (pgrp != NULL) 354 PGRP_UNLOCK(pgrp); 355 error = EPERM; 356 } else { 357 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 358 td->td_retval[0] = p->p_pid; 359 newpgrp = NULL; 360 newsess = NULL; 361 } 362 363 sx_xunlock(&proctree_lock); 364 365 if (newpgrp != NULL) 366 FREE(newpgrp, M_PGRP); 367 if (newsess != NULL) 368 FREE(newsess, M_SESSION); 369 370 return (error); 371} 372 373/* 374 * set process group (setpgid/old setpgrp) 375 * 376 * caller does setpgid(targpid, targpgid) 377 * 378 * pid must be caller or child of caller (ESRCH) 379 * if a child 380 * pid must be in same session (EPERM) 381 * pid can't have done an exec (EACCES) 382 * if pgid != pid 383 * there must exist some pid in same session having pgid (EPERM) 384 * pid must not be session leader (EPERM) 385 */ 386#ifndef _SYS_SYSPROTO_H_ 387struct setpgid_args { 388 int pid; /* target process id */ 389 int pgid; /* target pgrp id */ 390}; 391#endif 392/* 393 * MPSAFE 394 */ 395/* ARGSUSED */ 396int 397setpgid(struct thread *td, register struct setpgid_args *uap) 398{ 399 struct proc *curp = td->td_proc; 400 register struct proc *targp; /* target process */ 401 register struct pgrp *pgrp; /* target pgrp */ 402 int error; 403 struct pgrp *newpgrp; 404 405 if (uap->pgid < 0) 406 return (EINVAL); 407 408 error = 0; 409 410 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 411 412 sx_xlock(&proctree_lock); 413 if (uap->pid != 0 && uap->pid != curp->p_pid) { 414 if ((targp = pfind(uap->pid)) == NULL) { 415 if (targp) 416 PROC_UNLOCK(targp); 417 error = ESRCH; 418 goto done; 419 } 420 if (!inferior(targp)) { 421 PROC_UNLOCK(targp); 422 error = ESRCH; 423 goto done; 424 } 425 if ((error = p_cansee(curthread, targp))) { 426 PROC_UNLOCK(targp); 427 goto done; 428 } 429 if (targp->p_pgrp == NULL || 430 targp->p_session != curp->p_session) { 431 PROC_UNLOCK(targp); 432 error = EPERM; 433 goto done; 434 } 435 if (targp->p_flag & P_EXEC) { 436 PROC_UNLOCK(targp); 437 error = EACCES; 438 goto done; 439 } 440 PROC_UNLOCK(targp); 441 } else 442 targp = curp; 443 if (SESS_LEADER(targp)) { 444 error = EPERM; 445 goto done; 446 } 447 if (uap->pgid == 0) 448 uap->pgid = targp->p_pid; 449 if (uap->pgid == targp->p_pid) { 450 if (targp->p_pgid == uap->pgid) 451 goto done; 452 error = enterpgrp(targp, uap->pgid, newpgrp, NULL); 453 if (error == 0) 454 newpgrp = NULL; 455 } else { 456 if ((pgrp = pgfind(uap->pgid)) == NULL || 457 pgrp->pg_session != curp->p_session) { 458 if (pgrp != NULL) 459 PGRP_UNLOCK(pgrp); 460 error = EPERM; 461 goto done; 462 } 463 if (pgrp == targp->p_pgrp) { 464 PGRP_UNLOCK(pgrp); 465 goto done; 466 } 467 PGRP_UNLOCK(pgrp); 468 error = enterthispgrp(targp, pgrp); 469 } 470done: 471 sx_xunlock(&proctree_lock); 472 KASSERT((error == 0) || (newpgrp != NULL), 473 ("setpgid failed and newpgrp is NULL")); 474 if (newpgrp != NULL) 475 FREE(newpgrp, M_PGRP); 476 return (error); 477} 478 479/* 480 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 481 * compatible. It says that setting the uid/gid to euid/egid is a special 482 * case of "appropriate privilege". Once the rules are expanded out, this 483 * basically means that setuid(nnn) sets all three id's, in all permitted 484 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 485 * does not set the saved id - this is dangerous for traditional BSD 486 * programs. For this reason, we *really* do not want to set 487 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 488 */ 489#define POSIX_APPENDIX_B_4_2_2 490 491#ifndef _SYS_SYSPROTO_H_ 492struct setuid_args { 493 uid_t uid; 494}; 495#endif 496/* 497 * MPSAFE 498 */ 499/* ARGSUSED */ 500int 501setuid(struct thread *td, struct setuid_args *uap) 502{ 503 struct proc *p = td->td_proc; 504 struct ucred *newcred, *oldcred; 505 uid_t uid; 506 int error; 507 508 mtx_lock(&Giant); 509 uid = uap->uid; 510 newcred = crget(); 511 PROC_LOCK(p); 512 oldcred = p->p_ucred; 513 514 /* 515 * See if we have "permission" by POSIX 1003.1 rules. 516 * 517 * Note that setuid(geteuid()) is a special case of 518 * "appropriate privileges" in appendix B.4.2.2. We need 519 * to use this clause to be compatible with traditional BSD 520 * semantics. Basically, it means that "setuid(xx)" sets all 521 * three id's (assuming you have privs). 522 * 523 * Notes on the logic. We do things in three steps. 524 * 1: We determine if the euid is going to change, and do EPERM 525 * right away. We unconditionally change the euid later if this 526 * test is satisfied, simplifying that part of the logic. 527 * 2: We determine if the real and/or saved uids are going to 528 * change. Determined by compile options. 529 * 3: Change euid last. (after tests in #2 for "appropriate privs") 530 */ 531 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 532#ifdef _POSIX_SAVED_IDS 533 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 534#endif 535#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 536 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 537#endif 538 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 539 PROC_UNLOCK(p); 540 crfree(newcred); 541 mtx_unlock(&Giant); 542 return (error); 543 } 544 545 crcopy(newcred, oldcred); 546#ifdef _POSIX_SAVED_IDS 547 /* 548 * Do we have "appropriate privileges" (are we root or uid == euid) 549 * If so, we are changing the real uid and/or saved uid. 550 */ 551 if ( 552#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 553 uid == oldcred->cr_uid || 554#endif 555 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 556#endif 557 { 558 /* 559 * Set the real uid and transfer proc count to new user. 560 */ 561 if (uid != oldcred->cr_ruid) { 562 change_ruid(newcred, uid); 563 setsugid(p); 564 } 565 /* 566 * Set saved uid 567 * 568 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 569 * the security of seteuid() depends on it. B.4.2.2 says it 570 * is important that we should do this. 571 */ 572 if (uid != oldcred->cr_svuid) { 573 change_svuid(newcred, uid); 574 setsugid(p); 575 } 576 } 577 578 /* 579 * In all permitted cases, we are changing the euid. 580 * Copy credentials so other references do not see our changes. 581 */ 582 if (uid != oldcred->cr_uid) { 583 change_euid(newcred, uid); 584 setsugid(p); 585 } 586 p->p_ucred = newcred; 587 PROC_UNLOCK(p); 588 crfree(oldcred); 589 mtx_unlock(&Giant); 590 return (0); 591} 592 593#ifndef _SYS_SYSPROTO_H_ 594struct seteuid_args { 595 uid_t euid; 596}; 597#endif 598/* 599 * MPSAFE 600 */ 601/* ARGSUSED */ 602int 603seteuid(struct thread *td, struct seteuid_args *uap) 604{ 605 struct proc *p = td->td_proc; 606 struct ucred *newcred, *oldcred; 607 uid_t euid; 608 int error; 609 610 euid = uap->euid; 611 mtx_lock(&Giant); 612 newcred = crget(); 613 PROC_LOCK(p); 614 oldcred = p->p_ucred; 615 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 616 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 617 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 618 PROC_UNLOCK(p); 619 crfree(newcred); 620 mtx_unlock(&Giant); 621 return (error); 622 } 623 /* 624 * Everything's okay, do it. Copy credentials so other references do 625 * not see our changes. 626 */ 627 crcopy(newcred, oldcred); 628 if (oldcred->cr_uid != euid) { 629 change_euid(newcred, euid); 630 setsugid(p); 631 } 632 p->p_ucred = newcred; 633 PROC_UNLOCK(p); 634 crfree(oldcred); 635 mtx_unlock(&Giant); 636 return (0); 637} 638 639#ifndef _SYS_SYSPROTO_H_ 640struct setgid_args { 641 gid_t gid; 642}; 643#endif 644/* 645 * MPSAFE 646 */ 647/* ARGSUSED */ 648int 649setgid(struct thread *td, struct setgid_args *uap) 650{ 651 struct proc *p = td->td_proc; 652 struct ucred *newcred, *oldcred; 653 gid_t gid; 654 int error; 655 656 gid = uap->gid; 657 mtx_lock(&Giant); 658 newcred = crget(); 659 PROC_LOCK(p); 660 oldcred = p->p_ucred; 661 662 /* 663 * See if we have "permission" by POSIX 1003.1 rules. 664 * 665 * Note that setgid(getegid()) is a special case of 666 * "appropriate privileges" in appendix B.4.2.2. We need 667 * to use this clause to be compatible with traditional BSD 668 * semantics. Basically, it means that "setgid(xx)" sets all 669 * three id's (assuming you have privs). 670 * 671 * For notes on the logic here, see setuid() above. 672 */ 673 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 674#ifdef _POSIX_SAVED_IDS 675 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 676#endif 677#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 678 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 679#endif 680 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 681 PROC_UNLOCK(p); 682 crfree(newcred); 683 mtx_unlock(&Giant); 684 return (error); 685 } 686 687 crcopy(newcred, oldcred); 688#ifdef _POSIX_SAVED_IDS 689 /* 690 * Do we have "appropriate privileges" (are we root or gid == egid) 691 * If so, we are changing the real uid and saved gid. 692 */ 693 if ( 694#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 695 gid == oldcred->cr_groups[0] || 696#endif 697 suser_cred(oldcred, PRISON_ROOT) == 0) /* we are using privs */ 698#endif 699 { 700 /* 701 * Set real gid 702 */ 703 if (oldcred->cr_rgid != gid) { 704 change_rgid(newcred, gid); 705 setsugid(p); 706 } 707 /* 708 * Set saved gid 709 * 710 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 711 * the security of setegid() depends on it. B.4.2.2 says it 712 * is important that we should do this. 713 */ 714 if (oldcred->cr_svgid != gid) { 715 change_svgid(newcred, gid); 716 setsugid(p); 717 } 718 } 719 /* 720 * In all cases permitted cases, we are changing the egid. 721 * Copy credentials so other references do not see our changes. 722 */ 723 if (oldcred->cr_groups[0] != gid) { 724 change_egid(newcred, gid); 725 setsugid(p); 726 } 727 p->p_ucred = newcred; 728 PROC_UNLOCK(p); 729 crfree(oldcred); 730 mtx_unlock(&Giant); 731 return (0); 732} 733 734#ifndef _SYS_SYSPROTO_H_ 735struct setegid_args { 736 gid_t egid; 737}; 738#endif 739/* 740 * MPSAFE 741 */ 742/* ARGSUSED */ 743int 744setegid(struct thread *td, struct setegid_args *uap) 745{ 746 struct proc *p = td->td_proc; 747 struct ucred *newcred, *oldcred; 748 gid_t egid; 749 int error; 750 751 egid = uap->egid; 752 mtx_lock(&Giant); 753 newcred = crget(); 754 PROC_LOCK(p); 755 oldcred = p->p_ucred; 756 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 757 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 758 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 759 PROC_UNLOCK(p); 760 crfree(newcred); 761 mtx_unlock(&Giant); 762 return (error); 763 } 764 crcopy(newcred, oldcred); 765 if (oldcred->cr_groups[0] != egid) { 766 change_egid(newcred, egid); 767 setsugid(p); 768 } 769 p->p_ucred = newcred; 770 PROC_UNLOCK(p); 771 crfree(oldcred); 772 mtx_unlock(&Giant); 773 return (0); 774} 775 776#ifndef _SYS_SYSPROTO_H_ 777struct setgroups_args { 778 u_int gidsetsize; 779 gid_t *gidset; 780}; 781#endif 782/* 783 * MPSAFE 784 */ 785/* ARGSUSED */ 786int 787setgroups(struct thread *td, struct setgroups_args *uap) 788{ 789 struct proc *p = td->td_proc; 790 struct ucred *newcred, *tempcred, *oldcred; 791 u_int ngrp; 792 int error; 793 794 ngrp = uap->gidsetsize; 795 if (ngrp > NGROUPS) 796 return (EINVAL); 797 mtx_lock(&Giant); 798 tempcred = crget(); 799 error = copyin((caddr_t)uap->gidset, (caddr_t)tempcred->cr_groups, 800 ngrp * sizeof(gid_t)); 801 if (error != 0) { 802 crfree(tempcred); 803 mtx_unlock(&Giant); 804 return (error); 805 } 806 newcred = crget(); 807 PROC_LOCK(p); 808 oldcred = p->p_ucred; 809 error = suser_cred(oldcred, PRISON_ROOT); 810 if (error) { 811 PROC_UNLOCK(p); 812 crfree(newcred); 813 crfree(tempcred); 814 mtx_unlock(&Giant); 815 return (error); 816 } 817 818 /* 819 * XXX A little bit lazy here. We could test if anything has 820 * changed before crcopy() and setting P_SUGID. 821 */ 822 crcopy(newcred, oldcred); 823 if (ngrp < 1) { 824 /* 825 * setgroups(0, NULL) is a legitimate way of clearing the 826 * groups vector on non-BSD systems (which generally do not 827 * have the egid in the groups[0]). We risk security holes 828 * when running non-BSD software if we do not do the same. 829 */ 830 newcred->cr_ngroups = 1; 831 } else { 832 bcopy(tempcred->cr_groups, newcred->cr_groups, 833 ngrp * sizeof(gid_t)); 834 newcred->cr_ngroups = ngrp; 835 } 836 setsugid(p); 837 p->p_ucred = newcred; 838 PROC_UNLOCK(p); 839 crfree(tempcred); 840 crfree(oldcred); 841 mtx_unlock(&Giant); 842 return (0); 843} 844 845#ifndef _SYS_SYSPROTO_H_ 846struct setreuid_args { 847 uid_t ruid; 848 uid_t euid; 849}; 850#endif 851/* 852 * MPSAFE 853 */ 854/* ARGSUSED */ 855int 856setreuid(register struct thread *td, struct setreuid_args *uap) 857{ 858 struct proc *p = td->td_proc; 859 struct ucred *newcred, *oldcred; 860 uid_t euid, ruid; 861 int error; 862 863 euid = uap->euid; 864 ruid = uap->ruid; 865 mtx_lock(&Giant); 866 newcred = crget(); 867 PROC_LOCK(p); 868 oldcred = p->p_ucred; 869 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 870 ruid != oldcred->cr_svuid) || 871 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 872 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 873 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 874 PROC_UNLOCK(p); 875 crfree(newcred); 876 mtx_unlock(&Giant); 877 return (error); 878 } 879 crcopy(newcred, oldcred); 880 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 881 change_euid(newcred, euid); 882 setsugid(p); 883 } 884 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 885 change_ruid(newcred, ruid); 886 setsugid(p); 887 } 888 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 889 newcred->cr_svuid != newcred->cr_uid) { 890 change_svuid(newcred, newcred->cr_uid); 891 setsugid(p); 892 } 893 p->p_ucred = newcred; 894 PROC_UNLOCK(p); 895 crfree(oldcred); 896 mtx_unlock(&Giant); 897 return (0); 898} 899 900#ifndef _SYS_SYSPROTO_H_ 901struct setregid_args { 902 gid_t rgid; 903 gid_t egid; 904}; 905#endif 906/* 907 * MPSAFE 908 */ 909/* ARGSUSED */ 910int 911setregid(register struct thread *td, struct setregid_args *uap) 912{ 913 struct proc *p = td->td_proc; 914 struct ucred *newcred, *oldcred; 915 gid_t egid, rgid; 916 int error; 917 918 egid = uap->egid; 919 rgid = uap->rgid; 920 mtx_lock(&Giant); 921 newcred = crget(); 922 PROC_LOCK(p); 923 oldcred = p->p_ucred; 924 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 925 rgid != oldcred->cr_svgid) || 926 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 927 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 928 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 929 PROC_UNLOCK(p); 930 crfree(newcred); 931 mtx_unlock(&Giant); 932 return (error); 933 } 934 935 crcopy(newcred, oldcred); 936 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 937 change_egid(newcred, egid); 938 setsugid(p); 939 } 940 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 941 change_rgid(newcred, rgid); 942 setsugid(p); 943 } 944 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 945 newcred->cr_svgid != newcred->cr_groups[0]) { 946 change_svgid(newcred, newcred->cr_groups[0]); 947 setsugid(p); 948 } 949 p->p_ucred = newcred; 950 PROC_UNLOCK(p); 951 crfree(oldcred); 952 mtx_unlock(&Giant); 953 return (0); 954} 955 956/* 957 * setresuid(ruid, euid, suid) is like setreuid except control over the 958 * saved uid is explicit. 959 */ 960 961#ifndef _SYS_SYSPROTO_H_ 962struct setresuid_args { 963 uid_t ruid; 964 uid_t euid; 965 uid_t suid; 966}; 967#endif 968/* 969 * MPSAFE 970 */ 971/* ARGSUSED */ 972int 973setresuid(register struct thread *td, struct setresuid_args *uap) 974{ 975 struct proc *p = td->td_proc; 976 struct ucred *newcred, *oldcred; 977 uid_t euid, ruid, suid; 978 int error; 979 980 euid = uap->euid; 981 ruid = uap->ruid; 982 suid = uap->suid; 983 mtx_lock(&Giant); 984 newcred = crget(); 985 PROC_LOCK(p); 986 oldcred = p->p_ucred; 987 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 988 ruid != oldcred->cr_svuid && 989 ruid != oldcred->cr_uid) || 990 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 991 euid != oldcred->cr_svuid && 992 euid != oldcred->cr_uid) || 993 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 994 suid != oldcred->cr_svuid && 995 suid != oldcred->cr_uid)) && 996 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 997 PROC_UNLOCK(p); 998 crfree(newcred); 999 mtx_unlock(&Giant); 1000 return (error); 1001 } 1002 1003 crcopy(newcred, oldcred); 1004 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1005 change_euid(newcred, euid); 1006 setsugid(p); 1007 } 1008 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1009 change_ruid(newcred, ruid); 1010 setsugid(p); 1011 } 1012 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1013 change_svuid(newcred, suid); 1014 setsugid(p); 1015 } 1016 p->p_ucred = newcred; 1017 PROC_UNLOCK(p); 1018 crfree(oldcred); 1019 mtx_unlock(&Giant); 1020 return (0); 1021} 1022 1023/* 1024 * setresgid(rgid, egid, sgid) is like setregid except control over the 1025 * saved gid is explicit. 1026 */ 1027 1028#ifndef _SYS_SYSPROTO_H_ 1029struct setresgid_args { 1030 gid_t rgid; 1031 gid_t egid; 1032 gid_t sgid; 1033}; 1034#endif 1035/* 1036 * MPSAFE 1037 */ 1038/* ARGSUSED */ 1039int 1040setresgid(register struct thread *td, struct setresgid_args *uap) 1041{ 1042 struct proc *p = td->td_proc; 1043 struct ucred *newcred, *oldcred; 1044 gid_t egid, rgid, sgid; 1045 int error; 1046 1047 egid = uap->egid; 1048 rgid = uap->rgid; 1049 sgid = uap->sgid; 1050 mtx_lock(&Giant); 1051 newcred = crget(); 1052 PROC_LOCK(p); 1053 oldcred = p->p_ucred; 1054 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1055 rgid != oldcred->cr_svgid && 1056 rgid != oldcred->cr_groups[0]) || 1057 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1058 egid != oldcred->cr_svgid && 1059 egid != oldcred->cr_groups[0]) || 1060 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1061 sgid != oldcred->cr_svgid && 1062 sgid != oldcred->cr_groups[0])) && 1063 (error = suser_cred(oldcred, PRISON_ROOT)) != 0) { 1064 PROC_UNLOCK(p); 1065 crfree(newcred); 1066 mtx_unlock(&Giant); 1067 return (error); 1068 } 1069 1070 crcopy(newcred, oldcred); 1071 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1072 change_egid(newcred, egid); 1073 setsugid(p); 1074 } 1075 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1076 change_rgid(newcred, rgid); 1077 setsugid(p); 1078 } 1079 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1080 change_svgid(newcred, sgid); 1081 setsugid(p); 1082 } 1083 p->p_ucred = newcred; 1084 PROC_UNLOCK(p); 1085 crfree(oldcred); 1086 mtx_unlock(&Giant); 1087 return (0); 1088} 1089 1090#ifndef _SYS_SYSPROTO_H_ 1091struct getresuid_args { 1092 uid_t *ruid; 1093 uid_t *euid; 1094 uid_t *suid; 1095}; 1096#endif 1097/* 1098 * MPSAFE 1099 */ 1100/* ARGSUSED */ 1101int 1102getresuid(register struct thread *td, struct getresuid_args *uap) 1103{ 1104 struct ucred *cred; 1105 int error1 = 0, error2 = 0, error3 = 0; 1106 1107 cred = td->td_ucred; 1108 if (uap->ruid) 1109 error1 = copyout((caddr_t)&cred->cr_ruid, 1110 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1111 if (uap->euid) 1112 error2 = copyout((caddr_t)&cred->cr_uid, 1113 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1114 if (uap->suid) 1115 error3 = copyout((caddr_t)&cred->cr_svuid, 1116 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1117 return (error1 ? error1 : error2 ? error2 : error3); 1118} 1119 1120#ifndef _SYS_SYSPROTO_H_ 1121struct getresgid_args { 1122 gid_t *rgid; 1123 gid_t *egid; 1124 gid_t *sgid; 1125}; 1126#endif 1127/* 1128 * MPSAFE 1129 */ 1130/* ARGSUSED */ 1131int 1132getresgid(register struct thread *td, struct getresgid_args *uap) 1133{ 1134 struct ucred *cred; 1135 int error1 = 0, error2 = 0, error3 = 0; 1136 1137 cred = td->td_ucred; 1138 if (uap->rgid) 1139 error1 = copyout((caddr_t)&cred->cr_rgid, 1140 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1141 if (uap->egid) 1142 error2 = copyout((caddr_t)&cred->cr_groups[0], 1143 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1144 if (uap->sgid) 1145 error3 = copyout((caddr_t)&cred->cr_svgid, 1146 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1147 return (error1 ? error1 : error2 ? error2 : error3); 1148} 1149 1150#ifndef _SYS_SYSPROTO_H_ 1151struct issetugid_args { 1152 int dummy; 1153}; 1154#endif 1155/* 1156 * NOT MPSAFE? 1157 */ 1158/* ARGSUSED */ 1159int 1160issetugid(register struct thread *td, struct issetugid_args *uap) 1161{ 1162 struct proc *p = td->td_proc; 1163 1164 /* 1165 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1166 * we use P_SUGID because we consider changing the owners as 1167 * "tainting" as well. 1168 * This is significant for procs that start as root and "become" 1169 * a user without an exec - programs cannot know *everything* 1170 * that libc *might* have put in their data segment. 1171 */ 1172 PROC_LOCK(p); 1173 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1174 PROC_UNLOCK(p); 1175 return (0); 1176} 1177 1178/* 1179 * MPSAFE 1180 */ 1181int 1182__setugid(struct thread *td, struct __setugid_args *uap) 1183{ 1184#ifdef REGRESSION 1185 struct proc *p; 1186 1187 p = td->td_proc; 1188 switch (uap->flag) { 1189 case 0: 1190 mtx_lock(&Giant); 1191 PROC_LOCK(p); 1192 p->p_flag &= ~P_SUGID; 1193 PROC_UNLOCK(p); 1194 mtx_unlock(&Giant); 1195 return (0); 1196 case 1: 1197 mtx_lock(&Giant); 1198 PROC_LOCK(p); 1199 p->p_flag |= P_SUGID; 1200 PROC_UNLOCK(p); 1201 mtx_unlock(&Giant); 1202 return (0); 1203 default: 1204 return (EINVAL); 1205 } 1206#else /* !REGRESSION */ 1207 1208 return (ENOSYS); 1209#endif /* REGRESSION */ 1210} 1211 1212/* 1213 * Check if gid is a member of the group set. 1214 * 1215 * MPSAFE (cred must be held) 1216 */ 1217int 1218groupmember(gid_t gid, struct ucred *cred) 1219{ 1220 register gid_t *gp; 1221 gid_t *egp; 1222 1223 egp = &(cred->cr_groups[cred->cr_ngroups]); 1224 for (gp = cred->cr_groups; gp < egp; gp++) 1225 if (*gp == gid) 1226 return (1); 1227 return (0); 1228} 1229 1230/* 1231 * `suser_enabled' (which can be set by the security.suser_enabled 1232 * sysctl) determines whether the system 'super-user' policy is in effect. 1233 * If it is nonzero, an effective uid of 0 connotes special privilege, 1234 * overriding many mandatory and discretionary protections. If it is zero, 1235 * uid 0 is offered no special privilege in the kernel security policy. 1236 * Setting it to zero may seriously impact the functionality of many 1237 * existing userland programs, and should not be done without careful 1238 * consideration of the consequences. 1239 */ 1240int suser_enabled = 1; 1241SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, 1242 &suser_enabled, 0, "processes with uid 0 have privilege"); 1243TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); 1244 1245/* 1246 * Test whether the specified credentials imply "super-user" privilege. 1247 * Return 0 or EPERM. The flag argument is currently used only to 1248 * specify jail interaction. 1249 */ 1250int 1251suser_cred(struct ucred *cred, int flag) 1252{ 1253 1254 if (!suser_enabled) 1255 return (EPERM); 1256 if (cred->cr_uid != 0) 1257 return (EPERM); 1258 if (jailed(cred) && !(flag & PRISON_ROOT)) 1259 return (EPERM); 1260 return (0); 1261} 1262 1263/* 1264 * Shortcut to hide contents of struct td and struct proc from the 1265 * caller, promoting binary compatibility. 1266 */ 1267int 1268suser(struct thread *td) 1269{ 1270 1271 return (suser_cred(td->td_ucred, 0)); 1272} 1273 1274/* 1275 * Test the active securelevel against a given level. securelevel_gt() 1276 * implements (securelevel > level). securelevel_ge() implements 1277 * (securelevel >= level). Note that the logic is inverted -- these 1278 * functions return EPERM on "success" and 0 on "failure". 1279 * 1280 * MPSAFE 1281 */ 1282int 1283securelevel_gt(struct ucred *cr, int level) 1284{ 1285 int active_securelevel; 1286 1287 active_securelevel = securelevel; 1288 KASSERT(cr != NULL, ("securelevel_gt: null cr")); 1289 if (cr->cr_prison != NULL) { 1290 mtx_lock(&cr->cr_prison->pr_mtx); 1291 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1292 active_securelevel); 1293 mtx_unlock(&cr->cr_prison->pr_mtx); 1294 } 1295 return (active_securelevel > level ? EPERM : 0); 1296} 1297 1298int 1299securelevel_ge(struct ucred *cr, int level) 1300{ 1301 int active_securelevel; 1302 1303 active_securelevel = securelevel; 1304 KASSERT(cr != NULL, ("securelevel_ge: null cr")); 1305 if (cr->cr_prison != NULL) { 1306 mtx_lock(&cr->cr_prison->pr_mtx); 1307 active_securelevel = imax(cr->cr_prison->pr_securelevel, 1308 active_securelevel); 1309 mtx_unlock(&cr->cr_prison->pr_mtx); 1310 } 1311 return (active_securelevel >= level ? EPERM : 0); 1312} 1313 1314/* 1315 * 'see_other_uids' determines whether or not visibility of processes 1316 * and sockets with credentials holding different real uids is possible 1317 * using a variety of system MIBs. 1318 * XXX: data declarations should be together near the beginning of the file. 1319 */ 1320static int see_other_uids = 1; 1321SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1322 &see_other_uids, 0, 1323 "Unprivileged processes may see subjects/objects with different real uid"); 1324 1325/*- 1326 * Determine if u1 "can see" the subject specified by u2, according to the 1327 * 'see_other_uids' policy. 1328 * Returns: 0 for permitted, ESRCH otherwise 1329 * Locks: none 1330 * References: *u1 and *u2 must not change during the call 1331 * u1 may equal u2, in which case only one reference is required 1332 */ 1333static int 1334cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1335{ 1336 1337 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1338 if (suser_cred(u1, PRISON_ROOT) != 0) 1339 return (ESRCH); 1340 } 1341 return (0); 1342} 1343 1344/*- 1345 * Determine if u1 "can see" the subject specified by u2. 1346 * Returns: 0 for permitted, an errno value otherwise 1347 * Locks: none 1348 * References: *u1 and *u2 must not change during the call 1349 * u1 may equal u2, in which case only one reference is required 1350 */ 1351int 1352cr_cansee(struct ucred *u1, struct ucred *u2) 1353{ 1354 int error; 1355 1356 if ((error = prison_check(u1, u2))) 1357 return (error); 1358 if ((error = cr_seeotheruids(u1, u2))) 1359 return (error); 1360 return (0); 1361} 1362 1363/*- 1364 * Determine if td "can see" the subject specified by p. 1365 * Returns: 0 for permitted, an errno value otherwise 1366 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1367 * should be curthread. 1368 * References: td and p must be valid for the lifetime of the call 1369 */ 1370int 1371p_cansee(struct thread *td, struct proc *p) 1372{ 1373 1374 /* Wrap cr_cansee() for all functionality. */ 1375 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1376 PROC_LOCK_ASSERT(p, MA_OWNED); 1377 return (cr_cansee(td->td_ucred, p->p_ucred)); 1378} 1379 1380/*- 1381 * Determine whether cred may deliver the specified signal to proc. 1382 * Returns: 0 for permitted, an errno value otherwise. 1383 * Locks: A lock must be held for proc. 1384 * References: cred and proc must be valid for the lifetime of the call. 1385 */ 1386int 1387cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1388{ 1389 int error; 1390 1391 PROC_LOCK_ASSERT(proc, MA_OWNED); 1392 /* 1393 * Jail semantics limit the scope of signalling to proc in the 1394 * same jail as cred, if cred is in jail. 1395 */ 1396 error = prison_check(cred, proc->p_ucred); 1397 if (error) 1398 return (error); 1399 error = cr_seeotheruids(cred, proc->p_ucred); 1400 if (error) 1401 return (error); 1402 1403 /* 1404 * UNIX signal semantics depend on the status of the P_SUGID 1405 * bit on the target process. If the bit is set, then additional 1406 * restrictions are placed on the set of available signals. 1407 */ 1408 if (proc->p_flag & P_SUGID) { 1409 switch (signum) { 1410 case 0: 1411 case SIGKILL: 1412 case SIGINT: 1413 case SIGTERM: 1414 case SIGSTOP: 1415 case SIGTTIN: 1416 case SIGTTOU: 1417 case SIGTSTP: 1418 case SIGHUP: 1419 case SIGUSR1: 1420 case SIGUSR2: 1421 /* 1422 * Generally, permit job and terminal control 1423 * signals. 1424 */ 1425 break; 1426 default: 1427 /* Not permitted without privilege. */ 1428 error = suser_cred(cred, PRISON_ROOT); 1429 if (error) 1430 return (error); 1431 } 1432 } 1433 1434 /* 1435 * Generally, the target credential's ruid or svuid must match the 1436 * subject credential's ruid or euid. 1437 */ 1438 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1439 cred->cr_ruid != proc->p_ucred->cr_svuid && 1440 cred->cr_uid != proc->p_ucred->cr_ruid && 1441 cred->cr_uid != proc->p_ucred->cr_svuid) { 1442 /* Not permitted without privilege. */ 1443 error = suser_cred(cred, PRISON_ROOT); 1444 if (error) 1445 return (error); 1446 } 1447 1448 return (0); 1449} 1450 1451 1452/*- 1453 * Determine whether td may deliver the specified signal to p. 1454 * Returns: 0 for permitted, an errno value otherwise 1455 * Locks: Sufficient locks to protect various components of td and p 1456 * must be held. td must be curthread, and a lock must be 1457 * held for p. 1458 * References: td and p must be valid for the lifetime of the call 1459 */ 1460int 1461p_cansignal(struct thread *td, struct proc *p, int signum) 1462{ 1463 1464 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1465 PROC_LOCK_ASSERT(p, MA_OWNED); 1466 if (td->td_proc == p) 1467 return (0); 1468 1469 /* 1470 * UNIX signalling semantics require that processes in the same 1471 * session always be able to deliver SIGCONT to one another, 1472 * overriding the remaining protections. 1473 */ 1474 /* XXX: This will require an additional lock of some sort. */ 1475 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1476 return (0); 1477 1478 return (cr_cansignal(td->td_ucred, p, signum)); 1479} 1480 1481/*- 1482 * Determine whether td may reschedule p. 1483 * Returns: 0 for permitted, an errno value otherwise 1484 * Locks: Sufficient locks to protect various components of td and p 1485 * must be held. td must be curthread, and a lock must 1486 * be held for p. 1487 * References: td and p must be valid for the lifetime of the call 1488 */ 1489int 1490p_cansched(struct thread *td, struct proc *p) 1491{ 1492 int error; 1493 1494 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1495 PROC_LOCK_ASSERT(p, MA_OWNED); 1496 if (td->td_proc == p) 1497 return (0); 1498 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1499 return (error); 1500 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1501 return (error); 1502 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) 1503 return (0); 1504 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) 1505 return (0); 1506 if (suser_cred(td->td_ucred, PRISON_ROOT) == 0) 1507 return (0); 1508 1509#ifdef CAPABILITIES 1510 if (!cap_check(NULL, td, CAP_SYS_NICE, PRISON_ROOT)) 1511 return (0); 1512#endif 1513 1514 return (EPERM); 1515} 1516 1517/* 1518 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1519 * unprivileged inter-process debugging services, including some procfs 1520 * functionality, ptrace(), and ktrace(). In the past, inter-process 1521 * debugging has been involved in a variety of security problems, and sites 1522 * not requiring the service might choose to disable it when hardening 1523 * systems. 1524 * 1525 * XXX: Should modifying and reading this variable require locking? 1526 * XXX: data declarations should be together near the beginning of the file. 1527 */ 1528static int unprivileged_proc_debug = 1; 1529SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1530 &unprivileged_proc_debug, 0, 1531 "Unprivileged processes may use process debugging facilities"); 1532 1533/*- 1534 * Determine whether td may debug p. 1535 * Returns: 0 for permitted, an errno value otherwise 1536 * Locks: Sufficient locks to protect various components of td and p 1537 * must be held. td must be curthread, and a lock must 1538 * be held for p. 1539 * References: td and p must be valid for the lifetime of the call 1540 */ 1541int 1542p_candebug(struct thread *td, struct proc *p) 1543{ 1544 int credentialchanged, error, grpsubset, i, uidsubset; 1545 1546 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1547 PROC_LOCK_ASSERT(p, MA_OWNED); 1548 if (!unprivileged_proc_debug) { 1549 error = suser_cred(td->td_ucred, PRISON_ROOT); 1550 if (error) 1551 return (error); 1552 } 1553 if (td->td_proc == p) 1554 return (0); 1555 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1556 return (error); 1557 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1558 return (error); 1559 1560 /* 1561 * Is p's group set a subset of td's effective group set? This 1562 * includes p's egid, group access list, rgid, and svgid. 1563 */ 1564 grpsubset = 1; 1565 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1566 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1567 grpsubset = 0; 1568 break; 1569 } 1570 } 1571 grpsubset = grpsubset && 1572 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1573 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1574 1575 /* 1576 * Are the uids present in p's credential equal to td's 1577 * effective uid? This includes p's euid, svuid, and ruid. 1578 */ 1579 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1580 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1581 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1582 1583 /* 1584 * Has the credential of the process changed since the last exec()? 1585 */ 1586 credentialchanged = (p->p_flag & P_SUGID); 1587 1588 /* 1589 * If p's gids aren't a subset, or the uids aren't a subset, 1590 * or the credential has changed, require appropriate privilege 1591 * for td to debug p. For POSIX.1e capabilities, this will 1592 * require CAP_SYS_PTRACE. 1593 */ 1594 if (!grpsubset || !uidsubset || credentialchanged) { 1595 error = suser_cred(td->td_ucred, PRISON_ROOT); 1596 if (error) 1597 return (error); 1598 } 1599 1600 /* Can't trace init when securelevel > 0. */ 1601 if (p == initproc) { 1602 error = securelevel_gt(td->td_ucred, 0); 1603 if (error) 1604 return (error); 1605 } 1606 1607 /* 1608 * Can't trace a process that's currently exec'ing. 1609 * XXX: Note, this is not a security policy decision, it's a 1610 * basic correctness/functionality decision. Therefore, this check 1611 * should be moved to the caller's of p_candebug(). 1612 */ 1613 if ((p->p_flag & P_INEXEC) != 0) 1614 return (EAGAIN); 1615 1616 return (0); 1617} 1618 1619/*- 1620 * Determine whether the subject represented by cred can "see" a socket. 1621 * Returns: 0 for permitted, ENOENT otherwise. 1622 */ 1623int 1624cr_canseesocket(struct ucred *cred, struct socket *so) 1625{ 1626 int error; 1627 1628 error = prison_check(cred, so->so_cred); 1629 if (error) 1630 return (ENOENT); 1631 if (cr_seeotheruids(cred, so->so_cred)) 1632 return (ENOENT); 1633#ifdef MAC 1634 /* XXX: error = mac_cred_check_seesocket() here. */ 1635#endif 1636 1637 return (0); 1638} 1639 1640/* 1641 * Allocate a zeroed cred structure. 1642 */ 1643struct ucred * 1644crget(void) 1645{ 1646 register struct ucred *cr; 1647 1648 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1649 cr->cr_ref = 1; 1650 cr->cr_mtxp = mtx_pool_find(cr); 1651 return (cr); 1652} 1653 1654/* 1655 * Claim another reference to a ucred structure. 1656 */ 1657struct ucred * 1658crhold(struct ucred *cr) 1659{ 1660 1661 mtx_lock(cr->cr_mtxp); 1662 cr->cr_ref++; 1663 mtx_unlock(cr->cr_mtxp); 1664 return (cr); 1665} 1666 1667/* 1668 * Free a cred structure. 1669 * Throws away space when ref count gets to 0. 1670 */ 1671void 1672crfree(struct ucred *cr) 1673{ 1674 struct mtx *mtxp = cr->cr_mtxp; 1675 1676 mtx_lock(mtxp); 1677 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1678 if (--cr->cr_ref == 0) { 1679 /* 1680 * Some callers of crget(), such as nfs_statfs(), 1681 * allocate a temporary credential, but don't 1682 * allocate a uidinfo structure. 1683 */ 1684 mtx_unlock(mtxp); 1685 mtx_lock(&Giant); 1686 if (cr->cr_uidinfo != NULL) 1687 uifree(cr->cr_uidinfo); 1688 if (cr->cr_ruidinfo != NULL) 1689 uifree(cr->cr_ruidinfo); 1690 /* 1691 * Free a prison, if any. 1692 */ 1693 if (jailed(cr)) 1694 prison_free(cr->cr_prison); 1695 FREE((caddr_t)cr, M_CRED); 1696 mtx_unlock(&Giant); 1697 } else { 1698 mtx_unlock(mtxp); 1699 } 1700} 1701 1702/* 1703 * Check to see if this ucred is shared. 1704 */ 1705int 1706crshared(struct ucred *cr) 1707{ 1708 int shared; 1709 1710 mtx_lock(cr->cr_mtxp); 1711 shared = (cr->cr_ref > 1); 1712 mtx_unlock(cr->cr_mtxp); 1713 return (shared); 1714} 1715 1716/* 1717 * Copy a ucred's contents from a template. Does not block. 1718 */ 1719void 1720crcopy(struct ucred *dest, struct ucred *src) 1721{ 1722 1723 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1724 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1725 (unsigned)((caddr_t)&src->cr_endcopy - 1726 (caddr_t)&src->cr_startcopy)); 1727 uihold(dest->cr_uidinfo); 1728 uihold(dest->cr_ruidinfo); 1729 if (jailed(dest)) 1730 prison_hold(dest->cr_prison); 1731} 1732 1733/* 1734 * Dup cred struct to a new held one. 1735 */ 1736struct ucred * 1737crdup(struct ucred *cr) 1738{ 1739 struct ucred *newcr; 1740 1741 newcr = crget(); 1742 crcopy(newcr, cr); 1743 return (newcr); 1744} 1745 1746#ifdef DIAGNOSTIC 1747void 1748cred_free_thread(struct thread *td) 1749{ 1750 struct ucred *cred; 1751 1752 cred = td->td_ucred; 1753 td->td_ucred = NULL; 1754 if (cred != NULL) 1755 crfree(cred); 1756} 1757#endif 1758 1759/* 1760 * Fill in a struct xucred based on a struct ucred. 1761 */ 1762void 1763cru2x(struct ucred *cr, struct xucred *xcr) 1764{ 1765 1766 bzero(xcr, sizeof(*xcr)); 1767 xcr->cr_version = XUCRED_VERSION; 1768 xcr->cr_uid = cr->cr_uid; 1769 xcr->cr_ngroups = cr->cr_ngroups; 1770 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1771} 1772 1773/* 1774 * small routine to swap a thread's current ucred for the correct one 1775 * taken from the process. 1776 */ 1777void 1778cred_update_thread(struct thread *td) 1779{ 1780 struct proc *p; 1781 struct ucred *cred; 1782 1783 p = td->td_proc; 1784 cred = td->td_ucred; 1785 mtx_lock(&Giant); 1786 PROC_LOCK(p); 1787 td->td_ucred = crhold(p->p_ucred); 1788 PROC_UNLOCK(p); 1789 if (cred != NULL) 1790 crfree(cred); 1791 mtx_unlock(&Giant); 1792} 1793 1794/* 1795 * Get login name, if available. 1796 */ 1797#ifndef _SYS_SYSPROTO_H_ 1798struct getlogin_args { 1799 char *namebuf; 1800 u_int namelen; 1801}; 1802#endif 1803/* 1804 * MPSAFE 1805 */ 1806/* ARGSUSED */ 1807int 1808getlogin(struct thread *td, struct getlogin_args *uap) 1809{ 1810 int error; 1811 char login[MAXLOGNAME]; 1812 struct proc *p = td->td_proc; 1813 1814 if (uap->namelen > MAXLOGNAME) 1815 uap->namelen = MAXLOGNAME; 1816 PROC_LOCK(p); 1817 SESS_LOCK(p->p_session); 1818 bcopy(p->p_session->s_login, login, uap->namelen); 1819 SESS_UNLOCK(p->p_session); 1820 PROC_UNLOCK(p); 1821 error = copyout((caddr_t) login, (caddr_t) uap->namebuf, uap->namelen); 1822 return(error); 1823} 1824 1825/* 1826 * Set login name. 1827 */ 1828#ifndef _SYS_SYSPROTO_H_ 1829struct setlogin_args { 1830 char *namebuf; 1831}; 1832#endif 1833/* 1834 * MPSAFE 1835 */ 1836/* ARGSUSED */ 1837int 1838setlogin(struct thread *td, struct setlogin_args *uap) 1839{ 1840 struct proc *p = td->td_proc; 1841 int error; 1842 char logintmp[MAXLOGNAME]; 1843 1844 error = suser_cred(td->td_ucred, PRISON_ROOT); 1845 if (error) 1846 return (error); 1847 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1848 sizeof(logintmp), (size_t *)0); 1849 if (error == ENAMETOOLONG) 1850 error = EINVAL; 1851 else if (!error) { 1852 PROC_LOCK(p); 1853 SESS_LOCK(p->p_session); 1854 (void) memcpy(p->p_session->s_login, logintmp, 1855 sizeof(logintmp)); 1856 SESS_UNLOCK(p->p_session); 1857 PROC_UNLOCK(p); 1858 } 1859 return (error); 1860} 1861 1862void 1863setsugid(struct proc *p) 1864{ 1865 1866 PROC_LOCK_ASSERT(p, MA_OWNED); 1867 p->p_flag |= P_SUGID; 1868 if (!(p->p_pfsflags & PF_ISUGID)) 1869 p->p_stops = 0; 1870} 1871 1872/*- 1873 * Change a process's effective uid. 1874 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1875 * References: newcred must be an exclusive credential reference for the 1876 * duration of the call. 1877 */ 1878void 1879change_euid(struct ucred *newcred, uid_t euid) 1880{ 1881 1882 newcred->cr_uid = euid; 1883 uifree(newcred->cr_uidinfo); 1884 newcred->cr_uidinfo = uifind(euid); 1885} 1886 1887/*- 1888 * Change a process's effective gid. 1889 * Side effects: newcred->cr_gid will be modified. 1890 * References: newcred must be an exclusive credential reference for the 1891 * duration of the call. 1892 */ 1893void 1894change_egid(struct ucred *newcred, gid_t egid) 1895{ 1896 1897 newcred->cr_groups[0] = egid; 1898} 1899 1900/*- 1901 * Change a process's real uid. 1902 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1903 * will be updated, and the old and new cr_ruidinfo proc 1904 * counts will be updated. 1905 * References: newcred must be an exclusive credential reference for the 1906 * duration of the call. 1907 */ 1908void 1909change_ruid(struct ucred *newcred, uid_t ruid) 1910{ 1911 1912 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1913 newcred->cr_ruid = ruid; 1914 uifree(newcred->cr_ruidinfo); 1915 newcred->cr_ruidinfo = uifind(ruid); 1916 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1917} 1918 1919/*- 1920 * Change a process's real gid. 1921 * Side effects: newcred->cr_rgid will be updated. 1922 * References: newcred must be an exclusive credential reference for the 1923 * duration of the call. 1924 */ 1925void 1926change_rgid(struct ucred *newcred, gid_t rgid) 1927{ 1928 1929 newcred->cr_rgid = rgid; 1930} 1931 1932/*- 1933 * Change a process's saved uid. 1934 * Side effects: newcred->cr_svuid will be updated. 1935 * References: newcred must be an exclusive credential reference for the 1936 * duration of the call. 1937 */ 1938void 1939change_svuid(struct ucred *newcred, uid_t svuid) 1940{ 1941 1942 newcred->cr_svuid = svuid; 1943} 1944 1945/*- 1946 * Change a process's saved gid. 1947 * Side effects: newcred->cr_svgid will be updated. 1948 * References: newcred must be an exclusive credential reference for the 1949 * duration of the call. 1950 */ 1951void 1952change_svgid(struct ucred *newcred, gid_t svgid) 1953{ 1954 1955 newcred->cr_svgid = svgid; 1956} 1957