kern_prot.c revision 84636
1/* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * Copyright (c) 2000, 2001 Robert N. M. Watson. All rights reserved. 5 * (c) UNIX System Laboratories, Inc. 6 * All or some portions of this file are derived from material licensed 7 * to the University of California by American Telephone and Telegraph 8 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 9 * the permission of UNIX System Laboratories, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the University of 22 * California, Berkeley and its contributors. 23 * 4. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 40 * $FreeBSD: head/sys/kern/kern_prot.c 84636 2001-10-07 20:06:03Z des $ 41 */ 42 43/* 44 * System calls related to processes and protection 45 */ 46 47#include "opt_compat.h" 48#include "opt_global.h" 49 50#include <sys/param.h> 51#include <sys/systm.h> 52#include <sys/acct.h> 53#include <sys/kernel.h> 54#include <sys/lock.h> 55#include <sys/mutex.h> 56#include <sys/proc.h> 57#include <sys/sysproto.h> 58#include <sys/malloc.h> 59#include <sys/pioctl.h> 60#include <sys/resourcevar.h> 61#include <sys/sysctl.h> 62#include <sys/jail.h> 63 64static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 65 66SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, 67 "Kernel security policy"); 68 69#ifndef _SYS_SYSPROTO_H_ 70struct getpid_args { 71 int dummy; 72}; 73#endif 74 75/* 76 * getpid 77 */ 78 79/* 80 * MPSAFE 81 */ 82/* ARGSUSED */ 83int 84getpid(td, uap) 85 struct thread *td; 86 struct getpid_args *uap; 87{ 88 struct proc *p = td->td_proc; 89 90 mtx_lock(&Giant); 91 td->td_retval[0] = p->p_pid; 92#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 93 PROC_LOCK(p); 94 td->td_retval[1] = p->p_pptr->p_pid; 95 PROC_UNLOCK(p); 96#endif 97 mtx_unlock(&Giant); 98 return (0); 99} 100 101/* 102 * getppid 103 */ 104 105#ifndef _SYS_SYSPROTO_H_ 106struct getppid_args { 107 int dummy; 108}; 109#endif 110/* 111 * MPSAFE 112 */ 113/* ARGSUSED */ 114int 115getppid(td, uap) 116 struct thread *td; 117 struct getppid_args *uap; 118{ 119 struct proc *p = td->td_proc; 120 121 mtx_lock(&Giant); 122 PROC_LOCK(p); 123 td->td_retval[0] = p->p_pptr->p_pid; 124 PROC_UNLOCK(p); 125 mtx_unlock(&Giant); 126 return (0); 127} 128 129/* 130 * Get process group ID; note that POSIX getpgrp takes no parameter 131 * 132 * MP SAFE 133 */ 134#ifndef _SYS_SYSPROTO_H_ 135struct getpgrp_args { 136 int dummy; 137}; 138#endif 139/* 140 * MPSAFE 141 */ 142int 143getpgrp(td, uap) 144 struct thread *td; 145 struct getpgrp_args *uap; 146{ 147 struct proc *p = td->td_proc; 148 149 mtx_lock(&Giant); 150 td->td_retval[0] = p->p_pgrp->pg_id; 151 mtx_unlock(&Giant); 152 return (0); 153} 154 155/* Get an arbitary pid's process group id */ 156#ifndef _SYS_SYSPROTO_H_ 157struct getpgid_args { 158 pid_t pid; 159}; 160#endif 161 162/* 163 * MPSAFE 164 */ 165int 166getpgid(td, uap) 167 struct thread *td; 168 struct getpgid_args *uap; 169{ 170 struct proc *p = td->td_proc; 171 struct proc *pt; 172 int error = 0; 173 174 mtx_lock(&Giant); 175 if (uap->pid == 0) 176 td->td_retval[0] = p->p_pgrp->pg_id; 177 else { 178 if ((pt = pfind(uap->pid)) == NULL) { 179 error = ESRCH; 180 goto done2; 181 } 182 if ((error = p_cansee(p, pt))) { 183 PROC_UNLOCK(pt); 184 goto done2; 185 } 186 td->td_retval[0] = pt->p_pgrp->pg_id; 187 PROC_UNLOCK(pt); 188 } 189done2: 190 mtx_unlock(&Giant); 191 return (error); 192} 193 194/* 195 * Get an arbitary pid's session id. 196 */ 197#ifndef _SYS_SYSPROTO_H_ 198struct getsid_args { 199 pid_t pid; 200}; 201#endif 202 203/* 204 * MPSAFE 205 */ 206int 207getsid(td, uap) 208 struct thread *td; 209 struct getsid_args *uap; 210{ 211 struct proc *p = td->td_proc; 212 struct proc *pt; 213 int error = 0; 214 215 mtx_lock(&Giant); 216 if (uap->pid == 0) { 217 td->td_retval[0] = p->p_session->s_sid; 218 } else { 219 if ((pt = pfind(uap->pid)) == NULL) { 220 error = ESRCH; 221 goto done2; 222 } 223 if ((error = p_cansee(p, pt))) { 224 PROC_UNLOCK(pt); 225 goto done2; 226 } 227 td->td_retval[0] = pt->p_session->s_sid; 228 PROC_UNLOCK(pt); 229 } 230done2: 231 mtx_unlock(&Giant); 232 return (error); 233} 234 235 236/* 237 * getuid() - MP SAFE 238 */ 239#ifndef _SYS_SYSPROTO_H_ 240struct getuid_args { 241 int dummy; 242}; 243#endif 244 245/* 246 * MPSAFE 247 */ 248/* ARGSUSED */ 249int 250getuid(td, uap) 251 struct thread *td; 252 struct getuid_args *uap; 253{ 254 struct proc *p = td->td_proc; 255 256 mtx_lock(&Giant); 257 td->td_retval[0] = p->p_ucred->cr_ruid; 258#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 259 td->td_retval[1] = p->p_ucred->cr_uid; 260#endif 261 mtx_unlock(&Giant); 262 return (0); 263} 264 265/* 266 * geteuid() - MP SAFE 267 */ 268#ifndef _SYS_SYSPROTO_H_ 269struct geteuid_args { 270 int dummy; 271}; 272#endif 273 274/* ARGSUSED */ 275int 276geteuid(td, uap) 277 struct thread *td; 278 struct geteuid_args *uap; 279{ 280 mtx_lock(&Giant); 281 td->td_retval[0] = td->td_proc->p_ucred->cr_uid; 282 mtx_unlock(&Giant); 283 return (0); 284} 285 286/* 287 * getgid() - MP SAFE 288 */ 289#ifndef _SYS_SYSPROTO_H_ 290struct getgid_args { 291 int dummy; 292}; 293#endif 294 295/* 296 * MPSAFE 297 */ 298/* ARGSUSED */ 299int 300getgid(td, uap) 301 struct thread *td; 302 struct getgid_args *uap; 303{ 304 struct proc *p = td->td_proc; 305 306 mtx_lock(&Giant); 307 td->td_retval[0] = p->p_ucred->cr_rgid; 308#if defined(COMPAT_43) || defined(COMPAT_SUNOS) 309 td->td_retval[1] = p->p_ucred->cr_groups[0]; 310#endif 311 mtx_unlock(&Giant); 312 return (0); 313} 314 315/* 316 * Get effective group ID. The "egid" is groups[0], and could be obtained 317 * via getgroups. This syscall exists because it is somewhat painful to do 318 * correctly in a library function. 319 */ 320#ifndef _SYS_SYSPROTO_H_ 321struct getegid_args { 322 int dummy; 323}; 324#endif 325 326/* 327 * MPSAFE 328 */ 329/* ARGSUSED */ 330int 331getegid(td, uap) 332 struct thread *td; 333 struct getegid_args *uap; 334{ 335 struct proc *p = td->td_proc; 336 337 mtx_lock(&Giant); 338 td->td_retval[0] = p->p_ucred->cr_groups[0]; 339 mtx_unlock(&Giant); 340 return (0); 341} 342 343#ifndef _SYS_SYSPROTO_H_ 344struct getgroups_args { 345 u_int gidsetsize; 346 gid_t *gidset; 347}; 348#endif 349/* 350 * MPSAFE 351 */ 352int 353getgroups(td, uap) 354 struct thread *td; 355 register struct getgroups_args *uap; 356{ 357 struct ucred *cred; 358 struct proc *p = td->td_proc; 359 u_int ngrp; 360 int error = 0; 361 362 mtx_lock(&Giant); 363 cred = p->p_ucred; 364 if ((ngrp = uap->gidsetsize) == 0) { 365 td->td_retval[0] = cred->cr_ngroups; 366 error = 0; 367 goto done2; 368 } 369 if (ngrp < cred->cr_ngroups) { 370 error = EINVAL; 371 goto done2; 372 } 373 ngrp = cred->cr_ngroups; 374 if ((error = copyout((caddr_t)cred->cr_groups, 375 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)))) { 376 goto done2; 377 } 378 td->td_retval[0] = ngrp; 379done2: 380 mtx_unlock(&Giant); 381 return (error); 382} 383 384#ifndef _SYS_SYSPROTO_H_ 385struct setsid_args { 386 int dummy; 387}; 388#endif 389 390/* 391 * MPSAFE 392 */ 393/* ARGSUSED */ 394int 395setsid(td, uap) 396 register struct thread *td; 397 struct setsid_args *uap; 398{ 399 int error; 400 struct proc *p = td->td_proc; 401 402 mtx_lock(&Giant); 403 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) { 404 error = EPERM; 405 } else { 406 (void)enterpgrp(p, p->p_pid, 1); 407 td->td_retval[0] = p->p_pid; 408 error = 0; 409 } 410 mtx_unlock(&Giant); 411 return (error); 412} 413 414/* 415 * set process group (setpgid/old setpgrp) 416 * 417 * caller does setpgid(targpid, targpgid) 418 * 419 * pid must be caller or child of caller (ESRCH) 420 * if a child 421 * pid must be in same session (EPERM) 422 * pid can't have done an exec (EACCES) 423 * if pgid != pid 424 * there must exist some pid in same session having pgid (EPERM) 425 * pid must not be session leader (EPERM) 426 */ 427#ifndef _SYS_SYSPROTO_H_ 428struct setpgid_args { 429 int pid; /* target process id */ 430 int pgid; /* target pgrp id */ 431}; 432#endif 433/* 434 * MPSAFE 435 */ 436/* ARGSUSED */ 437int 438setpgid(td, uap) 439 struct thread *td; 440 register struct setpgid_args *uap; 441{ 442 struct proc *curp = td->td_proc; 443 register struct proc *targp; /* target process */ 444 register struct pgrp *pgrp; /* target pgrp */ 445 int error; 446 447 if (uap->pgid < 0) 448 return (EINVAL); 449 450 mtx_lock(&Giant); 451 452 if (uap->pid != 0 && uap->pid != curp->p_pid) { 453 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 454 if (targp) 455 PROC_UNLOCK(targp); 456 error = ESRCH; 457 goto done2; 458 } 459 if ((error = p_cansee(curproc, targp))) { 460 PROC_UNLOCK(targp); 461 goto done2; 462 } 463 if (targp->p_pgrp == NULL || 464 targp->p_session != curp->p_session) { 465 PROC_UNLOCK(targp); 466 error = EPERM; 467 goto done2; 468 } 469 if (targp->p_flag & P_EXEC) { 470 PROC_UNLOCK(targp); 471 error = EACCES; 472 goto done2; 473 } 474 } else { 475 targp = curp; 476 PROC_LOCK(curp); /* XXX: not needed */ 477 } 478 if (SESS_LEADER(targp)) { 479 PROC_UNLOCK(targp); 480 error = EPERM; 481 goto done2; 482 } 483 if (uap->pgid == 0) { 484 uap->pgid = targp->p_pid; 485 } else if (uap->pgid != targp->p_pid) { 486 if ((pgrp = pgfind(uap->pgid)) == 0 || 487 pgrp->pg_session != curp->p_session) { 488 PROC_UNLOCK(targp); 489 error = EPERM; 490 goto done2; 491 } 492 } 493 /* XXX: We should probably hold the lock across enterpgrp. */ 494 PROC_UNLOCK(targp); 495 error = enterpgrp(targp, uap->pgid, 0); 496done2: 497 mtx_unlock(&Giant); 498 return (error); 499} 500 501/* 502 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 503 * compatible. It says that setting the uid/gid to euid/egid is a special 504 * case of "appropriate privilege". Once the rules are expanded out, this 505 * basically means that setuid(nnn) sets all three id's, in all permitted 506 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 507 * does not set the saved id - this is dangerous for traditional BSD 508 * programs. For this reason, we *really* do not want to set 509 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 510 */ 511#define POSIX_APPENDIX_B_4_2_2 512 513#ifndef _SYS_SYSPROTO_H_ 514struct setuid_args { 515 uid_t uid; 516}; 517#endif 518/* 519 * MPSAFE 520 */ 521/* ARGSUSED */ 522int 523setuid(td, uap) 524 struct thread *td; 525 struct setuid_args *uap; 526{ 527 struct proc *p = td->td_proc; 528 struct ucred *newcred, *oldcred; 529 uid_t uid; 530 int error = 0; 531 532 uid = uap->uid; 533 oldcred = p->p_ucred; 534 mtx_lock(&Giant); 535 536 /* 537 * See if we have "permission" by POSIX 1003.1 rules. 538 * 539 * Note that setuid(geteuid()) is a special case of 540 * "appropriate privileges" in appendix B.4.2.2. We need 541 * to use this clause to be compatible with traditional BSD 542 * semantics. Basically, it means that "setuid(xx)" sets all 543 * three id's (assuming you have privs). 544 * 545 * Notes on the logic. We do things in three steps. 546 * 1: We determine if the euid is going to change, and do EPERM 547 * right away. We unconditionally change the euid later if this 548 * test is satisfied, simplifying that part of the logic. 549 * 2: We determine if the real and/or saved uid's are going to 550 * change. Determined by compile options. 551 * 3: Change euid last. (after tests in #2 for "appropriate privs") 552 */ 553 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ 554#ifdef _POSIX_SAVED_IDS 555 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ 556#endif 557#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 558 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ 559#endif 560 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 561 goto done2; 562 563 newcred = crdup(oldcred); 564#ifdef _POSIX_SAVED_IDS 565 /* 566 * Do we have "appropriate privileges" (are we root or uid == euid) 567 * If so, we are changing the real uid and/or saved uid. 568 */ 569 if ( 570#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 571 uid == oldcred->cr_uid || 572#endif 573 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 574#endif 575 { 576 /* 577 * Set the real uid and transfer proc count to new user. 578 */ 579 if (uid != oldcred->cr_ruid) { 580 change_ruid(newcred, uid); 581 setsugid(p); 582 } 583 /* 584 * Set saved uid 585 * 586 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 587 * the security of seteuid() depends on it. B.4.2.2 says it 588 * is important that we should do this. 589 */ 590 if (uid != oldcred->cr_svuid) { 591 change_svuid(newcred, uid); 592 setsugid(p); 593 } 594 } 595 596 /* 597 * In all permitted cases, we are changing the euid. 598 * Copy credentials so other references do not see our changes. 599 */ 600 if (uid != oldcred->cr_uid) { 601 change_euid(newcred, uid); 602 setsugid(p); 603 } 604 p->p_ucred = newcred; 605 crfree(oldcred); 606done2: 607 mtx_unlock(&Giant); 608 return (error); 609} 610 611#ifndef _SYS_SYSPROTO_H_ 612struct seteuid_args { 613 uid_t euid; 614}; 615#endif 616/* 617 * MPSAFE 618 */ 619/* ARGSUSED */ 620int 621seteuid(td, uap) 622 struct thread *td; 623 struct seteuid_args *uap; 624{ 625 struct proc *p = td->td_proc; 626 struct ucred *newcred, *oldcred; 627 uid_t euid; 628 int error = 0; 629 630 euid = uap->euid; 631 632 mtx_lock(&Giant); 633 oldcred = p->p_ucred; 634 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ 635 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ 636 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 637 goto done2; 638 } 639 /* 640 * Everything's okay, do it. Copy credentials so other references do 641 * not see our changes. 642 */ 643 newcred = crdup(oldcred); 644 if (oldcred->cr_uid != euid) { 645 change_euid(newcred, euid); 646 setsugid(p); 647 } 648 p->p_ucred = newcred; 649 crfree(oldcred); 650done2: 651 mtx_unlock(&Giant); 652 return (error); 653} 654 655#ifndef _SYS_SYSPROTO_H_ 656struct setgid_args { 657 gid_t gid; 658}; 659#endif 660/* 661 * MPSAFE 662 */ 663/* ARGSUSED */ 664int 665setgid(td, uap) 666 struct thread *td; 667 struct setgid_args *uap; 668{ 669 struct proc *p = td->td_proc; 670 struct ucred *newcred, *oldcred; 671 gid_t gid; 672 int error = 0; 673 674 gid = uap->gid; 675 676 mtx_lock(&Giant); 677 oldcred = p->p_ucred; 678 /* 679 * See if we have "permission" by POSIX 1003.1 rules. 680 * 681 * Note that setgid(getegid()) is a special case of 682 * "appropriate privileges" in appendix B.4.2.2. We need 683 * to use this clause to be compatible with traditional BSD 684 * semantics. Basically, it means that "setgid(xx)" sets all 685 * three id's (assuming you have privs). 686 * 687 * For notes on the logic here, see setuid() above. 688 */ 689 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ 690#ifdef _POSIX_SAVED_IDS 691 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ 692#endif 693#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 694 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ 695#endif 696 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 697 goto done2; 698 } 699 700 newcred = crdup(oldcred); 701#ifdef _POSIX_SAVED_IDS 702 /* 703 * Do we have "appropriate privileges" (are we root or gid == egid) 704 * If so, we are changing the real uid and saved gid. 705 */ 706 if ( 707#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 708 gid == oldcred->cr_groups[0] || 709#endif 710 suser_xxx(oldcred, NULL, PRISON_ROOT) == 0) /* we are using privs */ 711#endif 712 { 713 /* 714 * Set real gid 715 */ 716 if (oldcred->cr_rgid != gid) { 717 change_rgid(newcred, gid); 718 setsugid(p); 719 } 720 /* 721 * Set saved gid 722 * 723 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 724 * the security of setegid() depends on it. B.4.2.2 says it 725 * is important that we should do this. 726 */ 727 if (oldcred->cr_svgid != gid) { 728 change_svgid(newcred, gid); 729 setsugid(p); 730 } 731 } 732 /* 733 * In all cases permitted cases, we are changing the egid. 734 * Copy credentials so other references do not see our changes. 735 */ 736 if (oldcred->cr_groups[0] != gid) { 737 change_egid(newcred, gid); 738 setsugid(p); 739 } 740 p->p_ucred = newcred; 741 crfree(oldcred); 742done2: 743 mtx_unlock(&Giant); 744 return (error); 745} 746 747#ifndef _SYS_SYSPROTO_H_ 748struct setegid_args { 749 gid_t egid; 750}; 751#endif 752/* 753 * MPSAFE 754 */ 755/* ARGSUSED */ 756int 757setegid(td, uap) 758 struct thread *td; 759 struct setegid_args *uap; 760{ 761 struct proc *p = td->td_proc; 762 struct ucred *newcred, *oldcred; 763 gid_t egid; 764 int error = 0; 765 766 egid = uap->egid; 767 768 mtx_lock(&Giant); 769 oldcred = p->p_ucred; 770 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ 771 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ 772 (error = suser_xxx(oldcred, NULL, PRISON_ROOT))) { 773 goto done2; 774 } 775 newcred = crdup(oldcred); 776 if (oldcred->cr_groups[0] != egid) { 777 change_egid(newcred, egid); 778 setsugid(p); 779 } 780 p->p_ucred = newcred; 781 crfree(oldcred); 782done2: 783 mtx_unlock(&Giant); 784 return (error); 785} 786 787#ifndef _SYS_SYSPROTO_H_ 788struct setgroups_args { 789 u_int gidsetsize; 790 gid_t *gidset; 791}; 792#endif 793/* 794 * MPSAFE 795 */ 796/* ARGSUSED */ 797int 798setgroups(td, uap) 799 struct thread *td; 800 struct setgroups_args *uap; 801{ 802 struct proc *p = td->td_proc; 803 struct ucred *newcred, *oldcred; 804 u_int ngrp; 805 int error; 806 807 mtx_lock(&Giant); 808 809 ngrp = uap->gidsetsize; 810 oldcred = p->p_ucred; 811 if ((error = suser_xxx(oldcred, NULL, PRISON_ROOT))) 812 goto done2; 813 if (ngrp > NGROUPS) { 814 error = EINVAL; 815 goto done2; 816 } 817 /* 818 * XXX A little bit lazy here. We could test if anything has 819 * changed before crcopy() and setting P_SUGID. 820 */ 821 newcred = crdup(oldcred); 822 if (ngrp < 1) { 823 /* 824 * setgroups(0, NULL) is a legitimate way of clearing the 825 * groups vector on non-BSD systems (which generally do not 826 * have the egid in the groups[0]). We risk security holes 827 * when running non-BSD software if we do not do the same. 828 */ 829 newcred->cr_ngroups = 1; 830 } else { 831 if ((error = copyin((caddr_t)uap->gidset, 832 (caddr_t)newcred->cr_groups, ngrp * sizeof(gid_t)))) { 833 crfree(newcred); 834 goto done2; 835 } 836 newcred->cr_ngroups = ngrp; 837 } 838 setsugid(p); 839 p->p_ucred = newcred; 840 crfree(oldcred); 841done2: 842 mtx_unlock(&Giant); 843 return (error); 844} 845 846#ifndef _SYS_SYSPROTO_H_ 847struct setreuid_args { 848 uid_t ruid; 849 uid_t euid; 850}; 851#endif 852/* 853 * MPSAFE 854 */ 855/* ARGSUSED */ 856int 857setreuid(td, uap) 858 register struct thread *td; 859 struct setreuid_args *uap; 860{ 861 struct proc *p = td->td_proc; 862 struct ucred *newcred, *oldcred; 863 uid_t ruid, euid; 864 int error = 0; 865 866 ruid = uap->ruid; 867 euid = uap->euid; 868 869 mtx_lock(&Giant); 870 871 oldcred = p->p_ucred; 872 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 873 ruid != oldcred->cr_svuid) || 874 (euid != (uid_t)-1 && euid != oldcred->cr_uid && 875 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && 876 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 877 goto done2; 878 } 879 newcred = crdup(oldcred); 880 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 881 change_euid(newcred, euid); 882 setsugid(p); 883 } 884 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 885 change_ruid(newcred, ruid); 886 setsugid(p); 887 } 888 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && 889 newcred->cr_svuid != newcred->cr_uid) { 890 change_svuid(newcred, newcred->cr_uid); 891 setsugid(p); 892 } 893 p->p_ucred = newcred; 894 crfree(oldcred); 895done2: 896 mtx_unlock(&Giant); 897 return (error); 898} 899 900#ifndef _SYS_SYSPROTO_H_ 901struct setregid_args { 902 gid_t rgid; 903 gid_t egid; 904}; 905#endif 906/* 907 * MPSAFE 908 */ 909/* ARGSUSED */ 910int 911setregid(td, uap) 912 register struct thread *td; 913 struct setregid_args *uap; 914{ 915 struct proc *p = td->td_proc; 916 struct ucred *newcred, *oldcred; 917 gid_t rgid, egid; 918 int error = 0; 919 920 rgid = uap->rgid; 921 egid = uap->egid; 922 923 mtx_lock(&Giant); 924 925 oldcred = p->p_ucred; 926 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 927 rgid != oldcred->cr_svgid) || 928 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && 929 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && 930 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 931 goto done2; 932 } 933 934 newcred = crdup(oldcred); 935 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 936 change_egid(newcred, egid); 937 setsugid(p); 938 } 939 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 940 change_rgid(newcred, rgid); 941 setsugid(p); 942 } 943 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && 944 newcred->cr_svgid != newcred->cr_groups[0]) { 945 change_svgid(newcred, newcred->cr_groups[0]); 946 setsugid(p); 947 } 948 p->p_ucred = newcred; 949 crfree(oldcred); 950done2: 951 mtx_unlock(&Giant); 952 return (error); 953} 954 955/* 956 * setresuid(ruid, euid, suid) is like setreuid except control over the 957 * saved uid is explicit. 958 */ 959 960#ifndef _SYS_SYSPROTO_H_ 961struct setresuid_args { 962 uid_t ruid; 963 uid_t euid; 964 uid_t suid; 965}; 966#endif 967/* 968 * MPSAFE 969 */ 970/* ARGSUSED */ 971int 972setresuid(td, uap) 973 register struct thread *td; 974 struct setresuid_args *uap; 975{ 976 struct proc *p = td->td_proc; 977 struct ucred *newcred, *oldcred; 978 uid_t ruid, euid, suid; 979 int error; 980 981 ruid = uap->ruid; 982 euid = uap->euid; 983 suid = uap->suid; 984 985 mtx_lock(&Giant); 986 oldcred = p->p_ucred; 987 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && 988 ruid != oldcred->cr_svuid && 989 ruid != oldcred->cr_uid) || 990 (euid != (uid_t)-1 && euid != oldcred->cr_ruid && 991 euid != oldcred->cr_svuid && 992 euid != oldcred->cr_uid) || 993 (suid != (uid_t)-1 && suid != oldcred->cr_ruid && 994 suid != oldcred->cr_svuid && 995 suid != oldcred->cr_uid)) && 996 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 997 goto done2; 998 } 999 1000 newcred = crdup(oldcred); 1001 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 1002 change_euid(newcred, euid); 1003 setsugid(p); 1004 } 1005 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { 1006 change_ruid(newcred, ruid); 1007 setsugid(p); 1008 } 1009 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { 1010 change_svuid(newcred, suid); 1011 setsugid(p); 1012 } 1013 p->p_ucred = newcred; 1014 crfree(oldcred); 1015 error = 0; 1016done2: 1017 mtx_unlock(&Giant); 1018 return (error); 1019} 1020 1021/* 1022 * setresgid(rgid, egid, sgid) is like setregid except control over the 1023 * saved gid is explicit. 1024 */ 1025 1026#ifndef _SYS_SYSPROTO_H_ 1027struct setresgid_args { 1028 gid_t rgid; 1029 gid_t egid; 1030 gid_t sgid; 1031}; 1032#endif 1033/* 1034 * MPSAFE 1035 */ 1036/* ARGSUSED */ 1037int 1038setresgid(td, uap) 1039 register struct thread *td; 1040 struct setresgid_args *uap; 1041{ 1042 struct proc *p = td->td_proc; 1043 struct ucred *newcred, *oldcred; 1044 gid_t rgid, egid, sgid; 1045 int error; 1046 1047 rgid = uap->rgid; 1048 egid = uap->egid; 1049 sgid = uap->sgid; 1050 1051 mtx_lock(&Giant); 1052 oldcred = p->p_ucred; 1053 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && 1054 rgid != oldcred->cr_svgid && 1055 rgid != oldcred->cr_groups[0]) || 1056 (egid != (gid_t)-1 && egid != oldcred->cr_rgid && 1057 egid != oldcred->cr_svgid && 1058 egid != oldcred->cr_groups[0]) || 1059 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && 1060 sgid != oldcred->cr_svgid && 1061 sgid != oldcred->cr_groups[0])) && 1062 (error = suser_xxx(oldcred, NULL, PRISON_ROOT)) != 0) { 1063 goto done2; 1064 } 1065 newcred = crdup(oldcred); 1066 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { 1067 change_egid(newcred, egid); 1068 setsugid(p); 1069 } 1070 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { 1071 change_rgid(newcred, rgid); 1072 setsugid(p); 1073 } 1074 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { 1075 change_svgid(newcred, sgid); 1076 setsugid(p); 1077 } 1078 p->p_ucred = newcred; 1079 crfree(oldcred); 1080 error = 0; 1081done2: 1082 mtx_unlock(&Giant); 1083 return (error); 1084} 1085 1086#ifndef _SYS_SYSPROTO_H_ 1087struct getresuid_args { 1088 uid_t *ruid; 1089 uid_t *euid; 1090 uid_t *suid; 1091}; 1092#endif 1093/* 1094 * MPSAFE 1095 */ 1096/* ARGSUSED */ 1097int 1098getresuid(td, uap) 1099 register struct thread *td; 1100 struct getresuid_args *uap; 1101{ 1102 struct ucred *cred; 1103 struct proc *p = td->td_proc; 1104 int error1 = 0, error2 = 0, error3 = 0; 1105 1106 mtx_lock(&Giant); 1107 cred = p->p_ucred; 1108 1109 if (uap->ruid) 1110 error1 = copyout((caddr_t)&cred->cr_ruid, 1111 (caddr_t)uap->ruid, sizeof(cred->cr_ruid)); 1112 if (uap->euid) 1113 error2 = copyout((caddr_t)&cred->cr_uid, 1114 (caddr_t)uap->euid, sizeof(cred->cr_uid)); 1115 if (uap->suid) 1116 error3 = copyout((caddr_t)&cred->cr_svuid, 1117 (caddr_t)uap->suid, sizeof(cred->cr_svuid)); 1118 mtx_unlock(&Giant); 1119 return error1 ? error1 : (error2 ? error2 : error3); 1120} 1121 1122#ifndef _SYS_SYSPROTO_H_ 1123struct getresgid_args { 1124 gid_t *rgid; 1125 gid_t *egid; 1126 gid_t *sgid; 1127}; 1128#endif 1129/* 1130 * MPSAFE 1131 */ 1132/* ARGSUSED */ 1133int 1134getresgid(td, uap) 1135 register struct thread *td; 1136 struct getresgid_args *uap; 1137{ 1138 struct ucred *cred; 1139 struct proc *p = td->td_proc; 1140 int error1 = 0, error2 = 0, error3 = 0; 1141 1142 mtx_lock(&Giant); 1143 cred = p->p_ucred; 1144 1145 if (uap->rgid) 1146 error1 = copyout((caddr_t)&cred->cr_rgid, 1147 (caddr_t)uap->rgid, sizeof(cred->cr_rgid)); 1148 if (uap->egid) 1149 error2 = copyout((caddr_t)&cred->cr_groups[0], 1150 (caddr_t)uap->egid, sizeof(cred->cr_groups[0])); 1151 if (uap->sgid) 1152 error3 = copyout((caddr_t)&cred->cr_svgid, 1153 (caddr_t)uap->sgid, sizeof(cred->cr_svgid)); 1154 mtx_unlock(&Giant); 1155 return error1 ? error1 : (error2 ? error2 : error3); 1156} 1157 1158 1159#ifndef _SYS_SYSPROTO_H_ 1160struct issetugid_args { 1161 int dummy; 1162}; 1163#endif 1164/* ARGSUSED */ 1165int 1166issetugid(td, uap) 1167 register struct thread *td; 1168 struct issetugid_args *uap; 1169{ 1170 struct proc *p = td->td_proc; 1171 1172 /* 1173 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 1174 * we use P_SUGID because we consider changing the owners as 1175 * "tainting" as well. 1176 * This is significant for procs that start as root and "become" 1177 * a user without an exec - programs cannot know *everything* 1178 * that libc *might* have put in their data segment. 1179 */ 1180 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; 1181 return (0); 1182} 1183 1184/* 1185 * MPSAFE 1186 */ 1187int 1188__setugid(td, uap) 1189 struct thread *td; 1190 struct __setugid_args *uap; 1191{ 1192#ifdef REGRESSION 1193 int error = 0; 1194 1195 mtx_lock(&Giant); 1196 switch (uap->flag) { 1197 case 0: 1198 td->td_proc->p_flag &= ~P_SUGID; 1199 break; 1200 case 1: 1201 td->td_proc->p_flag |= P_SUGID; 1202 break; 1203 default: 1204 error = EINVAL; 1205 break; 1206 } 1207 mtx_unlock(&Giant); 1208 return (error); 1209#else /* !REGRESSION */ 1210 return (ENOSYS); 1211#endif /* !REGRESSION */ 1212} 1213 1214/* 1215 * Check if gid is a member of the group set. 1216 */ 1217int 1218groupmember(gid, cred) 1219 gid_t gid; 1220 struct ucred *cred; 1221{ 1222 register gid_t *gp; 1223 gid_t *egp; 1224 1225 egp = &(cred->cr_groups[cred->cr_ngroups]); 1226 for (gp = cred->cr_groups; gp < egp; gp++) 1227 if (*gp == gid) 1228 return (1); 1229 return (0); 1230} 1231 1232/* 1233 * `suser_enabled' (which can be set by the kern.security.suser_enabled 1234 * sysctl) determines whether the system 'super-user' policy is in effect. 1235 * If it is nonzero, an effective uid of 0 connotes special privilege, 1236 * overriding many mandatory and discretionary protections. If it is zero, 1237 * uid 0 is offered no special privilege in the kernel security policy. 1238 * Setting it to zero may seriously impact the functionality of many 1239 * existing userland programs, and should not be done without careful 1240 * consideration of the consequences. 1241 */ 1242int suser_enabled = 1; 1243SYSCTL_INT(_kern_security, OID_AUTO, suser_enabled, CTLFLAG_RW, 1244 &suser_enabled, 0, "processes with uid 0 have privilege"); 1245 1246/* 1247 * Test whether the specified credentials imply "super-user" privilege. 1248 * Return 0 or EPERM. 1249 */ 1250int 1251suser(p) 1252 struct proc *p; 1253{ 1254 return suser_xxx(0, p, 0); 1255} 1256 1257/* 1258 * version for when the thread pointer is available and not the proc. 1259 * (saves having to include proc.h into every file that needs to do the change.) 1260 */ 1261int 1262suser_td(td) 1263 1264 struct thread *td; 1265{ 1266 return suser_xxx(0, td->td_proc, 0); 1267} 1268 1269/* 1270 * wrapper to use if you have the thread on hand but not the proc. 1271 */ 1272int 1273suser_xxx_td(cred, td, flag) 1274 struct ucred *cred; 1275 struct thread *td; 1276 int flag; 1277{ 1278 return(suser_xxx(cred, td->td_proc, flag)); 1279} 1280 1281int 1282suser_xxx(cred, proc, flag) 1283 struct ucred *cred; 1284 struct proc *proc; 1285 int flag; 1286{ 1287 if (!suser_enabled) 1288 return (EPERM); 1289 if (!cred && !proc) { 1290 printf("suser_xxx(): THINK!\n"); 1291 return (EPERM); 1292 } 1293 if (!cred) 1294 cred = proc->p_ucred; 1295 if (cred->cr_uid != 0) 1296 return (EPERM); 1297 if (jailed(cred) && !(flag & PRISON_ROOT)) 1298 return (EPERM); 1299 return (0); 1300} 1301 1302 1303/* 1304 * Test (local, globale) securelevel values against passed required 1305 * securelevel. _gt implements (level > securelevel), and _ge implements 1306 * (level >= securelevel). Returns 0 oer EPERM. 1307 * 1308 * cr is permitted to be NULL for the time being, as there were some 1309 * existing securelevel checks that occurred without a process/credential 1310 * context. In the future this will be disallowed, so a kernel 1311 * message is displayed. 1312 */ 1313int 1314securelevel_gt(struct ucred *cr, int level) 1315{ 1316 1317 if (cr == NULL) { 1318 printf("securelevel_gt: cr is NULL\n"); 1319 if (level > securelevel) 1320 return (0); 1321 else 1322 return (EPERM); 1323 } else if (cr->cr_prison == NULL) { 1324 if (level > securelevel) 1325 return (0); 1326 else 1327 return (EPERM); 1328 } else { 1329 if (level > imax(cr->cr_prison->pr_securelevel, securelevel)) 1330 return (0); 1331 else 1332 return (EPERM); 1333 } 1334 1335} 1336 1337int 1338securelevel_ge(struct ucred *cr, int level) 1339{ 1340 1341 if (cr == NULL) { 1342 printf("securelevel_ge: cr is NULL\n"); 1343 if (level >= securelevel) 1344 return (0); 1345 else 1346 return (EPERM); 1347 } if (cr->cr_prison == NULL) { 1348 if (level >= securelevel) 1349 return (0); 1350 else 1351 return (EPERM); 1352 } else { 1353 if (level >= imax(cr->cr_prison->pr_securelevel, securelevel)) 1354 return (0); 1355 else 1356 return (EPERM); 1357 } 1358} 1359 1360/*- 1361 * Determine if u1 "can see" the subject specified by u2. 1362 * Returns: 0 for permitted, an errno value otherwise 1363 * Locks: none 1364 * References: u1 and u2 must be immutable credentials 1365 * u1 and u2 must be valid for the lifetime of the call 1366 * u1 may equal u2, in which case only one reference is required 1367 */ 1368int 1369cr_cansee(struct ucred *u1, struct ucred *u2) 1370{ 1371 int error; 1372 1373 if ((error = prison_check(u1, u2))) 1374 return (error); 1375 if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) { 1376 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) 1377 return (ESRCH); 1378 } 1379 return (0); 1380} 1381 1382/*- 1383 * Determine if p1 "can see" the subject specified by p2. 1384 * Returns: 0 for permitted, an errno value otherwise 1385 * Locks: Sufficient locks to protect p1->p_ucred and p2->p_ucred must 1386 * be held. Normally, p1 will be curproc, and a lock must be held 1387 * for p2. 1388 * References: p1 and p2 must be valid for the lifetime of the call 1389 */ 1390int 1391p_cansee(struct proc *p1, struct proc *p2) 1392{ 1393 1394 /* Wrap cr_cansee() for all functionality. */ 1395 return (cr_cansee(p1->p_ucred, p2->p_ucred)); 1396} 1397 1398/*- 1399 * Determine whether p1 may deliver the specified signal to p2. 1400 * Returns: 0 for permitted, an errno value otherwise 1401 * Locks: Sufficient locks to protect various components of p1 and p2 1402 * must be held. Normally, p1 will be curproc, and a lock must 1403 * be held for p2. 1404 * References: p1 and p2 must be valid for the lifetime of the call 1405 */ 1406int 1407p_cansignal(struct proc *p1, struct proc *p2, int signum) 1408{ 1409 int error; 1410 1411 if (p1 == p2) 1412 return (0); 1413 1414 /* 1415 * Jail semantics limit the scope of signalling to p2 in the same 1416 * jail as p1, if p1 is in jail. 1417 */ 1418 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1419 return (error); 1420 1421 /* 1422 * UNIX signalling semantics require that processes in the same 1423 * session always be able to deliver SIGCONT to one another, 1424 * overriding the remaining protections. 1425 */ 1426 if (signum == SIGCONT && p1->p_session == p2->p_session) 1427 return (0); 1428 1429 /* 1430 * UNIX signal semantics depend on the status of the P_SUGID 1431 * bit on the target process. If the bit is set, then additional 1432 * restrictions are placed on the set of available signals. 1433 */ 1434 if (p2->p_flag & P_SUGID) { 1435 switch (signum) { 1436 case 0: 1437 case SIGKILL: 1438 case SIGINT: 1439 case SIGTERM: 1440 case SIGSTOP: 1441 case SIGTTIN: 1442 case SIGTTOU: 1443 case SIGTSTP: 1444 case SIGHUP: 1445 case SIGUSR1: 1446 case SIGUSR2: 1447 /* 1448 * Generally, permit job and terminal control 1449 * signals. 1450 */ 1451 break; 1452 default: 1453 /* Not permitted, privilege is required. */ 1454 error = suser_xxx(NULL, p1, PRISON_ROOT); 1455 if (error) 1456 return (error); 1457 } 1458 } 1459 1460 /* 1461 * Generally, the target credential's ruid or svuid must match the 1462 * subject credential's ruid or euid. 1463 */ 1464 if (p1->p_ucred->cr_ruid != p2->p_ucred->cr_ruid && 1465 p1->p_ucred->cr_ruid != p2->p_ucred->cr_svuid && 1466 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid && 1467 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid) { 1468 /* Not permitted, try privilege. */ 1469 error = suser_xxx(NULL, p1, PRISON_ROOT); 1470 if (error) 1471 return (error); 1472 } 1473 1474 return (0); 1475} 1476 1477/*- 1478 * Determine whether p1 may reschedule p2 1479 * Returns: 0 for permitted, an errno value otherwise 1480 * Locks: Sufficient locks to protect various components of p1 and p2 1481 * must be held. Normally, p1 will be curproc, and a lock must 1482 * be held for p2. 1483 * References: p1 and p2 must be valid for the lifetime of the call 1484 */ 1485int 1486p_cansched(struct proc *p1, struct proc *p2) 1487{ 1488 int error; 1489 1490 if (p1 == p2) 1491 return (0); 1492 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1493 return (error); 1494 if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) 1495 return (0); 1496 if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) 1497 return (0); 1498 if (suser_xxx(0, p1, PRISON_ROOT) == 0) 1499 return (0); 1500 1501#ifdef CAPABILITIES 1502 if (!cap_check_xxx(0, p1, CAP_SYS_NICE, PRISON_ROOT)) 1503 return (0); 1504#endif 1505 1506 return (EPERM); 1507} 1508 1509/* 1510 * The kern_unprivileged_procdebug_permitted flag may be used to disable 1511 * a variety of unprivileged inter-process debugging services, including 1512 * some procfs functionality, ptrace(), and ktrace(). In the past, 1513 * inter-process debugging has been involved in a variety of security 1514 * problems, and sites not requiring the service might choose to disable it 1515 * when hardening systems. 1516 * 1517 * XXX: Should modifying and reading this variable require locking? 1518 */ 1519static int kern_unprivileged_procdebug_permitted = 1; 1520SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted, 1521 CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0, 1522 "Unprivileged processes may use process debugging facilities"); 1523 1524/*- 1525 * Determine whether p1 may debug p2. 1526 * Returns: 0 for permitted, an errno value otherwise 1527 * Locks: Sufficient locks to protect various components of p1 and p2 1528 * must be held. Normally, p1 will be curproc, and a lock must 1529 * be held for p2. 1530 * References: p1 and p2 must be valid for the lifetime of the call 1531 */ 1532int 1533p_candebug(struct proc *p1, struct proc *p2) 1534{ 1535 int error; 1536 1537 if (p1 == p2) 1538 return (0); 1539 1540 if ((error = prison_check(p1->p_ucred, p2->p_ucred))) 1541 return (error); 1542 1543 /* 1544 * Not owned by you, has done setuid (unless you're root). 1545 * XXX add a CAP_SYS_PTRACE here? 1546 */ 1547 if (p1->p_ucred->cr_uid != p2->p_ucred->cr_uid || 1548 p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid || 1549 p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid || 1550 p2->p_flag & P_SUGID || !kern_unprivileged_procdebug_permitted) { 1551 if ((error = suser_xxx(0, p1, PRISON_ROOT)) != 0) 1552 return (error); 1553 } 1554 1555 /* can't trace init when securelevel > 0 */ 1556 if (p2->p_pid == 1) { 1557 error = securelevel_gt(p1->p_ucred, 0); 1558 if (error) 1559 return (error); 1560 } 1561 1562 return (0); 1563} 1564 1565/* 1566 * Allocate a zeroed cred structure. 1567 */ 1568struct ucred * 1569crget() 1570{ 1571 register struct ucred *cr; 1572 1573 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK|M_ZERO); 1574 cr->cr_ref = 1; 1575 mtx_init(&cr->cr_mtx, "ucred", MTX_DEF); 1576 return (cr); 1577} 1578 1579/* 1580 * Claim another reference to a ucred structure. 1581 */ 1582void 1583crhold(cr) 1584 struct ucred *cr; 1585{ 1586 1587 mtx_lock(&cr->cr_mtx); 1588 cr->cr_ref++; 1589 mtx_unlock(&(cr)->cr_mtx); 1590} 1591 1592 1593/* 1594 * Free a cred structure. 1595 * Throws away space when ref count gets to 0. 1596 */ 1597void 1598crfree(cr) 1599 struct ucred *cr; 1600{ 1601 1602 mtx_lock(&cr->cr_mtx); 1603 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); 1604 if (--cr->cr_ref == 0) { 1605 mtx_destroy(&cr->cr_mtx); 1606 /* 1607 * Some callers of crget(), such as nfs_statfs(), 1608 * allocate a temporary credential, but don't 1609 * allocate a uidinfo structure. 1610 */ 1611 if (cr->cr_uidinfo != NULL) 1612 uifree(cr->cr_uidinfo); 1613 if (cr->cr_ruidinfo != NULL) 1614 uifree(cr->cr_ruidinfo); 1615 /* 1616 * Free a prison, if any. 1617 */ 1618 if (jailed(cr)) 1619 prison_free(cr->cr_prison); 1620 FREE((caddr_t)cr, M_CRED); 1621 } else { 1622 mtx_unlock(&cr->cr_mtx); 1623 } 1624} 1625 1626/* 1627 * Copy cred structure to a new one and free the old one. 1628 */ 1629struct ucred * 1630crcopy(cr) 1631 struct ucred *cr; 1632{ 1633 struct ucred *newcr; 1634 1635 mtx_lock(&cr->cr_mtx); 1636 if (cr->cr_ref == 1) { 1637 mtx_unlock(&cr->cr_mtx); 1638 return (cr); 1639 } 1640 mtx_unlock(&cr->cr_mtx); 1641 newcr = crdup(cr); 1642 crfree(cr); 1643 return (newcr); 1644} 1645 1646/* 1647 * Dup cred struct to a new held one. 1648 */ 1649struct ucred * 1650crdup(cr) 1651 struct ucred *cr; 1652{ 1653 struct ucred *newcr; 1654 1655 MALLOC(newcr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK); 1656 *newcr = *cr; 1657 mtx_init(&newcr->cr_mtx, "ucred", MTX_DEF); 1658 uihold(newcr->cr_uidinfo); 1659 uihold(newcr->cr_ruidinfo); 1660 if (jailed(newcr)) 1661 prison_hold(newcr->cr_prison); 1662 newcr->cr_ref = 1; 1663 return (newcr); 1664} 1665 1666/* 1667 * Get login name, if available. 1668 */ 1669#ifndef _SYS_SYSPROTO_H_ 1670struct getlogin_args { 1671 char *namebuf; 1672 u_int namelen; 1673}; 1674#endif 1675/* 1676 * MPSAFE 1677 */ 1678/* ARGSUSED */ 1679int 1680getlogin(td, uap) 1681 struct thread *td; 1682 struct getlogin_args *uap; 1683{ 1684 int error; 1685 struct proc *p = td->td_proc; 1686 1687 mtx_lock(&Giant); 1688 if (uap->namelen > MAXLOGNAME) 1689 uap->namelen = MAXLOGNAME; 1690 error = copyout((caddr_t) p->p_pgrp->pg_session->s_login, 1691 (caddr_t) uap->namebuf, uap->namelen); 1692 mtx_unlock(&Giant); 1693 return(error); 1694} 1695 1696/* 1697 * Set login name. 1698 */ 1699#ifndef _SYS_SYSPROTO_H_ 1700struct setlogin_args { 1701 char *namebuf; 1702}; 1703#endif 1704/* 1705 * MPSAFE 1706 */ 1707/* ARGSUSED */ 1708int 1709setlogin(td, uap) 1710 struct thread *td; 1711 struct setlogin_args *uap; 1712{ 1713 struct proc *p = td->td_proc; 1714 int error; 1715 char logintmp[MAXLOGNAME]; 1716 1717 mtx_lock(&Giant); 1718 if ((error = suser_xxx(0, p, PRISON_ROOT))) 1719 goto done2; 1720 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, 1721 sizeof(logintmp), (size_t *)0); 1722 if (error == ENAMETOOLONG) { 1723 error = EINVAL; 1724 } else if (!error) { 1725 (void) memcpy(p->p_pgrp->pg_session->s_login, logintmp, 1726 sizeof(logintmp)); 1727 } 1728done2: 1729 mtx_unlock(&Giant); 1730 return (error); 1731} 1732 1733void 1734setsugid(p) 1735 struct proc *p; 1736{ 1737 p->p_flag |= P_SUGID; 1738 if (!(p->p_pfsflags & PF_ISUGID)) 1739 p->p_stops = 0; 1740} 1741 1742/*- 1743 * Change a process's effective uid. 1744 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. 1745 * References: newcred must be an exclusive credential reference for the 1746 * duration of the call. 1747 */ 1748void 1749change_euid(newcred, euid) 1750 struct ucred *newcred; 1751 uid_t euid; 1752{ 1753 1754 newcred->cr_uid = euid; 1755 uifree(newcred->cr_uidinfo); 1756 newcred->cr_uidinfo = uifind(euid); 1757} 1758 1759/*- 1760 * Change a process's effective gid. 1761 * Side effects: newcred->cr_gid will be modified. 1762 * References: newcred must be an exclusive credential reference for the 1763 * duration of the call. 1764 */ 1765void 1766change_egid(newcred, egid) 1767 struct ucred *newcred; 1768 gid_t egid; 1769{ 1770 1771 newcred->cr_groups[0] = egid; 1772} 1773 1774/*- 1775 * Change a process's real uid. 1776 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo 1777 * will be updated, and the old and new cr_ruidinfo proc 1778 * counts will be updated. 1779 * References: newcred must be an exclusive credential reference for the 1780 * duration of the call. 1781 */ 1782void 1783change_ruid(newcred, ruid) 1784 struct ucred *newcred; 1785 uid_t ruid; 1786{ 1787 1788 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); 1789 newcred->cr_ruid = ruid; 1790 uifree(newcred->cr_ruidinfo); 1791 newcred->cr_ruidinfo = uifind(ruid); 1792 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); 1793} 1794 1795/*- 1796 * Change a process's real gid. 1797 * Side effects: newcred->cr_rgid will be updated. 1798 * References: newcred must be an exclusive credential reference for the 1799 * duration of the call. 1800 */ 1801void 1802change_rgid(newcred, rgid) 1803 struct ucred *newcred; 1804 gid_t rgid; 1805{ 1806 1807 newcred->cr_rgid = rgid; 1808} 1809 1810/*- 1811 * Change a process's saved uid. 1812 * Side effects: newcred->cr_svuid will be updated. 1813 * References: newcred must be an exclusive credential reference for the 1814 * duration of the call. 1815 */ 1816void 1817change_svuid(newcred, svuid) 1818 struct ucred *newcred; 1819 uid_t svuid; 1820{ 1821 1822 newcred->cr_svuid = svuid; 1823} 1824 1825/*- 1826 * Change a process's saved gid. 1827 * Side effects: newcred->cr_svgid will be updated. 1828 * References: newcred must be an exclusive credential reference for the 1829 * duration of the call. 1830 */ 1831void 1832change_svgid(newcred, svgid) 1833 struct ucred *newcred; 1834 gid_t svgid; 1835{ 1836 1837 newcred->cr_svgid = svgid; 1838} 1839