kern_prot.c revision 202143
1/*- 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. 4 * (c) UNIX System Laboratories, Inc. 5 * Copyright (c) 2000-2001 Robert N. M. Watson. 6 * All rights reserved. 7 * 8 * All or some portions of this file are derived from material licensed 9 * to the University of California by American Telephone and Telegraph 10 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 11 * the permission of UNIX System Laboratories, Inc. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 4. Neither the name of the University nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 38 */ 39 40/* 41 * System calls related to processes and protection 42 */ 43 44#include <sys/cdefs.h> 45__FBSDID("$FreeBSD: head/sys/kern/kern_prot.c 202143 2010-01-12 07:49:34Z brooks $"); 46 47#include "opt_compat.h" 48#include "opt_inet.h" 49#include "opt_inet6.h" 50 51#include <sys/param.h> 52#include <sys/systm.h> 53#include <sys/acct.h> 54#include <sys/kdb.h> 55#include <sys/kernel.h> 56#include <sys/lock.h> 57#include <sys/malloc.h> 58#include <sys/mutex.h> 59#include <sys/refcount.h> 60#include <sys/sx.h> 61#include <sys/priv.h> 62#include <sys/proc.h> 63#include <sys/sysproto.h> 64#include <sys/jail.h> 65#include <sys/pioctl.h> 66#include <sys/resourcevar.h> 67#include <sys/socket.h> 68#include <sys/socketvar.h> 69#include <sys/syscallsubr.h> 70#include <sys/sysctl.h> 71 72#if defined(INET) || defined(INET6) 73#include <netinet/in.h> 74#include <netinet/in_pcb.h> 75#endif 76 77#include <security/audit/audit.h> 78#include <security/mac/mac_framework.h> 79 80static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 81 82SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); 83 84static void crextend(struct ucred *cr, int n); 85static void crsetgroups_locked(struct ucred *cr, int ngrp, 86 gid_t *groups); 87 88#ifndef _SYS_SYSPROTO_H_ 89struct getpid_args { 90 int dummy; 91}; 92#endif 93/* ARGSUSED */ 94int 95getpid(struct thread *td, struct getpid_args *uap) 96{ 97 struct proc *p = td->td_proc; 98 99 td->td_retval[0] = p->p_pid; 100#if defined(COMPAT_43) 101 PROC_LOCK(p); 102 td->td_retval[1] = p->p_pptr->p_pid; 103 PROC_UNLOCK(p); 104#endif 105 return (0); 106} 107 108#ifndef _SYS_SYSPROTO_H_ 109struct getppid_args { 110 int dummy; 111}; 112#endif 113/* ARGSUSED */ 114int 115getppid(struct thread *td, struct getppid_args *uap) 116{ 117 struct proc *p = td->td_proc; 118 119 PROC_LOCK(p); 120 td->td_retval[0] = p->p_pptr->p_pid; 121 PROC_UNLOCK(p); 122 return (0); 123} 124 125/* 126 * Get process group ID; note that POSIX getpgrp takes no parameter. 127 */ 128#ifndef _SYS_SYSPROTO_H_ 129struct getpgrp_args { 130 int dummy; 131}; 132#endif 133int 134getpgrp(struct thread *td, struct getpgrp_args *uap) 135{ 136 struct proc *p = td->td_proc; 137 138 PROC_LOCK(p); 139 td->td_retval[0] = p->p_pgrp->pg_id; 140 PROC_UNLOCK(p); 141 return (0); 142} 143 144/* Get an arbitary pid's process group id */ 145#ifndef _SYS_SYSPROTO_H_ 146struct getpgid_args { 147 pid_t pid; 148}; 149#endif 150int 151getpgid(struct thread *td, struct getpgid_args *uap) 152{ 153 struct proc *p; 154 int error; 155 156 if (uap->pid == 0) { 157 p = td->td_proc; 158 PROC_LOCK(p); 159 } else { 160 p = pfind(uap->pid); 161 if (p == NULL) 162 return (ESRCH); 163 error = p_cansee(td, p); 164 if (error) { 165 PROC_UNLOCK(p); 166 return (error); 167 } 168 } 169 td->td_retval[0] = p->p_pgrp->pg_id; 170 PROC_UNLOCK(p); 171 return (0); 172} 173 174/* 175 * Get an arbitary pid's session id. 176 */ 177#ifndef _SYS_SYSPROTO_H_ 178struct getsid_args { 179 pid_t pid; 180}; 181#endif 182int 183getsid(struct thread *td, struct getsid_args *uap) 184{ 185 struct proc *p; 186 int error; 187 188 if (uap->pid == 0) { 189 p = td->td_proc; 190 PROC_LOCK(p); 191 } else { 192 p = pfind(uap->pid); 193 if (p == NULL) 194 return (ESRCH); 195 error = p_cansee(td, p); 196 if (error) { 197 PROC_UNLOCK(p); 198 return (error); 199 } 200 } 201 td->td_retval[0] = p->p_session->s_sid; 202 PROC_UNLOCK(p); 203 return (0); 204} 205 206#ifndef _SYS_SYSPROTO_H_ 207struct getuid_args { 208 int dummy; 209}; 210#endif 211/* ARGSUSED */ 212int 213getuid(struct thread *td, struct getuid_args *uap) 214{ 215 216 td->td_retval[0] = td->td_ucred->cr_ruid; 217#if defined(COMPAT_43) 218 td->td_retval[1] = td->td_ucred->cr_uid; 219#endif 220 return (0); 221} 222 223#ifndef _SYS_SYSPROTO_H_ 224struct geteuid_args { 225 int dummy; 226}; 227#endif 228/* ARGSUSED */ 229int 230geteuid(struct thread *td, struct geteuid_args *uap) 231{ 232 233 td->td_retval[0] = td->td_ucred->cr_uid; 234 return (0); 235} 236 237#ifndef _SYS_SYSPROTO_H_ 238struct getgid_args { 239 int dummy; 240}; 241#endif 242/* ARGSUSED */ 243int 244getgid(struct thread *td, struct getgid_args *uap) 245{ 246 247 td->td_retval[0] = td->td_ucred->cr_rgid; 248#if defined(COMPAT_43) 249 td->td_retval[1] = td->td_ucred->cr_groups[0]; 250#endif 251 return (0); 252} 253 254/* 255 * Get effective group ID. The "egid" is groups[0], and could be obtained 256 * via getgroups. This syscall exists because it is somewhat painful to do 257 * correctly in a library function. 258 */ 259#ifndef _SYS_SYSPROTO_H_ 260struct getegid_args { 261 int dummy; 262}; 263#endif 264/* ARGSUSED */ 265int 266getegid(struct thread *td, struct getegid_args *uap) 267{ 268 269 td->td_retval[0] = td->td_ucred->cr_groups[0]; 270 return (0); 271} 272 273#ifndef _SYS_SYSPROTO_H_ 274struct getgroups_args { 275 u_int gidsetsize; 276 gid_t *gidset; 277}; 278#endif 279int 280getgroups(struct thread *td, register struct getgroups_args *uap) 281{ 282 gid_t *groups; 283 u_int ngrp; 284 int error; 285 286 ngrp = MIN(uap->gidsetsize, ngroups_max + 1); 287 groups = malloc(ngrp * sizeof(*groups), M_TEMP, M_WAITOK); 288 error = kern_getgroups(td, &ngrp, groups); 289 if (error) 290 goto out; 291 if (uap->gidsetsize > 0) 292 error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); 293 if (error == 0) 294 td->td_retval[0] = ngrp; 295out: 296 free(groups, M_TEMP); 297 return (error); 298} 299 300int 301kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) 302{ 303 struct ucred *cred; 304 305 cred = td->td_ucred; 306 if (*ngrp == 0) { 307 *ngrp = cred->cr_ngroups; 308 return (0); 309 } 310 if (*ngrp < cred->cr_ngroups) 311 return (EINVAL); 312 *ngrp = cred->cr_ngroups; 313 bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); 314 return (0); 315} 316 317#ifndef _SYS_SYSPROTO_H_ 318struct setsid_args { 319 int dummy; 320}; 321#endif 322/* ARGSUSED */ 323int 324setsid(register struct thread *td, struct setsid_args *uap) 325{ 326 struct pgrp *pgrp; 327 int error; 328 struct proc *p = td->td_proc; 329 struct pgrp *newpgrp; 330 struct session *newsess; 331 332 error = 0; 333 pgrp = NULL; 334 335 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 336 newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); 337 338 sx_xlock(&proctree_lock); 339 340 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { 341 if (pgrp != NULL) 342 PGRP_UNLOCK(pgrp); 343 error = EPERM; 344 } else { 345 (void)enterpgrp(p, p->p_pid, newpgrp, newsess); 346 td->td_retval[0] = p->p_pid; 347 newpgrp = NULL; 348 newsess = NULL; 349 } 350 351 sx_xunlock(&proctree_lock); 352 353 if (newpgrp != NULL) 354 free(newpgrp, M_PGRP); 355 if (newsess != NULL) 356 free(newsess, M_SESSION); 357 358 return (error); 359} 360 361/* 362 * set process group (setpgid/old setpgrp) 363 * 364 * caller does setpgid(targpid, targpgid) 365 * 366 * pid must be caller or child of caller (ESRCH) 367 * if a child 368 * pid must be in same session (EPERM) 369 * pid can't have done an exec (EACCES) 370 * if pgid != pid 371 * there must exist some pid in same session having pgid (EPERM) 372 * pid must not be session leader (EPERM) 373 */ 374#ifndef _SYS_SYSPROTO_H_ 375struct setpgid_args { 376 int pid; /* target process id */ 377 int pgid; /* target pgrp id */ 378}; 379#endif 380/* ARGSUSED */ 381int 382setpgid(struct thread *td, register struct setpgid_args *uap) 383{ 384 struct proc *curp = td->td_proc; 385 register struct proc *targp; /* target process */ 386 register struct pgrp *pgrp; /* target pgrp */ 387 int error; 388 struct pgrp *newpgrp; 389 390 if (uap->pgid < 0) 391 return (EINVAL); 392 393 error = 0; 394 395 newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); 396 397 sx_xlock(&proctree_lock); 398 if (uap->pid != 0 && uap->pid != curp->p_pid) { 399 if ((targp = pfind(uap->pid)) == NULL) { 400 error = ESRCH; 401 goto done; 402 } 403 if (!inferior(targp)) { 404 PROC_UNLOCK(targp); 405 error = ESRCH; 406 goto done; 407 } 408 if ((error = p_cansee(td, targp))) { 409 PROC_UNLOCK(targp); 410 goto done; 411 } 412 if (targp->p_pgrp == NULL || 413 targp->p_session != curp->p_session) { 414 PROC_UNLOCK(targp); 415 error = EPERM; 416 goto done; 417 } 418 if (targp->p_flag & P_EXEC) { 419 PROC_UNLOCK(targp); 420 error = EACCES; 421 goto done; 422 } 423 PROC_UNLOCK(targp); 424 } else 425 targp = curp; 426 if (SESS_LEADER(targp)) { 427 error = EPERM; 428 goto done; 429 } 430 if (uap->pgid == 0) 431 uap->pgid = targp->p_pid; 432 if ((pgrp = pgfind(uap->pgid)) == NULL) { 433 if (uap->pgid == targp->p_pid) { 434 error = enterpgrp(targp, uap->pgid, newpgrp, 435 NULL); 436 if (error == 0) 437 newpgrp = NULL; 438 } else 439 error = EPERM; 440 } else { 441 if (pgrp == targp->p_pgrp) { 442 PGRP_UNLOCK(pgrp); 443 goto done; 444 } 445 if (pgrp->pg_id != targp->p_pid && 446 pgrp->pg_session != curp->p_session) { 447 PGRP_UNLOCK(pgrp); 448 error = EPERM; 449 goto done; 450 } 451 PGRP_UNLOCK(pgrp); 452 error = enterthispgrp(targp, pgrp); 453 } 454done: 455 sx_xunlock(&proctree_lock); 456 KASSERT((error == 0) || (newpgrp != NULL), 457 ("setpgid failed and newpgrp is NULL")); 458 if (newpgrp != NULL) 459 free(newpgrp, M_PGRP); 460 return (error); 461} 462 463/* 464 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 465 * compatible. It says that setting the uid/gid to euid/egid is a special 466 * case of "appropriate privilege". Once the rules are expanded out, this 467 * basically means that setuid(nnn) sets all three id's, in all permitted 468 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 469 * does not set the saved id - this is dangerous for traditional BSD 470 * programs. For this reason, we *really* do not want to set 471 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 472 */ 473#define POSIX_APPENDIX_B_4_2_2 474 475#ifndef _SYS_SYSPROTO_H_ 476struct setuid_args { 477 uid_t uid; 478}; 479#endif 480/* ARGSUSED */ 481int 482setuid(struct thread *td, struct setuid_args *uap) 483{ 484 struct proc *p = td->td_proc; 485 struct ucred *newcred, *oldcred; 486 uid_t uid; 487 struct uidinfo *uip; 488 int error; 489 490 uid = uap->uid; 491 AUDIT_ARG_UID(uid); 492 newcred = crget(); 493 uip = uifind(uid); 494 PROC_LOCK(p); 495 /* 496 * Copy credentials so other references do not see our changes. 497 */ 498 oldcred = crcopysafe(p, newcred); 499 500#ifdef MAC 501 error = mac_cred_check_setuid(oldcred, uid); 502 if (error) 503 goto fail; 504#endif 505 506 /* 507 * See if we have "permission" by POSIX 1003.1 rules. 508 * 509 * Note that setuid(geteuid()) is a special case of 510 * "appropriate privileges" in appendix B.4.2.2. We need 511 * to use this clause to be compatible with traditional BSD 512 * semantics. Basically, it means that "setuid(xx)" sets all 513 * three id's (assuming you have privs). 514 * 515 * Notes on the logic. We do things in three steps. 516 * 1: We determine if the euid is going to change, and do EPERM 517 * right away. We unconditionally change the euid later if this 518 * test is satisfied, simplifying that part of the logic. 519 * 2: We determine if the real and/or saved uids are going to 520 * change. Determined by compile options. 521 * 3: Change euid last. (after tests in #2 for "appropriate privs") 522 */ 523 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 524#ifdef _POSIX_SAVED_IDS 525 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 526#endif 527#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 528 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 529#endif 530 (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) 531 goto fail; 532 533#ifdef _POSIX_SAVED_IDS 534 /* 535 * Do we have "appropriate privileges" (are we root or uid == euid) 536 * If so, we are changing the real uid and/or saved uid. 537 */ 538 if ( 539#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 540 uid == oldcred->cr_uid || 541#endif 542 /* We are using privs. */ 543 priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) 544#endif 545 { 546 /* 547 * Set the real uid and transfer proc count to new user. 548 */ 549 if (uid != oldcred->cr_ruid) { 550 change_ruid(newcred, uip); 551 setsugid(p); 552 } 553 /* 554 * Set saved uid 555 * 556 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 557 * the security of seteuid() depends on it. B.4.2.2 says it 558 * is important that we should do this. 559 */ 560 if (uid != oldcred->cr_svuid) { 561 change_svuid(newcred, uid); 562 setsugid(p); 563 } 564 } 565 566 /* 567 * In all permitted cases, we are changing the euid. 568 */ 569 if (uid != oldcred->cr_uid) { 570 change_euid(newcred, uip); 571 setsugid(p); 572 } 573 p->p_ucred = newcred; 574 PROC_UNLOCK(p); 575 uifree(uip); 576 crfree(oldcred); 577 return (0); 578 579fail: 580 PROC_UNLOCK(p); 581 uifree(uip); 582 crfree(newcred); 583 return (error); 584} 585 586#ifndef _SYS_SYSPROTO_H_ 587struct seteuid_args { 588 uid_t euid; 589}; 590#endif 591/* ARGSUSED */ 592int 593seteuid(struct thread *td, struct seteuid_args *uap) 594{ 595 struct proc *p = td->td_proc; 596 struct ucred *newcred, *oldcred; 597 uid_t euid; 598 struct uidinfo *euip; 599 int error; 600 601 euid = uap->euid; 602 AUDIT_ARG_EUID(euid); 603 newcred = crget(); 604 euip = uifind(euid); 605 PROC_LOCK(p); 606 /* 607 * Copy credentials so other references do not see our changes. 608 */ 609 oldcred = crcopysafe(p, newcred); 610 611#ifdef MAC 612 error = mac_cred_check_seteuid(oldcred, euid); 613 if (error) 614 goto fail; 615#endif 616 617 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 618 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 619 (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) 620 goto fail; 621 622 /* 623 * Everything's okay, do it. 624 */ 625 if (oldcred->cr_uid != euid) { 626 change_euid(newcred, euip); 627 setsugid(p); 628 } 629 p->p_ucred = newcred; 630 PROC_UNLOCK(p); 631 uifree(euip); 632 crfree(oldcred); 633 return (0); 634 635fail: 636 PROC_UNLOCK(p); 637 uifree(euip); 638 crfree(newcred); 639 return (error); 640} 641 642#ifndef _SYS_SYSPROTO_H_ 643struct setgid_args { 644 gid_t gid; 645}; 646#endif 647/* ARGSUSED */ 648int 649setgid(struct thread *td, struct setgid_args *uap) 650{ 651 struct proc *p = td->td_proc; 652 struct ucred *newcred, *oldcred; 653 gid_t gid; 654 int error; 655 656 gid = uap->gid; 657 AUDIT_ARG_GID(gid); 658 newcred = crget(); 659 PROC_LOCK(p); 660 oldcred = crcopysafe(p, newcred); 661 662#ifdef MAC 663 error = mac_cred_check_setgid(oldcred, gid); 664 if (error) 665 goto fail; 666#endif 667 668 /* 669 * See if we have "permission" by POSIX 1003.1 rules. 670 * 671 * Note that setgid(getegid()) is a special case of 672 * "appropriate privileges" in appendix B.4.2.2. We need 673 * to use this clause to be compatible with traditional BSD 674 * semantics. Basically, it means that "setgid(xx)" sets all 675 * three id's (assuming you have privs). 676 * 677 * For notes on the logic here, see setuid() above. 678 */ 679 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 680#ifdef _POSIX_SAVED_IDS 681 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 682#endif 683#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 684 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 685#endif 686 (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) 687 goto fail; 688 689#ifdef _POSIX_SAVED_IDS 690 /* 691 * Do we have "appropriate privileges" (are we root or gid == egid) 692 * If so, we are changing the real uid and saved gid. 693 */ 694 if ( 695#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 696 gid == oldcred->cr_groups[0] || 697#endif 698 /* We are using privs. */ 699 priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) 700#endif 701 { 702 /* 703 * Set real gid 704 */ 705 if (oldcred->cr_rgid != gid) { 706 change_rgid(newcred, gid); 707 setsugid(p); 708 } 709 /* 710 * Set saved gid 711 * 712 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 713 * the security of setegid() depends on it. B.4.2.2 says it 714 * is important that we should do this. 715 */ 716 if (oldcred->cr_svgid != gid) { 717 change_svgid(newcred, gid); 718 setsugid(p); 719 } 720 } 721 /* 722 * In all cases permitted cases, we are changing the egid. 723 * Copy credentials so other references do not see our changes. 724 */ 725 if (oldcred->cr_groups[0] != gid) { 726 change_egid(newcred, gid); 727 setsugid(p); 728 } 729 p->p_ucred = newcred; 730 PROC_UNLOCK(p); 731 crfree(oldcred); 732 return (0); 733 734fail: 735 PROC_UNLOCK(p); 736 crfree(newcred); 737 return (error); 738} 739 740#ifndef _SYS_SYSPROTO_H_ 741struct setegid_args { 742 gid_t egid; 743}; 744#endif 745/* ARGSUSED */ 746int 747setegid(struct thread *td, struct setegid_args *uap) 748{ 749 struct proc *p = td->td_proc; 750 struct ucred *newcred, *oldcred; 751 gid_t egid; 752 int error; 753 754 egid = uap->egid; 755 AUDIT_ARG_EGID(egid); 756 newcred = crget(); 757 PROC_LOCK(p); 758 oldcred = crcopysafe(p, newcred); 759 760#ifdef MAC 761 error = mac_cred_check_setegid(oldcred, egid); 762 if (error) 763 goto fail; 764#endif 765 766 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 767 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 768 (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) 769 goto fail; 770 771 if (oldcred->cr_groups[0] != egid) { 772 change_egid(newcred, egid); 773 setsugid(p); 774 } 775 p->p_ucred = newcred; 776 PROC_UNLOCK(p); 777 crfree(oldcred); 778 return (0); 779 780fail: 781 PROC_UNLOCK(p); 782 crfree(newcred); 783 return (error); 784} 785 786#ifndef _SYS_SYSPROTO_H_ 787struct setgroups_args { 788 u_int gidsetsize; 789 gid_t *gidset; 790}; 791#endif 792/* ARGSUSED */ 793int 794setgroups(struct thread *td, struct setgroups_args *uap) 795{ 796 gid_t *groups = NULL; 797 int error; 798 799 if (uap->gidsetsize > ngroups_max + 1) 800 return (EINVAL); 801 groups = malloc(uap->gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); 802 error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); 803 if (error) 804 goto out; 805 error = kern_setgroups(td, uap->gidsetsize, groups); 806out: 807 free(groups, M_TEMP); 808 return (error); 809} 810 811int 812kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) 813{ 814 struct proc *p = td->td_proc; 815 struct ucred *newcred, *oldcred; 816 int error; 817 818 if (ngrp > ngroups_max + 1) 819 return (EINVAL); 820 AUDIT_ARG_GROUPSET(groups, ngrp); 821 newcred = crget(); 822 crextend(newcred, ngrp); 823 PROC_LOCK(p); 824 oldcred = crcopysafe(p, newcred); 825 826#ifdef MAC 827 error = mac_cred_check_setgroups(oldcred, ngrp, groups); 828 if (error) 829 goto fail; 830#endif 831 832 error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); 833 if (error) 834 goto fail; 835 836 if (ngrp < 1) { 837 /* 838 * setgroups(0, NULL) is a legitimate way of clearing the 839 * groups vector on non-BSD systems (which generally do not 840 * have the egid in the groups[0]). We risk security holes 841 * when running non-BSD software if we do not do the same. 842 */ 843 newcred->cr_ngroups = 1; 844 } else { 845 crsetgroups_locked(newcred, ngrp, groups); 846 } 847 setsugid(p); 848 p->p_ucred = newcred; 849 PROC_UNLOCK(p); 850 crfree(oldcred); 851 return (0); 852 853fail: 854 PROC_UNLOCK(p); 855 crfree(newcred); 856 return (error); 857} 858 859#ifndef _SYS_SYSPROTO_H_ 860struct setreuid_args { 861 uid_t ruid; 862 uid_t euid; 863}; 864#endif 865/* ARGSUSED */ 866int 867setreuid(register struct thread *td, struct setreuid_args *uap) 868{ 869 struct proc *p = td->td_proc; 870 struct ucred *newcred, *oldcred; 871 uid_t euid, ruid; 872 struct uidinfo *euip, *ruip; 873 int error; 874 875 euid = uap->euid; 876 ruid = uap->ruid; 877 AUDIT_ARG_EUID(euid); 878 AUDIT_ARG_RUID(ruid); 879 newcred = crget(); 880 euip = uifind(euid); 881 ruip = uifind(ruid); 882 PROC_LOCK(p); 883 oldcred = crcopysafe(p, newcred); 884 885#ifdef MAC 886 error = mac_cred_check_setreuid(oldcred, ruid, euid); 887 if (error) 888 goto fail; 889#endif 890 891 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 892 ruid != oldcred->cr_svuid) || 893 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 894 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 895 (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) 896 goto fail; 897 898 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 899 change_euid(newcred, euip); 900 setsugid(p); 901 } 902 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 903 change_ruid(newcred, ruip); 904 setsugid(p); 905 } 906 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 907 newcred->cr_svuid != newcred->cr_uid) { 908 change_svuid(newcred, newcred->cr_uid); 909 setsugid(p); 910 } 911 p->p_ucred = newcred; 912 PROC_UNLOCK(p); 913 uifree(ruip); 914 uifree(euip); 915 crfree(oldcred); 916 return (0); 917 918fail: 919 PROC_UNLOCK(p); 920 uifree(ruip); 921 uifree(euip); 922 crfree(newcred); 923 return (error); 924} 925 926#ifndef _SYS_SYSPROTO_H_ 927struct setregid_args { 928 gid_t rgid; 929 gid_t egid; 930}; 931#endif 932/* ARGSUSED */ 933int 934setregid(register struct thread *td, struct setregid_args *uap) 935{ 936 struct proc *p = td->td_proc; 937 struct ucred *newcred, *oldcred; 938 gid_t egid, rgid; 939 int error; 940 941 egid = uap->egid; 942 rgid = uap->rgid; 943 AUDIT_ARG_EGID(egid); 944 AUDIT_ARG_RGID(rgid); 945 newcred = crget(); 946 PROC_LOCK(p); 947 oldcred = crcopysafe(p, newcred); 948 949#ifdef MAC 950 error = mac_cred_check_setregid(oldcred, rgid, egid); 951 if (error) 952 goto fail; 953#endif 954 955 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 956 rgid != oldcred->cr_svgid) || 957 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 958 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 959 (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) 960 goto fail; 961 962 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 963 change_egid(newcred, egid); 964 setsugid(p); 965 } 966 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 967 change_rgid(newcred, rgid); 968 setsugid(p); 969 } 970 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 971 newcred->cr_svgid != newcred->cr_groups[0]) { 972 change_svgid(newcred, newcred->cr_groups[0]); 973 setsugid(p); 974 } 975 p->p_ucred = newcred; 976 PROC_UNLOCK(p); 977 crfree(oldcred); 978 return (0); 979 980fail: 981 PROC_UNLOCK(p); 982 crfree(newcred); 983 return (error); 984} 985 986/* 987 * setresuid(ruid, euid, suid) is like setreuid except control over the saved 988 * uid is explicit. 989 */ 990#ifndef _SYS_SYSPROTO_H_ 991struct setresuid_args { 992 uid_t ruid; 993 uid_t euid; 994 uid_t suid; 995}; 996#endif 997/* ARGSUSED */ 998int 999setresuid(register struct thread *td, struct setresuid_args *uap) 1000{ 1001 struct proc *p = td->td_proc; 1002 struct ucred *newcred, *oldcred; 1003 uid_t euid, ruid, suid; 1004 struct uidinfo *euip, *ruip; 1005 int error; 1006 1007 euid = uap->euid; 1008 ruid = uap->ruid; 1009 suid = uap->suid; 1010 AUDIT_ARG_EUID(euid); 1011 AUDIT_ARG_RUID(ruid); 1012 AUDIT_ARG_SUID(suid); 1013 newcred = crget(); 1014 euip = uifind(euid); 1015 ruip = uifind(ruid); 1016 PROC_LOCK(p); 1017 oldcred = crcopysafe(p, newcred); 1018 1019#ifdef MAC 1020 error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); 1021 if (error) 1022 goto fail; 1023#endif 1024 1025 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 1026 ruid != oldcred->cr_svuid && 1027 ruid != oldcred->cr_uid) || 1028 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 1029 euid != oldcred->cr_svuid && 1030 euid != oldcred->cr_uid) || 1031 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 1032 suid != oldcred->cr_svuid && 1033 suid != oldcred->cr_uid)) && 1034 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) 1035 goto fail; 1036 1037 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1038 change_euid(newcred, euip); 1039 setsugid(p); 1040 } 1041 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1042 change_ruid(newcred, ruip); 1043 setsugid(p); 1044 } 1045 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1046 change_svuid(newcred, suid); 1047 setsugid(p); 1048 } 1049 p->p_ucred = newcred; 1050 PROC_UNLOCK(p); 1051 uifree(ruip); 1052 uifree(euip); 1053 crfree(oldcred); 1054 return (0); 1055 1056fail: 1057 PROC_UNLOCK(p); 1058 uifree(ruip); 1059 uifree(euip); 1060 crfree(newcred); 1061 return (error); 1062 1063} 1064 1065/* 1066 * setresgid(rgid, egid, sgid) is like setregid except control over the saved 1067 * gid is explicit. 1068 */ 1069#ifndef _SYS_SYSPROTO_H_ 1070struct setresgid_args { 1071 gid_t rgid; 1072 gid_t egid; 1073 gid_t sgid; 1074}; 1075#endif 1076/* ARGSUSED */ 1077int 1078setresgid(register struct thread *td, struct setresgid_args *uap) 1079{ 1080 struct proc *p = td->td_proc; 1081 struct ucred *newcred, *oldcred; 1082 gid_t egid, rgid, sgid; 1083 int error; 1084 1085 egid = uap->egid; 1086 rgid = uap->rgid; 1087 sgid = uap->sgid; 1088 AUDIT_ARG_EGID(egid); 1089 AUDIT_ARG_RGID(rgid); 1090 AUDIT_ARG_SGID(sgid); 1091 newcred = crget(); 1092 PROC_LOCK(p); 1093 oldcred = crcopysafe(p, newcred); 1094 1095#ifdef MAC 1096 error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); 1097 if (error) 1098 goto fail; 1099#endif 1100 1101 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1102 rgid != oldcred->cr_svgid && 1103 rgid != oldcred->cr_groups[0]) || 1104 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1105 egid != oldcred->cr_svgid && 1106 egid != oldcred->cr_groups[0]) || 1107 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1108 sgid != oldcred->cr_svgid && 1109 sgid != oldcred->cr_groups[0])) && 1110 (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) 1111 goto fail; 1112 1113 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1114 change_egid(newcred, egid); 1115 setsugid(p); 1116 } 1117 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1118 change_rgid(newcred, rgid); 1119 setsugid(p); 1120 } 1121 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1122 change_svgid(newcred, sgid); 1123 setsugid(p); 1124 } 1125 p->p_ucred = newcred; 1126 PROC_UNLOCK(p); 1127 crfree(oldcred); 1128 return (0); 1129 1130fail: 1131 PROC_UNLOCK(p); 1132 crfree(newcred); 1133 return (error); 1134} 1135 1136#ifndef _SYS_SYSPROTO_H_ 1137struct getresuid_args { 1138 uid_t *ruid; 1139 uid_t *euid; 1140 uid_t *suid; 1141}; 1142#endif 1143/* ARGSUSED */ 1144int 1145getresuid(register struct thread *td, struct getresuid_args *uap) 1146{ 1147 struct ucred *cred; 1148 int error1 = 0, error2 = 0, error3 = 0; 1149 1150 cred = td->td_ucred; 1151 if (uap->ruid) 1152 error1 = copyout(&cred->cr_ruid, 1153 uap->ruid, sizeof(cred->cr_ruid)); 1154 if (uap->euid) 1155 error2 = copyout(&cred->cr_uid, 1156 uap->euid, sizeof(cred->cr_uid)); 1157 if (uap->suid) 1158 error3 = copyout(&cred->cr_svuid, 1159 uap->suid, sizeof(cred->cr_svuid)); 1160 return (error1 ? error1 : error2 ? error2 : error3); 1161} 1162 1163#ifndef _SYS_SYSPROTO_H_ 1164struct getresgid_args { 1165 gid_t *rgid; 1166 gid_t *egid; 1167 gid_t *sgid; 1168}; 1169#endif 1170/* ARGSUSED */ 1171int 1172getresgid(register struct thread *td, struct getresgid_args *uap) 1173{ 1174 struct ucred *cred; 1175 int error1 = 0, error2 = 0, error3 = 0; 1176 1177 cred = td->td_ucred; 1178 if (uap->rgid) 1179 error1 = copyout(&cred->cr_rgid, 1180 uap->rgid, sizeof(cred->cr_rgid)); 1181 if (uap->egid) 1182 error2 = copyout(&cred->cr_groups[0], 1183 uap->egid, sizeof(cred->cr_groups[0])); 1184 if (uap->sgid) 1185 error3 = copyout(&cred->cr_svgid, 1186 uap->sgid, sizeof(cred->cr_svgid)); 1187 return (error1 ? error1 : error2 ? error2 : error3); 1188} 1189 1190#ifndef _SYS_SYSPROTO_H_ 1191struct issetugid_args { 1192 int dummy; 1193}; 1194#endif 1195/* ARGSUSED */ 1196int 1197issetugid(register struct thread *td, struct issetugid_args *uap) 1198{ 1199 struct proc *p = td->td_proc; 1200 1201 /* 1202 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1203 * we use P_SUGID because we consider changing the owners as 1204 * "tainting" as well. 1205 * This is significant for procs that start as root and "become" 1206 * a user without an exec - programs cannot know *everything* 1207 * that libc *might* have put in their data segment. 1208 */ 1209 PROC_LOCK(p); 1210 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1211 PROC_UNLOCK(p); 1212 return (0); 1213} 1214 1215int 1216__setugid(struct thread *td, struct __setugid_args *uap) 1217{ 1218#ifdef REGRESSION 1219 struct proc *p; 1220 1221 p = td->td_proc; 1222 switch (uap->flag) { 1223 case 0: 1224 PROC_LOCK(p); 1225 p->p_flag &= ~P_SUGID; 1226 PROC_UNLOCK(p); 1227 return (0); 1228 case 1: 1229 PROC_LOCK(p); 1230 p->p_flag |= P_SUGID; 1231 PROC_UNLOCK(p); 1232 return (0); 1233 default: 1234 return (EINVAL); 1235 } 1236#else /* !REGRESSION */ 1237 1238 return (ENOSYS); 1239#endif /* REGRESSION */ 1240} 1241 1242/* 1243 * Check if gid is a member of the group set. 1244 */ 1245int 1246groupmember(gid_t gid, struct ucred *cred) 1247{ 1248 int l; 1249 int h; 1250 int m; 1251 1252 if (cred->cr_groups[0] == gid) 1253 return(1); 1254 1255 /* 1256 * If gid was not our primary group, perform a binary search 1257 * of the supplemental groups. This is possible because we 1258 * sort the groups in crsetgroups(). 1259 */ 1260 l = 1; 1261 h = cred->cr_ngroups; 1262 while (l < h) { 1263 m = l + ((h - l) / 2); 1264 if (cred->cr_groups[m] < gid) 1265 l = m + 1; 1266 else 1267 h = m; 1268 } 1269 if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) 1270 return (1); 1271 1272 return (0); 1273} 1274 1275/* 1276 * Test the active securelevel against a given level. securelevel_gt() 1277 * implements (securelevel > level). securelevel_ge() implements 1278 * (securelevel >= level). Note that the logic is inverted -- these 1279 * functions return EPERM on "success" and 0 on "failure". 1280 * 1281 * Due to care taken when setting the securelevel, we know that no jail will 1282 * be less secure that its parent (or the physical system), so it is sufficient 1283 * to test the current jail only. 1284 * 1285 * XXXRW: Possibly since this has to do with privilege, it should move to 1286 * kern_priv.c. 1287 */ 1288int 1289securelevel_gt(struct ucred *cr, int level) 1290{ 1291 1292 return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); 1293} 1294 1295int 1296securelevel_ge(struct ucred *cr, int level) 1297{ 1298 1299 return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); 1300} 1301 1302/* 1303 * 'see_other_uids' determines whether or not visibility of processes 1304 * and sockets with credentials holding different real uids is possible 1305 * using a variety of system MIBs. 1306 * XXX: data declarations should be together near the beginning of the file. 1307 */ 1308static int see_other_uids = 1; 1309SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, 1310 &see_other_uids, 0, 1311 "Unprivileged processes may see subjects/objects with different real uid"); 1312 1313/*- 1314 * Determine if u1 "can see" the subject specified by u2, according to the 1315 * 'see_other_uids' policy. 1316 * Returns: 0 for permitted, ESRCH otherwise 1317 * Locks: none 1318 * References: *u1 and *u2 must not change during the call 1319 * u1 may equal u2, in which case only one reference is required 1320 */ 1321static int 1322cr_seeotheruids(struct ucred *u1, struct ucred *u2) 1323{ 1324 1325 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { 1326 if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) 1327 return (ESRCH); 1328 } 1329 return (0); 1330} 1331 1332/* 1333 * 'see_other_gids' determines whether or not visibility of processes 1334 * and sockets with credentials holding different real gids is possible 1335 * using a variety of system MIBs. 1336 * XXX: data declarations should be together near the beginning of the file. 1337 */ 1338static int see_other_gids = 1; 1339SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, 1340 &see_other_gids, 0, 1341 "Unprivileged processes may see subjects/objects with different real gid"); 1342 1343/* 1344 * Determine if u1 can "see" the subject specified by u2, according to the 1345 * 'see_other_gids' policy. 1346 * Returns: 0 for permitted, ESRCH otherwise 1347 * Locks: none 1348 * References: *u1 and *u2 must not change during the call 1349 * u1 may equal u2, in which case only one reference is required 1350 */ 1351static int 1352cr_seeothergids(struct ucred *u1, struct ucred *u2) 1353{ 1354 int i, match; 1355 1356 if (!see_other_gids) { 1357 match = 0; 1358 for (i = 0; i < u1->cr_ngroups; i++) { 1359 if (groupmember(u1->cr_groups[i], u2)) 1360 match = 1; 1361 if (match) 1362 break; 1363 } 1364 if (!match) { 1365 if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) 1366 return (ESRCH); 1367 } 1368 } 1369 return (0); 1370} 1371 1372/*- 1373 * Determine if u1 "can see" the subject specified by u2. 1374 * Returns: 0 for permitted, an errno value otherwise 1375 * Locks: none 1376 * References: *u1 and *u2 must not change during the call 1377 * u1 may equal u2, in which case only one reference is required 1378 */ 1379int 1380cr_cansee(struct ucred *u1, struct ucred *u2) 1381{ 1382 int error; 1383 1384 if ((error = prison_check(u1, u2))) 1385 return (error); 1386#ifdef MAC 1387 if ((error = mac_cred_check_visible(u1, u2))) 1388 return (error); 1389#endif 1390 if ((error = cr_seeotheruids(u1, u2))) 1391 return (error); 1392 if ((error = cr_seeothergids(u1, u2))) 1393 return (error); 1394 return (0); 1395} 1396 1397/*- 1398 * Determine if td "can see" the subject specified by p. 1399 * Returns: 0 for permitted, an errno value otherwise 1400 * Locks: Sufficient locks to protect p->p_ucred must be held. td really 1401 * should be curthread. 1402 * References: td and p must be valid for the lifetime of the call 1403 */ 1404int 1405p_cansee(struct thread *td, struct proc *p) 1406{ 1407 1408 /* Wrap cr_cansee() for all functionality. */ 1409 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1410 PROC_LOCK_ASSERT(p, MA_OWNED); 1411 return (cr_cansee(td->td_ucred, p->p_ucred)); 1412} 1413 1414/* 1415 * 'conservative_signals' prevents the delivery of a broad class of 1416 * signals by unprivileged processes to processes that have changed their 1417 * credentials since the last invocation of execve(). This can prevent 1418 * the leakage of cached information or retained privileges as a result 1419 * of a common class of signal-related vulnerabilities. However, this 1420 * may interfere with some applications that expect to be able to 1421 * deliver these signals to peer processes after having given up 1422 * privilege. 1423 */ 1424static int conservative_signals = 1; 1425SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, 1426 &conservative_signals, 0, "Unprivileged processes prevented from " 1427 "sending certain signals to processes whose credentials have changed"); 1428/*- 1429 * Determine whether cred may deliver the specified signal to proc. 1430 * Returns: 0 for permitted, an errno value otherwise. 1431 * Locks: A lock must be held for proc. 1432 * References: cred and proc must be valid for the lifetime of the call. 1433 */ 1434int 1435cr_cansignal(struct ucred *cred, struct proc *proc, int signum) 1436{ 1437 int error; 1438 1439 PROC_LOCK_ASSERT(proc, MA_OWNED); 1440 /* 1441 * Jail semantics limit the scope of signalling to proc in the 1442 * same jail as cred, if cred is in jail. 1443 */ 1444 error = prison_check(cred, proc->p_ucred); 1445 if (error) 1446 return (error); 1447#ifdef MAC 1448 if ((error = mac_proc_check_signal(cred, proc, signum))) 1449 return (error); 1450#endif 1451 if ((error = cr_seeotheruids(cred, proc->p_ucred))) 1452 return (error); 1453 if ((error = cr_seeothergids(cred, proc->p_ucred))) 1454 return (error); 1455 1456 /* 1457 * UNIX signal semantics depend on the status of the P_SUGID 1458 * bit on the target process. If the bit is set, then additional 1459 * restrictions are placed on the set of available signals. 1460 */ 1461 if (conservative_signals && (proc->p_flag & P_SUGID)) { 1462 switch (signum) { 1463 case 0: 1464 case SIGKILL: 1465 case SIGINT: 1466 case SIGTERM: 1467 case SIGALRM: 1468 case SIGSTOP: 1469 case SIGTTIN: 1470 case SIGTTOU: 1471 case SIGTSTP: 1472 case SIGHUP: 1473 case SIGUSR1: 1474 case SIGUSR2: 1475 /* 1476 * Generally, permit job and terminal control 1477 * signals. 1478 */ 1479 break; 1480 default: 1481 /* Not permitted without privilege. */ 1482 error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); 1483 if (error) 1484 return (error); 1485 } 1486 } 1487 1488 /* 1489 * Generally, the target credential's ruid or svuid must match the 1490 * subject credential's ruid or euid. 1491 */ 1492 if (cred->cr_ruid != proc->p_ucred->cr_ruid && 1493 cred->cr_ruid != proc->p_ucred->cr_svuid && 1494 cred->cr_uid != proc->p_ucred->cr_ruid && 1495 cred->cr_uid != proc->p_ucred->cr_svuid) { 1496 error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); 1497 if (error) 1498 return (error); 1499 } 1500 1501 return (0); 1502} 1503 1504/*- 1505 * Determine whether td may deliver the specified signal to p. 1506 * Returns: 0 for permitted, an errno value otherwise 1507 * Locks: Sufficient locks to protect various components of td and p 1508 * must be held. td must be curthread, and a lock must be 1509 * held for p. 1510 * References: td and p must be valid for the lifetime of the call 1511 */ 1512int 1513p_cansignal(struct thread *td, struct proc *p, int signum) 1514{ 1515 1516 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1517 PROC_LOCK_ASSERT(p, MA_OWNED); 1518 if (td->td_proc == p) 1519 return (0); 1520 1521 /* 1522 * UNIX signalling semantics require that processes in the same 1523 * session always be able to deliver SIGCONT to one another, 1524 * overriding the remaining protections. 1525 */ 1526 /* XXX: This will require an additional lock of some sort. */ 1527 if (signum == SIGCONT && td->td_proc->p_session == p->p_session) 1528 return (0); 1529 /* 1530 * Some compat layers use SIGTHR and higher signals for 1531 * communication between different kernel threads of the same 1532 * process, so that they expect that it's always possible to 1533 * deliver them, even for suid applications where cr_cansignal() can 1534 * deny such ability for security consideration. It should be 1535 * pretty safe to do since the only way to create two processes 1536 * with the same p_leader is via rfork(2). 1537 */ 1538 if (td->td_proc->p_leader != NULL && signum >= SIGTHR && 1539 signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) 1540 return (0); 1541 1542 return (cr_cansignal(td->td_ucred, p, signum)); 1543} 1544 1545/*- 1546 * Determine whether td may reschedule p. 1547 * Returns: 0 for permitted, an errno value otherwise 1548 * Locks: Sufficient locks to protect various components of td and p 1549 * must be held. td must be curthread, and a lock must 1550 * be held for p. 1551 * References: td and p must be valid for the lifetime of the call 1552 */ 1553int 1554p_cansched(struct thread *td, struct proc *p) 1555{ 1556 int error; 1557 1558 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1559 PROC_LOCK_ASSERT(p, MA_OWNED); 1560 if (td->td_proc == p) 1561 return (0); 1562 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1563 return (error); 1564#ifdef MAC 1565 if ((error = mac_proc_check_sched(td->td_ucred, p))) 1566 return (error); 1567#endif 1568 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1569 return (error); 1570 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1571 return (error); 1572 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && 1573 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { 1574 error = priv_check(td, PRIV_SCHED_DIFFCRED); 1575 if (error) 1576 return (error); 1577 } 1578 return (0); 1579} 1580 1581/* 1582 * The 'unprivileged_proc_debug' flag may be used to disable a variety of 1583 * unprivileged inter-process debugging services, including some procfs 1584 * functionality, ptrace(), and ktrace(). In the past, inter-process 1585 * debugging has been involved in a variety of security problems, and sites 1586 * not requiring the service might choose to disable it when hardening 1587 * systems. 1588 * 1589 * XXX: Should modifying and reading this variable require locking? 1590 * XXX: data declarations should be together near the beginning of the file. 1591 */ 1592static int unprivileged_proc_debug = 1; 1593SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, 1594 &unprivileged_proc_debug, 0, 1595 "Unprivileged processes may use process debugging facilities"); 1596 1597/*- 1598 * Determine whether td may debug p. 1599 * Returns: 0 for permitted, an errno value otherwise 1600 * Locks: Sufficient locks to protect various components of td and p 1601 * must be held. td must be curthread, and a lock must 1602 * be held for p. 1603 * References: td and p must be valid for the lifetime of the call 1604 */ 1605int 1606p_candebug(struct thread *td, struct proc *p) 1607{ 1608 int credentialchanged, error, grpsubset, i, uidsubset; 1609 1610 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1611 PROC_LOCK_ASSERT(p, MA_OWNED); 1612 if (!unprivileged_proc_debug) { 1613 error = priv_check(td, PRIV_DEBUG_UNPRIV); 1614 if (error) 1615 return (error); 1616 } 1617 if (td->td_proc == p) 1618 return (0); 1619 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1620 return (error); 1621#ifdef MAC 1622 if ((error = mac_proc_check_debug(td->td_ucred, p))) 1623 return (error); 1624#endif 1625 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1626 return (error); 1627 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) 1628 return (error); 1629 1630 /* 1631 * Is p's group set a subset of td's effective group set? This 1632 * includes p's egid, group access list, rgid, and svgid. 1633 */ 1634 grpsubset = 1; 1635 for (i = 0; i < p->p_ucred->cr_ngroups; i++) { 1636 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { 1637 grpsubset = 0; 1638 break; 1639 } 1640 } 1641 grpsubset = grpsubset && 1642 groupmember(p->p_ucred->cr_rgid, td->td_ucred) && 1643 groupmember(p->p_ucred->cr_svgid, td->td_ucred); 1644 1645 /* 1646 * Are the uids present in p's credential equal to td's 1647 * effective uid? This includes p's euid, svuid, and ruid. 1648 */ 1649 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && 1650 td->td_ucred->cr_uid == p->p_ucred->cr_svuid && 1651 td->td_ucred->cr_uid == p->p_ucred->cr_ruid); 1652 1653 /* 1654 * Has the credential of the process changed since the last exec()? 1655 */ 1656 credentialchanged = (p->p_flag & P_SUGID); 1657 1658 /* 1659 * If p's gids aren't a subset, or the uids aren't a subset, 1660 * or the credential has changed, require appropriate privilege 1661 * for td to debug p. 1662 */ 1663 if (!grpsubset || !uidsubset) { 1664 error = priv_check(td, PRIV_DEBUG_DIFFCRED); 1665 if (error) 1666 return (error); 1667 } 1668 1669 if (credentialchanged) { 1670 error = priv_check(td, PRIV_DEBUG_SUGID); 1671 if (error) 1672 return (error); 1673 } 1674 1675 /* Can't trace init when securelevel > 0. */ 1676 if (p == initproc) { 1677 error = securelevel_gt(td->td_ucred, 0); 1678 if (error) 1679 return (error); 1680 } 1681 1682 /* 1683 * Can't trace a process that's currently exec'ing. 1684 * 1685 * XXX: Note, this is not a security policy decision, it's a 1686 * basic correctness/functionality decision. Therefore, this check 1687 * should be moved to the caller's of p_candebug(). 1688 */ 1689 if ((p->p_flag & P_INEXEC) != 0) 1690 return (EBUSY); 1691 1692 return (0); 1693} 1694 1695/*- 1696 * Determine whether the subject represented by cred can "see" a socket. 1697 * Returns: 0 for permitted, ENOENT otherwise. 1698 */ 1699int 1700cr_canseesocket(struct ucred *cred, struct socket *so) 1701{ 1702 int error; 1703 1704 error = prison_check(cred, so->so_cred); 1705 if (error) 1706 return (ENOENT); 1707#ifdef MAC 1708 error = mac_socket_check_visible(cred, so); 1709 if (error) 1710 return (error); 1711#endif 1712 if (cr_seeotheruids(cred, so->so_cred)) 1713 return (ENOENT); 1714 if (cr_seeothergids(cred, so->so_cred)) 1715 return (ENOENT); 1716 1717 return (0); 1718} 1719 1720#if defined(INET) || defined(INET6) 1721/*- 1722 * Determine whether the subject represented by cred can "see" a socket. 1723 * Returns: 0 for permitted, ENOENT otherwise. 1724 */ 1725int 1726cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) 1727{ 1728 int error; 1729 1730 error = prison_check(cred, inp->inp_cred); 1731 if (error) 1732 return (ENOENT); 1733#ifdef MAC 1734 INP_LOCK_ASSERT(inp); 1735 error = mac_inpcb_check_visible(cred, inp); 1736 if (error) 1737 return (error); 1738#endif 1739 if (cr_seeotheruids(cred, inp->inp_cred)) 1740 return (ENOENT); 1741 if (cr_seeothergids(cred, inp->inp_cred)) 1742 return (ENOENT); 1743 1744 return (0); 1745} 1746#endif 1747 1748/*- 1749 * Determine whether td can wait for the exit of p. 1750 * Returns: 0 for permitted, an errno value otherwise 1751 * Locks: Sufficient locks to protect various components of td and p 1752 * must be held. td must be curthread, and a lock must 1753 * be held for p. 1754 * References: td and p must be valid for the lifetime of the call 1755 1756 */ 1757int 1758p_canwait(struct thread *td, struct proc *p) 1759{ 1760 int error; 1761 1762 KASSERT(td == curthread, ("%s: td not curthread", __func__)); 1763 PROC_LOCK_ASSERT(p, MA_OWNED); 1764 if ((error = prison_check(td->td_ucred, p->p_ucred))) 1765 return (error); 1766#ifdef MAC 1767 if ((error = mac_proc_check_wait(td->td_ucred, p))) 1768 return (error); 1769#endif 1770#if 0 1771 /* XXXMAC: This could have odd effects on some shells. */ 1772 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 1773 return (error); 1774#endif 1775 1776 return (0); 1777} 1778 1779/* 1780 * Allocate a zeroed cred structure. 1781 */ 1782struct ucred * 1783crget(void) 1784{ 1785 register struct ucred *cr; 1786 1787 cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); 1788 refcount_init(&cr->cr_ref, 1); 1789#ifdef AUDIT 1790 audit_cred_init(cr); 1791#endif 1792#ifdef MAC 1793 mac_cred_init(cr); 1794#endif 1795 crextend(cr, XU_NGROUPS); 1796 return (cr); 1797} 1798 1799/* 1800 * Claim another reference to a ucred structure. 1801 */ 1802struct ucred * 1803crhold(struct ucred *cr) 1804{ 1805 1806 refcount_acquire(&cr->cr_ref); 1807 return (cr); 1808} 1809 1810/* 1811 * Free a cred structure. Throws away space when ref count gets to 0. 1812 */ 1813void 1814crfree(struct ucred *cr) 1815{ 1816 1817 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1818 KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); 1819 if (refcount_release(&cr->cr_ref)) { 1820 /* 1821 * Some callers of crget(), such as nfs_statfs(), 1822 * allocate a temporary credential, but don't 1823 * allocate a uidinfo structure. 1824 */ 1825 if (cr->cr_uidinfo != NULL) 1826 uifree(cr->cr_uidinfo); 1827 if (cr->cr_ruidinfo != NULL) 1828 uifree(cr->cr_ruidinfo); 1829 /* 1830 * Free a prison, if any. 1831 */ 1832 if (cr->cr_prison != NULL) 1833 prison_free(cr->cr_prison); 1834#ifdef AUDIT 1835 audit_cred_destroy(cr); 1836#endif 1837#ifdef MAC 1838 mac_cred_destroy(cr); 1839#endif 1840 free(cr->cr_groups, M_CRED); 1841 free(cr, M_CRED); 1842 } 1843} 1844 1845/* 1846 * Check to see if this ucred is shared. 1847 */ 1848int 1849crshared(struct ucred *cr) 1850{ 1851 1852 return (cr->cr_ref > 1); 1853} 1854 1855/* 1856 * Copy a ucred's contents from a template. Does not block. 1857 */ 1858void 1859crcopy(struct ucred *dest, struct ucred *src) 1860{ 1861 1862 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); 1863 bcopy(&src->cr_startcopy, &dest->cr_startcopy, 1864 (unsigned)((caddr_t)&src->cr_endcopy - 1865 (caddr_t)&src->cr_startcopy)); 1866 crsetgroups(dest, src->cr_ngroups, src->cr_groups); 1867 uihold(dest->cr_uidinfo); 1868 uihold(dest->cr_ruidinfo); 1869 prison_hold(dest->cr_prison); 1870#ifdef AUDIT 1871 audit_cred_copy(src, dest); 1872#endif 1873#ifdef MAC 1874 mac_cred_copy(src, dest); 1875#endif 1876} 1877 1878/* 1879 * Dup cred struct to a new held one. 1880 */ 1881struct ucred * 1882crdup(struct ucred *cr) 1883{ 1884 struct ucred *newcr; 1885 1886 newcr = crget(); 1887 crcopy(newcr, cr); 1888 return (newcr); 1889} 1890 1891/* 1892 * Fill in a struct xucred based on a struct ucred. 1893 */ 1894void 1895cru2x(struct ucred *cr, struct xucred *xcr) 1896{ 1897 int ngroups; 1898 1899 bzero(xcr, sizeof(*xcr)); 1900 xcr->cr_version = XUCRED_VERSION; 1901 xcr->cr_uid = cr->cr_uid; 1902 1903 ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); 1904 xcr->cr_ngroups = ngroups; 1905 bcopy(cr->cr_groups, xcr->cr_groups, 1906 ngroups * sizeof(*cr->cr_groups)); 1907} 1908 1909/* 1910 * small routine to swap a thread's current ucred for the correct one taken 1911 * from the process. 1912 */ 1913void 1914cred_update_thread(struct thread *td) 1915{ 1916 struct proc *p; 1917 struct ucred *cred; 1918 1919 p = td->td_proc; 1920 cred = td->td_ucred; 1921 PROC_LOCK(p); 1922 td->td_ucred = crhold(p->p_ucred); 1923 PROC_UNLOCK(p); 1924 if (cred != NULL) 1925 crfree(cred); 1926} 1927 1928struct ucred * 1929crcopysafe(struct proc *p, struct ucred *cr) 1930{ 1931 struct ucred *oldcred; 1932 int groups; 1933 1934 PROC_LOCK_ASSERT(p, MA_OWNED); 1935 1936 oldcred = p->p_ucred; 1937 while (cr->cr_agroups < oldcred->cr_agroups) { 1938 groups = oldcred->cr_agroups; 1939 PROC_UNLOCK(p); 1940 crextend(cr, groups); 1941 PROC_LOCK(p); 1942 oldcred = p->p_ucred; 1943 } 1944 crcopy(cr, oldcred); 1945 1946 return (oldcred); 1947} 1948 1949/* 1950 * Extend the passed in credential to hold n items. 1951 */ 1952static void 1953crextend(struct ucred *cr, int n) 1954{ 1955 int cnt; 1956 1957 /* Truncate? */ 1958 if (n <= cr->cr_agroups) 1959 return; 1960 1961 /* 1962 * We extend by 2 each time since we're using a power of two 1963 * allocator until we need enough groups to fill a page. 1964 * Once we're allocating multiple pages, only allocate as many 1965 * as we actually need. The case of processes needing a 1966 * non-power of two number of pages seems more likely than 1967 * a real world process that adds thousands of groups one at a 1968 * time. 1969 */ 1970 if ( n < PAGE_SIZE / sizeof(gid_t) ) { 1971 if (cr->cr_agroups == 0) 1972 cnt = MINALLOCSIZE / sizeof(gid_t); 1973 else 1974 cnt = cr->cr_agroups * 2; 1975 1976 while (cnt < n) 1977 cnt *= 2; 1978 } else 1979 cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); 1980 1981 /* Free the old array. */ 1982 if (cr->cr_groups) 1983 free(cr->cr_groups, M_CRED); 1984 1985 cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); 1986 cr->cr_agroups = cnt; 1987} 1988 1989/* 1990 * Copy groups in to a credential, preserving any necessary invariants. 1991 * Currently this includes the sorting of all supplemental gids. 1992 * crextend() must have been called before hand to ensure sufficient 1993 * space is available. 1994 */ 1995static void 1996crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) 1997{ 1998 int i; 1999 int j; 2000 gid_t g; 2001 2002 KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); 2003 2004 bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); 2005 cr->cr_ngroups = ngrp; 2006 2007 /* 2008 * Sort all groups except cr_groups[0] to allow groupmember to 2009 * perform a binary search. 2010 * 2011 * XXX: If large numbers of groups become common this should 2012 * be replaced with shell sort like linux uses or possibly 2013 * heap sort. 2014 */ 2015 for (i = 2; i < ngrp; i++) { 2016 g = cr->cr_groups[i]; 2017 for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) 2018 cr->cr_groups[j + 1] = cr->cr_groups[j]; 2019 cr->cr_groups[j + 1] = g; 2020 } 2021} 2022 2023/* 2024 * Copy groups in to a credential after expanding it if required. 2025 * Truncate the list to (ngroups_max + 1) if it is too large. 2026 */ 2027void 2028crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) 2029{ 2030 2031 if (ngrp > ngroups_max + 1) 2032 ngrp = ngroups_max + 1; 2033 2034 crextend(cr, ngrp); 2035 crsetgroups_locked(cr, ngrp, groups); 2036} 2037 2038/* 2039 * Get login name, if available. 2040 */ 2041#ifndef _SYS_SYSPROTO_H_ 2042struct getlogin_args { 2043 char *namebuf; 2044 u_int namelen; 2045}; 2046#endif 2047/* ARGSUSED */ 2048int 2049getlogin(struct thread *td, struct getlogin_args *uap) 2050{ 2051 int error; 2052 char login[MAXLOGNAME]; 2053 struct proc *p = td->td_proc; 2054 2055 if (uap->namelen > MAXLOGNAME) 2056 uap->namelen = MAXLOGNAME; 2057 PROC_LOCK(p); 2058 SESS_LOCK(p->p_session); 2059 bcopy(p->p_session->s_login, login, uap->namelen); 2060 SESS_UNLOCK(p->p_session); 2061 PROC_UNLOCK(p); 2062 error = copyout(login, uap->namebuf, uap->namelen); 2063 return(error); 2064} 2065 2066/* 2067 * Set login name. 2068 */ 2069#ifndef _SYS_SYSPROTO_H_ 2070struct setlogin_args { 2071 char *namebuf; 2072}; 2073#endif 2074/* ARGSUSED */ 2075int 2076setlogin(struct thread *td, struct setlogin_args *uap) 2077{ 2078 struct proc *p = td->td_proc; 2079 int error; 2080 char logintmp[MAXLOGNAME]; 2081 2082 error = priv_check(td, PRIV_PROC_SETLOGIN); 2083 if (error) 2084 return (error); 2085 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); 2086 if (error == ENAMETOOLONG) 2087 error = EINVAL; 2088 else if (!error) { 2089 PROC_LOCK(p); 2090 SESS_LOCK(p->p_session); 2091 (void) memcpy(p->p_session->s_login, logintmp, 2092 sizeof(logintmp)); 2093 SESS_UNLOCK(p->p_session); 2094 PROC_UNLOCK(p); 2095 } 2096 return (error); 2097} 2098 2099void 2100setsugid(struct proc *p) 2101{ 2102 2103 PROC_LOCK_ASSERT(p, MA_OWNED); 2104 p->p_flag |= P_SUGID; 2105 if (!(p->p_pfsflags & PF_ISUGID)) 2106 p->p_stops = 0; 2107} 2108 2109/*- 2110 * Change a process's effective uid. 2111 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 2112 * References: newcred must be an exclusive credential reference for the 2113 * duration of the call. 2114 */ 2115void 2116change_euid(struct ucred *newcred, struct uidinfo *euip) 2117{ 2118 2119 newcred->cr_uid = euip->ui_uid; 2120 uihold(euip); 2121 uifree(newcred->cr_uidinfo); 2122 newcred->cr_uidinfo = euip; 2123} 2124 2125/*- 2126 * Change a process's effective gid. 2127 * Side effects: newcred->cr_gid will be modified. 2128 * References: newcred must be an exclusive credential reference for the 2129 * duration of the call. 2130 */ 2131void 2132change_egid(struct ucred *newcred, gid_t egid) 2133{ 2134 2135 newcred->cr_groups[0] = egid; 2136} 2137 2138/*- 2139 * Change a process's real uid. 2140 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 2141 * will be updated, and the old and new cr_ruidinfo proc 2142 * counts will be updated. 2143 * References: newcred must be an exclusive credential reference for the 2144 * duration of the call. 2145 */ 2146void 2147change_ruid(struct ucred *newcred, struct uidinfo *ruip) 2148{ 2149 2150 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 2151 newcred->cr_ruid = ruip->ui_uid; 2152 uihold(ruip); 2153 uifree(newcred->cr_ruidinfo); 2154 newcred->cr_ruidinfo = ruip; 2155 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 2156} 2157 2158/*- 2159 * Change a process's real gid. 2160 * Side effects: newcred->cr_rgid will be updated. 2161 * References: newcred must be an exclusive credential reference for the 2162 * duration of the call. 2163 */ 2164void 2165change_rgid(struct ucred *newcred, gid_t rgid) 2166{ 2167 2168 newcred->cr_rgid = rgid; 2169} 2170 2171/*- 2172 * Change a process's saved uid. 2173 * Side effects: newcred->cr_svuid will be updated. 2174 * References: newcred must be an exclusive credential reference for the 2175 * duration of the call. 2176 */ 2177void 2178change_svuid(struct ucred *newcred, uid_t svuid) 2179{ 2180 2181 newcred->cr_svuid = svuid; 2182} 2183 2184/*- 2185 * Change a process's saved gid. 2186 * Side effects: newcred->cr_svgid will be updated. 2187 * References: newcred must be an exclusive credential reference for the 2188 * duration of the call. 2189 */ 2190void 2191change_svgid(struct ucred *newcred, gid_t svgid) 2192{ 2193 2194 newcred->cr_svgid = svgid; 2195} 2196