xref: /freebsd-12.1/sys/kern/kern_prot.c (revision 8542f5df)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
5  *	The Regents of the University of California.
6  * (c) UNIX System Laboratories, Inc.
7  * Copyright (c) 2000-2001 Robert N. M. Watson.
8  * All rights reserved.
9  *
10  * All or some portions of this file are derived from material licensed
11  * to the University of California by American Telephone and Telegraph
12  * Co. or Unix System Laboratories, Inc. and are reproduced herein with
13  * the permission of UNIX System Laboratories, Inc.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  * 3. Neither the name of the University nor the names of its contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  *
39  *	@(#)kern_prot.c	8.6 (Berkeley) 1/21/94
40  */
41 
42 /*
43  * System calls related to processes and protection
44  */
45 
46 #include <sys/cdefs.h>
47 __FBSDID("$FreeBSD$");
48 
49 #include "opt_inet.h"
50 #include "opt_inet6.h"
51 
52 #include <sys/param.h>
53 #include <sys/systm.h>
54 #include <sys/acct.h>
55 #include <sys/kdb.h>
56 #include <sys/kernel.h>
57 #include <sys/lock.h>
58 #include <sys/loginclass.h>
59 #include <sys/malloc.h>
60 #include <sys/mutex.h>
61 #include <sys/refcount.h>
62 #include <sys/sx.h>
63 #include <sys/priv.h>
64 #include <sys/proc.h>
65 #include <sys/sysent.h>
66 #include <sys/sysproto.h>
67 #include <sys/jail.h>
68 #include <sys/pioctl.h>
69 #include <sys/racct.h>
70 #include <sys/rctl.h>
71 #include <sys/resourcevar.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/syscallsubr.h>
75 #include <sys/sysctl.h>
76 
77 #ifdef REGRESSION
78 FEATURE(regression,
79     "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
80 #endif
81 
82 #include <security/audit/audit.h>
83 #include <security/mac/mac_framework.h>
84 
85 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
86 
87 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy");
88 
89 static void crsetgroups_locked(struct ucred *cr, int ngrp,
90     gid_t *groups);
91 
92 #ifndef _SYS_SYSPROTO_H_
93 struct getpid_args {
94 	int	dummy;
95 };
96 #endif
97 /* ARGSUSED */
98 int
sys_getpid(struct thread * td,struct getpid_args * uap)99 sys_getpid(struct thread *td, struct getpid_args *uap)
100 {
101 	struct proc *p = td->td_proc;
102 
103 	td->td_retval[0] = p->p_pid;
104 #if defined(COMPAT_43)
105 	if (SV_PROC_FLAG(p, SV_AOUT))
106 		td->td_retval[1] = kern_getppid(td);
107 #endif
108 	return (0);
109 }
110 
111 #ifndef _SYS_SYSPROTO_H_
112 struct getppid_args {
113         int     dummy;
114 };
115 #endif
116 /* ARGSUSED */
117 int
sys_getppid(struct thread * td,struct getppid_args * uap)118 sys_getppid(struct thread *td, struct getppid_args *uap)
119 {
120 
121 	td->td_retval[0] = kern_getppid(td);
122 	return (0);
123 }
124 
125 int
kern_getppid(struct thread * td)126 kern_getppid(struct thread *td)
127 {
128 	struct proc *p = td->td_proc;
129 
130 	return (p->p_oppid);
131 }
132 
133 /*
134  * Get process group ID; note that POSIX getpgrp takes no parameter.
135  */
136 #ifndef _SYS_SYSPROTO_H_
137 struct getpgrp_args {
138         int     dummy;
139 };
140 #endif
141 int
sys_getpgrp(struct thread * td,struct getpgrp_args * uap)142 sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
143 {
144 	struct proc *p = td->td_proc;
145 
146 	PROC_LOCK(p);
147 	td->td_retval[0] = p->p_pgrp->pg_id;
148 	PROC_UNLOCK(p);
149 	return (0);
150 }
151 
152 /* Get an arbitrary pid's process group id */
153 #ifndef _SYS_SYSPROTO_H_
154 struct getpgid_args {
155 	pid_t	pid;
156 };
157 #endif
158 int
sys_getpgid(struct thread * td,struct getpgid_args * uap)159 sys_getpgid(struct thread *td, struct getpgid_args *uap)
160 {
161 	struct proc *p;
162 	int error;
163 
164 	if (uap->pid == 0) {
165 		p = td->td_proc;
166 		PROC_LOCK(p);
167 	} else {
168 		p = pfind(uap->pid);
169 		if (p == NULL)
170 			return (ESRCH);
171 		error = p_cansee(td, p);
172 		if (error) {
173 			PROC_UNLOCK(p);
174 			return (error);
175 		}
176 	}
177 	td->td_retval[0] = p->p_pgrp->pg_id;
178 	PROC_UNLOCK(p);
179 	return (0);
180 }
181 
182 /*
183  * Get an arbitrary pid's session id.
184  */
185 #ifndef _SYS_SYSPROTO_H_
186 struct getsid_args {
187 	pid_t	pid;
188 };
189 #endif
190 int
sys_getsid(struct thread * td,struct getsid_args * uap)191 sys_getsid(struct thread *td, struct getsid_args *uap)
192 {
193 	struct proc *p;
194 	int error;
195 
196 	if (uap->pid == 0) {
197 		p = td->td_proc;
198 		PROC_LOCK(p);
199 	} else {
200 		p = pfind(uap->pid);
201 		if (p == NULL)
202 			return (ESRCH);
203 		error = p_cansee(td, p);
204 		if (error) {
205 			PROC_UNLOCK(p);
206 			return (error);
207 		}
208 	}
209 	td->td_retval[0] = p->p_session->s_sid;
210 	PROC_UNLOCK(p);
211 	return (0);
212 }
213 
214 #ifndef _SYS_SYSPROTO_H_
215 struct getuid_args {
216         int     dummy;
217 };
218 #endif
219 /* ARGSUSED */
220 int
sys_getuid(struct thread * td,struct getuid_args * uap)221 sys_getuid(struct thread *td, struct getuid_args *uap)
222 {
223 
224 	td->td_retval[0] = td->td_ucred->cr_ruid;
225 #if defined(COMPAT_43)
226 	td->td_retval[1] = td->td_ucred->cr_uid;
227 #endif
228 	return (0);
229 }
230 
231 #ifndef _SYS_SYSPROTO_H_
232 struct geteuid_args {
233         int     dummy;
234 };
235 #endif
236 /* ARGSUSED */
237 int
sys_geteuid(struct thread * td,struct geteuid_args * uap)238 sys_geteuid(struct thread *td, struct geteuid_args *uap)
239 {
240 
241 	td->td_retval[0] = td->td_ucred->cr_uid;
242 	return (0);
243 }
244 
245 #ifndef _SYS_SYSPROTO_H_
246 struct getgid_args {
247         int     dummy;
248 };
249 #endif
250 /* ARGSUSED */
251 int
sys_getgid(struct thread * td,struct getgid_args * uap)252 sys_getgid(struct thread *td, struct getgid_args *uap)
253 {
254 
255 	td->td_retval[0] = td->td_ucred->cr_rgid;
256 #if defined(COMPAT_43)
257 	td->td_retval[1] = td->td_ucred->cr_groups[0];
258 #endif
259 	return (0);
260 }
261 
262 /*
263  * Get effective group ID.  The "egid" is groups[0], and could be obtained
264  * via getgroups.  This syscall exists because it is somewhat painful to do
265  * correctly in a library function.
266  */
267 #ifndef _SYS_SYSPROTO_H_
268 struct getegid_args {
269         int     dummy;
270 };
271 #endif
272 /* ARGSUSED */
273 int
sys_getegid(struct thread * td,struct getegid_args * uap)274 sys_getegid(struct thread *td, struct getegid_args *uap)
275 {
276 
277 	td->td_retval[0] = td->td_ucred->cr_groups[0];
278 	return (0);
279 }
280 
281 #ifndef _SYS_SYSPROTO_H_
282 struct getgroups_args {
283 	u_int	gidsetsize;
284 	gid_t	*gidset;
285 };
286 #endif
287 int
sys_getgroups(struct thread * td,struct getgroups_args * uap)288 sys_getgroups(struct thread *td, struct getgroups_args *uap)
289 {
290 	struct ucred *cred;
291 	u_int ngrp;
292 	int error;
293 
294 	cred = td->td_ucred;
295 	ngrp = cred->cr_ngroups;
296 
297 	if (uap->gidsetsize == 0) {
298 		error = 0;
299 		goto out;
300 	}
301 	if (uap->gidsetsize < ngrp)
302 		return (EINVAL);
303 
304 	error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
305 out:
306 	td->td_retval[0] = ngrp;
307 	return (error);
308 }
309 
310 #ifndef _SYS_SYSPROTO_H_
311 struct setsid_args {
312         int     dummy;
313 };
314 #endif
315 /* ARGSUSED */
316 int
sys_setsid(struct thread * td,struct setsid_args * uap)317 sys_setsid(struct thread *td, struct setsid_args *uap)
318 {
319 	struct pgrp *pgrp;
320 	int error;
321 	struct proc *p = td->td_proc;
322 	struct pgrp *newpgrp;
323 	struct session *newsess;
324 
325 	error = 0;
326 	pgrp = NULL;
327 
328 	newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
329 	newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
330 
331 	sx_xlock(&proctree_lock);
332 
333 	if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
334 		if (pgrp != NULL)
335 			PGRP_UNLOCK(pgrp);
336 		error = EPERM;
337 	} else {
338 		(void)enterpgrp(p, p->p_pid, newpgrp, newsess);
339 		td->td_retval[0] = p->p_pid;
340 		newpgrp = NULL;
341 		newsess = NULL;
342 	}
343 
344 	sx_xunlock(&proctree_lock);
345 
346 	if (newpgrp != NULL)
347 		free(newpgrp, M_PGRP);
348 	if (newsess != NULL)
349 		free(newsess, M_SESSION);
350 
351 	return (error);
352 }
353 
354 /*
355  * set process group (setpgid/old setpgrp)
356  *
357  * caller does setpgid(targpid, targpgid)
358  *
359  * pid must be caller or child of caller (ESRCH)
360  * if a child
361  *	pid must be in same session (EPERM)
362  *	pid can't have done an exec (EACCES)
363  * if pgid != pid
364  * 	there must exist some pid in same session having pgid (EPERM)
365  * pid must not be session leader (EPERM)
366  */
367 #ifndef _SYS_SYSPROTO_H_
368 struct setpgid_args {
369 	int	pid;		/* target process id */
370 	int	pgid;		/* target pgrp id */
371 };
372 #endif
373 /* ARGSUSED */
374 int
sys_setpgid(struct thread * td,struct setpgid_args * uap)375 sys_setpgid(struct thread *td, struct setpgid_args *uap)
376 {
377 	struct proc *curp = td->td_proc;
378 	struct proc *targp;	/* target process */
379 	struct pgrp *pgrp;	/* target pgrp */
380 	int error;
381 	struct pgrp *newpgrp;
382 
383 	if (uap->pgid < 0)
384 		return (EINVAL);
385 
386 	error = 0;
387 
388 	newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
389 
390 	sx_xlock(&proctree_lock);
391 	if (uap->pid != 0 && uap->pid != curp->p_pid) {
392 		if ((targp = pfind(uap->pid)) == NULL) {
393 			error = ESRCH;
394 			goto done;
395 		}
396 		if (!inferior(targp)) {
397 			PROC_UNLOCK(targp);
398 			error = ESRCH;
399 			goto done;
400 		}
401 		if ((error = p_cansee(td, targp))) {
402 			PROC_UNLOCK(targp);
403 			goto done;
404 		}
405 		if (targp->p_pgrp == NULL ||
406 		    targp->p_session != curp->p_session) {
407 			PROC_UNLOCK(targp);
408 			error = EPERM;
409 			goto done;
410 		}
411 		if (targp->p_flag & P_EXEC) {
412 			PROC_UNLOCK(targp);
413 			error = EACCES;
414 			goto done;
415 		}
416 		PROC_UNLOCK(targp);
417 	} else
418 		targp = curp;
419 	if (SESS_LEADER(targp)) {
420 		error = EPERM;
421 		goto done;
422 	}
423 	if (uap->pgid == 0)
424 		uap->pgid = targp->p_pid;
425 	if ((pgrp = pgfind(uap->pgid)) == NULL) {
426 		if (uap->pgid == targp->p_pid) {
427 			error = enterpgrp(targp, uap->pgid, newpgrp,
428 			    NULL);
429 			if (error == 0)
430 				newpgrp = NULL;
431 		} else
432 			error = EPERM;
433 	} else {
434 		if (pgrp == targp->p_pgrp) {
435 			PGRP_UNLOCK(pgrp);
436 			goto done;
437 		}
438 		if (pgrp->pg_id != targp->p_pid &&
439 		    pgrp->pg_session != curp->p_session) {
440 			PGRP_UNLOCK(pgrp);
441 			error = EPERM;
442 			goto done;
443 		}
444 		PGRP_UNLOCK(pgrp);
445 		error = enterthispgrp(targp, pgrp);
446 	}
447 done:
448 	sx_xunlock(&proctree_lock);
449 	KASSERT((error == 0) || (newpgrp != NULL),
450 	    ("setpgid failed and newpgrp is NULL"));
451 	if (newpgrp != NULL)
452 		free(newpgrp, M_PGRP);
453 	return (error);
454 }
455 
456 /*
457  * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
458  * compatible.  It says that setting the uid/gid to euid/egid is a special
459  * case of "appropriate privilege".  Once the rules are expanded out, this
460  * basically means that setuid(nnn) sets all three id's, in all permitted
461  * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
462  * does not set the saved id - this is dangerous for traditional BSD
463  * programs.  For this reason, we *really* do not want to set
464  * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
465  */
466 #define POSIX_APPENDIX_B_4_2_2
467 
468 #ifndef _SYS_SYSPROTO_H_
469 struct setuid_args {
470 	uid_t	uid;
471 };
472 #endif
473 /* ARGSUSED */
474 int
sys_setuid(struct thread * td,struct setuid_args * uap)475 sys_setuid(struct thread *td, struct setuid_args *uap)
476 {
477 	struct proc *p = td->td_proc;
478 	struct ucred *newcred, *oldcred;
479 	uid_t uid;
480 	struct uidinfo *uip;
481 	int error;
482 
483 	uid = uap->uid;
484 	AUDIT_ARG_UID(uid);
485 	newcred = crget();
486 	uip = uifind(uid);
487 	PROC_LOCK(p);
488 	/*
489 	 * Copy credentials so other references do not see our changes.
490 	 */
491 	oldcred = crcopysafe(p, newcred);
492 
493 #ifdef MAC
494 	error = mac_cred_check_setuid(oldcred, uid);
495 	if (error)
496 		goto fail;
497 #endif
498 
499 	/*
500 	 * See if we have "permission" by POSIX 1003.1 rules.
501 	 *
502 	 * Note that setuid(geteuid()) is a special case of
503 	 * "appropriate privileges" in appendix B.4.2.2.  We need
504 	 * to use this clause to be compatible with traditional BSD
505 	 * semantics.  Basically, it means that "setuid(xx)" sets all
506 	 * three id's (assuming you have privs).
507 	 *
508 	 * Notes on the logic.  We do things in three steps.
509 	 * 1: We determine if the euid is going to change, and do EPERM
510 	 *    right away.  We unconditionally change the euid later if this
511 	 *    test is satisfied, simplifying that part of the logic.
512 	 * 2: We determine if the real and/or saved uids are going to
513 	 *    change.  Determined by compile options.
514 	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
515 	 */
516 	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
517 #ifdef _POSIX_SAVED_IDS
518 	    uid != oldcred->cr_svuid &&		/* allow setuid(saved gid) */
519 #endif
520 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
521 	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
522 #endif
523 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0)
524 		goto fail;
525 
526 #ifdef _POSIX_SAVED_IDS
527 	/*
528 	 * Do we have "appropriate privileges" (are we root or uid == euid)
529 	 * If so, we are changing the real uid and/or saved uid.
530 	 */
531 	if (
532 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
533 	    uid == oldcred->cr_uid ||
534 #endif
535 	    /* We are using privs. */
536 	    priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0)
537 #endif
538 	{
539 		/*
540 		 * Set the real uid and transfer proc count to new user.
541 		 */
542 		if (uid != oldcred->cr_ruid) {
543 			change_ruid(newcred, uip);
544 			setsugid(p);
545 		}
546 		/*
547 		 * Set saved uid
548 		 *
549 		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
550 		 * the security of seteuid() depends on it.  B.4.2.2 says it
551 		 * is important that we should do this.
552 		 */
553 		if (uid != oldcred->cr_svuid) {
554 			change_svuid(newcred, uid);
555 			setsugid(p);
556 		}
557 	}
558 
559 	/*
560 	 * In all permitted cases, we are changing the euid.
561 	 */
562 	if (uid != oldcred->cr_uid) {
563 		change_euid(newcred, uip);
564 		setsugid(p);
565 	}
566 	proc_set_cred(p, newcred);
567 #ifdef RACCT
568 	racct_proc_ucred_changed(p, oldcred, newcred);
569 	crhold(newcred);
570 #endif
571 	PROC_UNLOCK(p);
572 #ifdef RCTL
573 	rctl_proc_ucred_changed(p, newcred);
574 	crfree(newcred);
575 #endif
576 	uifree(uip);
577 	crfree(oldcred);
578 	return (0);
579 
580 fail:
581 	PROC_UNLOCK(p);
582 	uifree(uip);
583 	crfree(newcred);
584 	return (error);
585 }
586 
587 #ifndef _SYS_SYSPROTO_H_
588 struct seteuid_args {
589 	uid_t	euid;
590 };
591 #endif
592 /* ARGSUSED */
593 int
sys_seteuid(struct thread * td,struct seteuid_args * uap)594 sys_seteuid(struct thread *td, struct seteuid_args *uap)
595 {
596 	struct proc *p = td->td_proc;
597 	struct ucred *newcred, *oldcred;
598 	uid_t euid;
599 	struct uidinfo *euip;
600 	int error;
601 
602 	euid = uap->euid;
603 	AUDIT_ARG_EUID(euid);
604 	newcred = crget();
605 	euip = uifind(euid);
606 	PROC_LOCK(p);
607 	/*
608 	 * Copy credentials so other references do not see our changes.
609 	 */
610 	oldcred = crcopysafe(p, newcred);
611 
612 #ifdef MAC
613 	error = mac_cred_check_seteuid(oldcred, euid);
614 	if (error)
615 		goto fail;
616 #endif
617 
618 	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
619 	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
620 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0)
621 		goto fail;
622 
623 	/*
624 	 * Everything's okay, do it.
625 	 */
626 	if (oldcred->cr_uid != euid) {
627 		change_euid(newcred, euip);
628 		setsugid(p);
629 	}
630 	proc_set_cred(p, newcred);
631 	PROC_UNLOCK(p);
632 	uifree(euip);
633 	crfree(oldcred);
634 	return (0);
635 
636 fail:
637 	PROC_UNLOCK(p);
638 	uifree(euip);
639 	crfree(newcred);
640 	return (error);
641 }
642 
643 #ifndef _SYS_SYSPROTO_H_
644 struct setgid_args {
645 	gid_t	gid;
646 };
647 #endif
648 /* ARGSUSED */
649 int
sys_setgid(struct thread * td,struct setgid_args * uap)650 sys_setgid(struct thread *td, struct setgid_args *uap)
651 {
652 	struct proc *p = td->td_proc;
653 	struct ucred *newcred, *oldcred;
654 	gid_t gid;
655 	int error;
656 
657 	gid = uap->gid;
658 	AUDIT_ARG_GID(gid);
659 	newcred = crget();
660 	PROC_LOCK(p);
661 	oldcred = crcopysafe(p, newcred);
662 
663 #ifdef MAC
664 	error = mac_cred_check_setgid(oldcred, gid);
665 	if (error)
666 		goto fail;
667 #endif
668 
669 	/*
670 	 * See if we have "permission" by POSIX 1003.1 rules.
671 	 *
672 	 * Note that setgid(getegid()) is a special case of
673 	 * "appropriate privileges" in appendix B.4.2.2.  We need
674 	 * to use this clause to be compatible with traditional BSD
675 	 * semantics.  Basically, it means that "setgid(xx)" sets all
676 	 * three id's (assuming you have privs).
677 	 *
678 	 * For notes on the logic here, see setuid() above.
679 	 */
680 	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
681 #ifdef _POSIX_SAVED_IDS
682 	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
683 #endif
684 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
685 	    gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
686 #endif
687 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0)
688 		goto fail;
689 
690 #ifdef _POSIX_SAVED_IDS
691 	/*
692 	 * Do we have "appropriate privileges" (are we root or gid == egid)
693 	 * If so, we are changing the real uid and saved gid.
694 	 */
695 	if (
696 #ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
697 	    gid == oldcred->cr_groups[0] ||
698 #endif
699 	    /* We are using privs. */
700 	    priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0)
701 #endif
702 	{
703 		/*
704 		 * Set real gid
705 		 */
706 		if (oldcred->cr_rgid != gid) {
707 			change_rgid(newcred, gid);
708 			setsugid(p);
709 		}
710 		/*
711 		 * Set saved gid
712 		 *
713 		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
714 		 * the security of setegid() depends on it.  B.4.2.2 says it
715 		 * is important that we should do this.
716 		 */
717 		if (oldcred->cr_svgid != gid) {
718 			change_svgid(newcred, gid);
719 			setsugid(p);
720 		}
721 	}
722 	/*
723 	 * In all cases permitted cases, we are changing the egid.
724 	 * Copy credentials so other references do not see our changes.
725 	 */
726 	if (oldcred->cr_groups[0] != gid) {
727 		change_egid(newcred, gid);
728 		setsugid(p);
729 	}
730 	proc_set_cred(p, newcred);
731 	PROC_UNLOCK(p);
732 	crfree(oldcred);
733 	return (0);
734 
735 fail:
736 	PROC_UNLOCK(p);
737 	crfree(newcred);
738 	return (error);
739 }
740 
741 #ifndef _SYS_SYSPROTO_H_
742 struct setegid_args {
743 	gid_t	egid;
744 };
745 #endif
746 /* ARGSUSED */
747 int
sys_setegid(struct thread * td,struct setegid_args * uap)748 sys_setegid(struct thread *td, struct setegid_args *uap)
749 {
750 	struct proc *p = td->td_proc;
751 	struct ucred *newcred, *oldcred;
752 	gid_t egid;
753 	int error;
754 
755 	egid = uap->egid;
756 	AUDIT_ARG_EGID(egid);
757 	newcred = crget();
758 	PROC_LOCK(p);
759 	oldcred = crcopysafe(p, newcred);
760 
761 #ifdef MAC
762 	error = mac_cred_check_setegid(oldcred, egid);
763 	if (error)
764 		goto fail;
765 #endif
766 
767 	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
768 	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
769 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0)
770 		goto fail;
771 
772 	if (oldcred->cr_groups[0] != egid) {
773 		change_egid(newcred, egid);
774 		setsugid(p);
775 	}
776 	proc_set_cred(p, newcred);
777 	PROC_UNLOCK(p);
778 	crfree(oldcred);
779 	return (0);
780 
781 fail:
782 	PROC_UNLOCK(p);
783 	crfree(newcred);
784 	return (error);
785 }
786 
787 #ifndef _SYS_SYSPROTO_H_
788 struct setgroups_args {
789 	u_int	gidsetsize;
790 	gid_t	*gidset;
791 };
792 #endif
793 /* ARGSUSED */
794 int
sys_setgroups(struct thread * td,struct setgroups_args * uap)795 sys_setgroups(struct thread *td, struct setgroups_args *uap)
796 {
797 	gid_t smallgroups[XU_NGROUPS];
798 	gid_t *groups;
799 	u_int gidsetsize;
800 	int error;
801 
802 	gidsetsize = uap->gidsetsize;
803 	if (gidsetsize > ngroups_max + 1)
804 		return (EINVAL);
805 
806 	if (gidsetsize > XU_NGROUPS)
807 		groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
808 	else
809 		groups = smallgroups;
810 
811 	error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
812 	if (error == 0)
813 		error = kern_setgroups(td, gidsetsize, groups);
814 
815 	if (gidsetsize > XU_NGROUPS)
816 		free(groups, M_TEMP);
817 	return (error);
818 }
819 
820 int
kern_setgroups(struct thread * td,u_int ngrp,gid_t * groups)821 kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
822 {
823 	struct proc *p = td->td_proc;
824 	struct ucred *newcred, *oldcred;
825 	int error;
826 
827 	MPASS(ngrp <= ngroups_max + 1);
828 	AUDIT_ARG_GROUPSET(groups, ngrp);
829 	newcred = crget();
830 	crextend(newcred, ngrp);
831 	PROC_LOCK(p);
832 	oldcred = crcopysafe(p, newcred);
833 
834 #ifdef MAC
835 	error = mac_cred_check_setgroups(oldcred, ngrp, groups);
836 	if (error)
837 		goto fail;
838 #endif
839 
840 	error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0);
841 	if (error)
842 		goto fail;
843 
844 	if (ngrp == 0) {
845 		/*
846 		 * setgroups(0, NULL) is a legitimate way of clearing the
847 		 * groups vector on non-BSD systems (which generally do not
848 		 * have the egid in the groups[0]).  We risk security holes
849 		 * when running non-BSD software if we do not do the same.
850 		 */
851 		newcred->cr_ngroups = 1;
852 	} else {
853 		crsetgroups_locked(newcred, ngrp, groups);
854 	}
855 	setsugid(p);
856 	proc_set_cred(p, newcred);
857 	PROC_UNLOCK(p);
858 	crfree(oldcred);
859 	return (0);
860 
861 fail:
862 	PROC_UNLOCK(p);
863 	crfree(newcred);
864 	return (error);
865 }
866 
867 #ifndef _SYS_SYSPROTO_H_
868 struct setreuid_args {
869 	uid_t	ruid;
870 	uid_t	euid;
871 };
872 #endif
873 /* ARGSUSED */
874 int
sys_setreuid(struct thread * td,struct setreuid_args * uap)875 sys_setreuid(struct thread *td, struct setreuid_args *uap)
876 {
877 	struct proc *p = td->td_proc;
878 	struct ucred *newcred, *oldcred;
879 	uid_t euid, ruid;
880 	struct uidinfo *euip, *ruip;
881 	int error;
882 
883 	euid = uap->euid;
884 	ruid = uap->ruid;
885 	AUDIT_ARG_EUID(euid);
886 	AUDIT_ARG_RUID(ruid);
887 	newcred = crget();
888 	euip = uifind(euid);
889 	ruip = uifind(ruid);
890 	PROC_LOCK(p);
891 	oldcred = crcopysafe(p, newcred);
892 
893 #ifdef MAC
894 	error = mac_cred_check_setreuid(oldcred, ruid, euid);
895 	if (error)
896 		goto fail;
897 #endif
898 
899 	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
900 	      ruid != oldcred->cr_svuid) ||
901 	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
902 	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
903 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0)
904 		goto fail;
905 
906 	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
907 		change_euid(newcred, euip);
908 		setsugid(p);
909 	}
910 	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
911 		change_ruid(newcred, ruip);
912 		setsugid(p);
913 	}
914 	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
915 	    newcred->cr_svuid != newcred->cr_uid) {
916 		change_svuid(newcred, newcred->cr_uid);
917 		setsugid(p);
918 	}
919 	proc_set_cred(p, newcred);
920 #ifdef RACCT
921 	racct_proc_ucred_changed(p, oldcred, newcred);
922 	crhold(newcred);
923 #endif
924 	PROC_UNLOCK(p);
925 #ifdef RCTL
926 	rctl_proc_ucred_changed(p, newcred);
927 	crfree(newcred);
928 #endif
929 	uifree(ruip);
930 	uifree(euip);
931 	crfree(oldcred);
932 	return (0);
933 
934 fail:
935 	PROC_UNLOCK(p);
936 	uifree(ruip);
937 	uifree(euip);
938 	crfree(newcred);
939 	return (error);
940 }
941 
942 #ifndef _SYS_SYSPROTO_H_
943 struct setregid_args {
944 	gid_t	rgid;
945 	gid_t	egid;
946 };
947 #endif
948 /* ARGSUSED */
949 int
sys_setregid(struct thread * td,struct setregid_args * uap)950 sys_setregid(struct thread *td, struct setregid_args *uap)
951 {
952 	struct proc *p = td->td_proc;
953 	struct ucred *newcred, *oldcred;
954 	gid_t egid, rgid;
955 	int error;
956 
957 	egid = uap->egid;
958 	rgid = uap->rgid;
959 	AUDIT_ARG_EGID(egid);
960 	AUDIT_ARG_RGID(rgid);
961 	newcred = crget();
962 	PROC_LOCK(p);
963 	oldcred = crcopysafe(p, newcred);
964 
965 #ifdef MAC
966 	error = mac_cred_check_setregid(oldcred, rgid, egid);
967 	if (error)
968 		goto fail;
969 #endif
970 
971 	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
972 	    rgid != oldcred->cr_svgid) ||
973 	     (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
974 	     egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
975 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0)
976 		goto fail;
977 
978 	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
979 		change_egid(newcred, egid);
980 		setsugid(p);
981 	}
982 	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
983 		change_rgid(newcred, rgid);
984 		setsugid(p);
985 	}
986 	if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
987 	    newcred->cr_svgid != newcred->cr_groups[0]) {
988 		change_svgid(newcred, newcred->cr_groups[0]);
989 		setsugid(p);
990 	}
991 	proc_set_cred(p, newcred);
992 	PROC_UNLOCK(p);
993 	crfree(oldcred);
994 	return (0);
995 
996 fail:
997 	PROC_UNLOCK(p);
998 	crfree(newcred);
999 	return (error);
1000 }
1001 
1002 /*
1003  * setresuid(ruid, euid, suid) is like setreuid except control over the saved
1004  * uid is explicit.
1005  */
1006 #ifndef _SYS_SYSPROTO_H_
1007 struct setresuid_args {
1008 	uid_t	ruid;
1009 	uid_t	euid;
1010 	uid_t	suid;
1011 };
1012 #endif
1013 /* ARGSUSED */
1014 int
sys_setresuid(struct thread * td,struct setresuid_args * uap)1015 sys_setresuid(struct thread *td, struct setresuid_args *uap)
1016 {
1017 	struct proc *p = td->td_proc;
1018 	struct ucred *newcred, *oldcred;
1019 	uid_t euid, ruid, suid;
1020 	struct uidinfo *euip, *ruip;
1021 	int error;
1022 
1023 	euid = uap->euid;
1024 	ruid = uap->ruid;
1025 	suid = uap->suid;
1026 	AUDIT_ARG_EUID(euid);
1027 	AUDIT_ARG_RUID(ruid);
1028 	AUDIT_ARG_SUID(suid);
1029 	newcred = crget();
1030 	euip = uifind(euid);
1031 	ruip = uifind(ruid);
1032 	PROC_LOCK(p);
1033 	oldcred = crcopysafe(p, newcred);
1034 
1035 #ifdef MAC
1036 	error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
1037 	if (error)
1038 		goto fail;
1039 #endif
1040 
1041 	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
1042 	     ruid != oldcred->cr_svuid &&
1043 	      ruid != oldcred->cr_uid) ||
1044 	     (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
1045 	    euid != oldcred->cr_svuid &&
1046 	      euid != oldcred->cr_uid) ||
1047 	     (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
1048 	    suid != oldcred->cr_svuid &&
1049 	      suid != oldcred->cr_uid)) &&
1050 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0)
1051 		goto fail;
1052 
1053 	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
1054 		change_euid(newcred, euip);
1055 		setsugid(p);
1056 	}
1057 	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
1058 		change_ruid(newcred, ruip);
1059 		setsugid(p);
1060 	}
1061 	if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
1062 		change_svuid(newcred, suid);
1063 		setsugid(p);
1064 	}
1065 	proc_set_cred(p, newcred);
1066 #ifdef RACCT
1067 	racct_proc_ucred_changed(p, oldcred, newcred);
1068 	crhold(newcred);
1069 #endif
1070 	PROC_UNLOCK(p);
1071 #ifdef RCTL
1072 	rctl_proc_ucred_changed(p, newcred);
1073 	crfree(newcred);
1074 #endif
1075 	uifree(ruip);
1076 	uifree(euip);
1077 	crfree(oldcred);
1078 	return (0);
1079 
1080 fail:
1081 	PROC_UNLOCK(p);
1082 	uifree(ruip);
1083 	uifree(euip);
1084 	crfree(newcred);
1085 	return (error);
1086 
1087 }
1088 
1089 /*
1090  * setresgid(rgid, egid, sgid) is like setregid except control over the saved
1091  * gid is explicit.
1092  */
1093 #ifndef _SYS_SYSPROTO_H_
1094 struct setresgid_args {
1095 	gid_t	rgid;
1096 	gid_t	egid;
1097 	gid_t	sgid;
1098 };
1099 #endif
1100 /* ARGSUSED */
1101 int
sys_setresgid(struct thread * td,struct setresgid_args * uap)1102 sys_setresgid(struct thread *td, struct setresgid_args *uap)
1103 {
1104 	struct proc *p = td->td_proc;
1105 	struct ucred *newcred, *oldcred;
1106 	gid_t egid, rgid, sgid;
1107 	int error;
1108 
1109 	egid = uap->egid;
1110 	rgid = uap->rgid;
1111 	sgid = uap->sgid;
1112 	AUDIT_ARG_EGID(egid);
1113 	AUDIT_ARG_RGID(rgid);
1114 	AUDIT_ARG_SGID(sgid);
1115 	newcred = crget();
1116 	PROC_LOCK(p);
1117 	oldcred = crcopysafe(p, newcred);
1118 
1119 #ifdef MAC
1120 	error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
1121 	if (error)
1122 		goto fail;
1123 #endif
1124 
1125 	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1126 	      rgid != oldcred->cr_svgid &&
1127 	      rgid != oldcred->cr_groups[0]) ||
1128 	     (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1129 	      egid != oldcred->cr_svgid &&
1130 	      egid != oldcred->cr_groups[0]) ||
1131 	     (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1132 	      sgid != oldcred->cr_svgid &&
1133 	      sgid != oldcred->cr_groups[0])) &&
1134 	    (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0)
1135 		goto fail;
1136 
1137 	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1138 		change_egid(newcred, egid);
1139 		setsugid(p);
1140 	}
1141 	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1142 		change_rgid(newcred, rgid);
1143 		setsugid(p);
1144 	}
1145 	if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1146 		change_svgid(newcred, sgid);
1147 		setsugid(p);
1148 	}
1149 	proc_set_cred(p, newcred);
1150 	PROC_UNLOCK(p);
1151 	crfree(oldcred);
1152 	return (0);
1153 
1154 fail:
1155 	PROC_UNLOCK(p);
1156 	crfree(newcred);
1157 	return (error);
1158 }
1159 
1160 #ifndef _SYS_SYSPROTO_H_
1161 struct getresuid_args {
1162 	uid_t	*ruid;
1163 	uid_t	*euid;
1164 	uid_t	*suid;
1165 };
1166 #endif
1167 /* ARGSUSED */
1168 int
sys_getresuid(struct thread * td,struct getresuid_args * uap)1169 sys_getresuid(struct thread *td, struct getresuid_args *uap)
1170 {
1171 	struct ucred *cred;
1172 	int error1 = 0, error2 = 0, error3 = 0;
1173 
1174 	cred = td->td_ucred;
1175 	if (uap->ruid)
1176 		error1 = copyout(&cred->cr_ruid,
1177 		    uap->ruid, sizeof(cred->cr_ruid));
1178 	if (uap->euid)
1179 		error2 = copyout(&cred->cr_uid,
1180 		    uap->euid, sizeof(cred->cr_uid));
1181 	if (uap->suid)
1182 		error3 = copyout(&cred->cr_svuid,
1183 		    uap->suid, sizeof(cred->cr_svuid));
1184 	return (error1 ? error1 : error2 ? error2 : error3);
1185 }
1186 
1187 #ifndef _SYS_SYSPROTO_H_
1188 struct getresgid_args {
1189 	gid_t	*rgid;
1190 	gid_t	*egid;
1191 	gid_t	*sgid;
1192 };
1193 #endif
1194 /* ARGSUSED */
1195 int
sys_getresgid(struct thread * td,struct getresgid_args * uap)1196 sys_getresgid(struct thread *td, struct getresgid_args *uap)
1197 {
1198 	struct ucred *cred;
1199 	int error1 = 0, error2 = 0, error3 = 0;
1200 
1201 	cred = td->td_ucred;
1202 	if (uap->rgid)
1203 		error1 = copyout(&cred->cr_rgid,
1204 		    uap->rgid, sizeof(cred->cr_rgid));
1205 	if (uap->egid)
1206 		error2 = copyout(&cred->cr_groups[0],
1207 		    uap->egid, sizeof(cred->cr_groups[0]));
1208 	if (uap->sgid)
1209 		error3 = copyout(&cred->cr_svgid,
1210 		    uap->sgid, sizeof(cred->cr_svgid));
1211 	return (error1 ? error1 : error2 ? error2 : error3);
1212 }
1213 
1214 #ifndef _SYS_SYSPROTO_H_
1215 struct issetugid_args {
1216 	int dummy;
1217 };
1218 #endif
1219 /* ARGSUSED */
1220 int
sys_issetugid(struct thread * td,struct issetugid_args * uap)1221 sys_issetugid(struct thread *td, struct issetugid_args *uap)
1222 {
1223 	struct proc *p = td->td_proc;
1224 
1225 	/*
1226 	 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1227 	 * we use P_SUGID because we consider changing the owners as
1228 	 * "tainting" as well.
1229 	 * This is significant for procs that start as root and "become"
1230 	 * a user without an exec - programs cannot know *everything*
1231 	 * that libc *might* have put in their data segment.
1232 	 */
1233 	td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1234 	return (0);
1235 }
1236 
1237 int
sys___setugid(struct thread * td,struct __setugid_args * uap)1238 sys___setugid(struct thread *td, struct __setugid_args *uap)
1239 {
1240 #ifdef REGRESSION
1241 	struct proc *p;
1242 
1243 	p = td->td_proc;
1244 	switch (uap->flag) {
1245 	case 0:
1246 		PROC_LOCK(p);
1247 		p->p_flag &= ~P_SUGID;
1248 		PROC_UNLOCK(p);
1249 		return (0);
1250 	case 1:
1251 		PROC_LOCK(p);
1252 		p->p_flag |= P_SUGID;
1253 		PROC_UNLOCK(p);
1254 		return (0);
1255 	default:
1256 		return (EINVAL);
1257 	}
1258 #else /* !REGRESSION */
1259 
1260 	return (ENOSYS);
1261 #endif /* REGRESSION */
1262 }
1263 
1264 /*
1265  * Check if gid is a member of the group set.
1266  */
1267 int
groupmember(gid_t gid,struct ucred * cred)1268 groupmember(gid_t gid, struct ucred *cred)
1269 {
1270 	int l;
1271 	int h;
1272 	int m;
1273 
1274 	if (cred->cr_groups[0] == gid)
1275 		return(1);
1276 
1277 	/*
1278 	 * If gid was not our primary group, perform a binary search
1279 	 * of the supplemental groups.  This is possible because we
1280 	 * sort the groups in crsetgroups().
1281 	 */
1282 	l = 1;
1283 	h = cred->cr_ngroups;
1284 	while (l < h) {
1285 		m = l + ((h - l) / 2);
1286 		if (cred->cr_groups[m] < gid)
1287 			l = m + 1;
1288 		else
1289 			h = m;
1290 	}
1291 	if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid))
1292 		return (1);
1293 
1294 	return (0);
1295 }
1296 
1297 /*
1298  * Test the active securelevel against a given level.  securelevel_gt()
1299  * implements (securelevel > level).  securelevel_ge() implements
1300  * (securelevel >= level).  Note that the logic is inverted -- these
1301  * functions return EPERM on "success" and 0 on "failure".
1302  *
1303  * Due to care taken when setting the securelevel, we know that no jail will
1304  * be less secure that its parent (or the physical system), so it is sufficient
1305  * to test the current jail only.
1306  *
1307  * XXXRW: Possibly since this has to do with privilege, it should move to
1308  * kern_priv.c.
1309  */
1310 int
securelevel_gt(struct ucred * cr,int level)1311 securelevel_gt(struct ucred *cr, int level)
1312 {
1313 
1314 	return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
1315 }
1316 
1317 int
securelevel_ge(struct ucred * cr,int level)1318 securelevel_ge(struct ucred *cr, int level)
1319 {
1320 
1321 	return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0);
1322 }
1323 
1324 /*
1325  * 'see_other_uids' determines whether or not visibility of processes
1326  * and sockets with credentials holding different real uids is possible
1327  * using a variety of system MIBs.
1328  * XXX: data declarations should be together near the beginning of the file.
1329  */
1330 static int	see_other_uids = 1;
1331 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1332     &see_other_uids, 0,
1333     "Unprivileged processes may see subjects/objects with different real uid");
1334 
1335 /*-
1336  * Determine if u1 "can see" the subject specified by u2, according to the
1337  * 'see_other_uids' policy.
1338  * Returns: 0 for permitted, ESRCH otherwise
1339  * Locks: none
1340  * References: *u1 and *u2 must not change during the call
1341  *             u1 may equal u2, in which case only one reference is required
1342  */
1343 int
cr_canseeotheruids(struct ucred * u1,struct ucred * u2)1344 cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
1345 {
1346 
1347 	if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1348 		if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0)
1349 			return (ESRCH);
1350 	}
1351 	return (0);
1352 }
1353 
1354 /*
1355  * 'see_other_gids' determines whether or not visibility of processes
1356  * and sockets with credentials holding different real gids is possible
1357  * using a variety of system MIBs.
1358  * XXX: data declarations should be together near the beginning of the file.
1359  */
1360 static int	see_other_gids = 1;
1361 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1362     &see_other_gids, 0,
1363     "Unprivileged processes may see subjects/objects with different real gid");
1364 
1365 /*
1366  * Determine if u1 can "see" the subject specified by u2, according to the
1367  * 'see_other_gids' policy.
1368  * Returns: 0 for permitted, ESRCH otherwise
1369  * Locks: none
1370  * References: *u1 and *u2 must not change during the call
1371  *             u1 may equal u2, in which case only one reference is required
1372  */
1373 int
cr_canseeothergids(struct ucred * u1,struct ucred * u2)1374 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
1375 {
1376 	int i, match;
1377 
1378 	if (!see_other_gids) {
1379 		match = 0;
1380 		for (i = 0; i < u1->cr_ngroups; i++) {
1381 			if (groupmember(u1->cr_groups[i], u2))
1382 				match = 1;
1383 			if (match)
1384 				break;
1385 		}
1386 		if (!match) {
1387 			if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0)
1388 				return (ESRCH);
1389 		}
1390 	}
1391 	return (0);
1392 }
1393 
1394 /*
1395  * 'see_jail_proc' determines whether or not visibility of processes and
1396  * sockets with credentials holding different jail ids is possible using a
1397  * variety of system MIBs.
1398  *
1399  * XXX: data declarations should be together near the beginning of the file.
1400  */
1401 
1402 static int	see_jail_proc = 1;
1403 SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
1404     &see_jail_proc, 0,
1405     "Unprivileged processes may see subjects/objects with different jail ids");
1406 
1407 /*-
1408  * Determine if u1 "can see" the subject specified by u2, according to the
1409  * 'see_jail_proc' policy.
1410  * Returns: 0 for permitted, ESRCH otherwise
1411  * Locks: none
1412  * References: *u1 and *u2 must not change during the call
1413  *             u1 may equal u2, in which case only one reference is required
1414  */
1415 int
cr_canseejailproc(struct ucred * u1,struct ucred * u2)1416 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
1417 {
1418 	if (u1->cr_uid == 0)
1419 		return (0);
1420 	return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
1421 }
1422 
1423 /*-
1424  * Determine if u1 "can see" the subject specified by u2.
1425  * Returns: 0 for permitted, an errno value otherwise
1426  * Locks: none
1427  * References: *u1 and *u2 must not change during the call
1428  *             u1 may equal u2, in which case only one reference is required
1429  */
1430 int
cr_cansee(struct ucred * u1,struct ucred * u2)1431 cr_cansee(struct ucred *u1, struct ucred *u2)
1432 {
1433 	int error;
1434 
1435 	if ((error = prison_check(u1, u2)))
1436 		return (error);
1437 #ifdef MAC
1438 	if ((error = mac_cred_check_visible(u1, u2)))
1439 		return (error);
1440 #endif
1441 	if ((error = cr_canseeotheruids(u1, u2)))
1442 		return (error);
1443 	if ((error = cr_canseeothergids(u1, u2)))
1444 		return (error);
1445 	if ((error = cr_canseejailproc(u1, u2)))
1446 		return (error);
1447 	return (0);
1448 }
1449 
1450 /*-
1451  * Determine if td "can see" the subject specified by p.
1452  * Returns: 0 for permitted, an errno value otherwise
1453  * Locks: Sufficient locks to protect p->p_ucred must be held.  td really
1454  *        should be curthread.
1455  * References: td and p must be valid for the lifetime of the call
1456  */
1457 int
p_cansee(struct thread * td,struct proc * p)1458 p_cansee(struct thread *td, struct proc *p)
1459 {
1460 
1461 	/* Wrap cr_cansee() for all functionality. */
1462 	KASSERT(td == curthread, ("%s: td not curthread", __func__));
1463 	PROC_LOCK_ASSERT(p, MA_OWNED);
1464 	return (cr_cansee(td->td_ucred, p->p_ucred));
1465 }
1466 
1467 /*
1468  * 'conservative_signals' prevents the delivery of a broad class of
1469  * signals by unprivileged processes to processes that have changed their
1470  * credentials since the last invocation of execve().  This can prevent
1471  * the leakage of cached information or retained privileges as a result
1472  * of a common class of signal-related vulnerabilities.  However, this
1473  * may interfere with some applications that expect to be able to
1474  * deliver these signals to peer processes after having given up
1475  * privilege.
1476  */
1477 static int	conservative_signals = 1;
1478 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1479     &conservative_signals, 0, "Unprivileged processes prevented from "
1480     "sending certain signals to processes whose credentials have changed");
1481 /*-
1482  * Determine whether cred may deliver the specified signal to proc.
1483  * Returns: 0 for permitted, an errno value otherwise.
1484  * Locks: A lock must be held for proc.
1485  * References: cred and proc must be valid for the lifetime of the call.
1486  */
1487 int
cr_cansignal(struct ucred * cred,struct proc * proc,int signum)1488 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1489 {
1490 	int error;
1491 
1492 	PROC_LOCK_ASSERT(proc, MA_OWNED);
1493 	/*
1494 	 * Jail semantics limit the scope of signalling to proc in the
1495 	 * same jail as cred, if cred is in jail.
1496 	 */
1497 	error = prison_check(cred, proc->p_ucred);
1498 	if (error)
1499 		return (error);
1500 #ifdef MAC
1501 	if ((error = mac_proc_check_signal(cred, proc, signum)))
1502 		return (error);
1503 #endif
1504 	if ((error = cr_canseeotheruids(cred, proc->p_ucred)))
1505 		return (error);
1506 	if ((error = cr_canseeothergids(cred, proc->p_ucred)))
1507 		return (error);
1508 
1509 	/*
1510 	 * UNIX signal semantics depend on the status of the P_SUGID
1511 	 * bit on the target process.  If the bit is set, then additional
1512 	 * restrictions are placed on the set of available signals.
1513 	 */
1514 	if (conservative_signals && (proc->p_flag & P_SUGID)) {
1515 		switch (signum) {
1516 		case 0:
1517 		case SIGKILL:
1518 		case SIGINT:
1519 		case SIGTERM:
1520 		case SIGALRM:
1521 		case SIGSTOP:
1522 		case SIGTTIN:
1523 		case SIGTTOU:
1524 		case SIGTSTP:
1525 		case SIGHUP:
1526 		case SIGUSR1:
1527 		case SIGUSR2:
1528 			/*
1529 			 * Generally, permit job and terminal control
1530 			 * signals.
1531 			 */
1532 			break;
1533 		default:
1534 			/* Not permitted without privilege. */
1535 			error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0);
1536 			if (error)
1537 				return (error);
1538 		}
1539 	}
1540 
1541 	/*
1542 	 * Generally, the target credential's ruid or svuid must match the
1543 	 * subject credential's ruid or euid.
1544 	 */
1545 	if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1546 	    cred->cr_ruid != proc->p_ucred->cr_svuid &&
1547 	    cred->cr_uid != proc->p_ucred->cr_ruid &&
1548 	    cred->cr_uid != proc->p_ucred->cr_svuid) {
1549 		error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0);
1550 		if (error)
1551 			return (error);
1552 	}
1553 
1554 	return (0);
1555 }
1556 
1557 /*-
1558  * Determine whether td may deliver the specified signal to p.
1559  * Returns: 0 for permitted, an errno value otherwise
1560  * Locks: Sufficient locks to protect various components of td and p
1561  *        must be held.  td must be curthread, and a lock must be
1562  *        held for p.
1563  * References: td and p must be valid for the lifetime of the call
1564  */
1565 int
p_cansignal(struct thread * td,struct proc * p,int signum)1566 p_cansignal(struct thread *td, struct proc *p, int signum)
1567 {
1568 
1569 	KASSERT(td == curthread, ("%s: td not curthread", __func__));
1570 	PROC_LOCK_ASSERT(p, MA_OWNED);
1571 	if (td->td_proc == p)
1572 		return (0);
1573 
1574 	/*
1575 	 * UNIX signalling semantics require that processes in the same
1576 	 * session always be able to deliver SIGCONT to one another,
1577 	 * overriding the remaining protections.
1578 	 */
1579 	/* XXX: This will require an additional lock of some sort. */
1580 	if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1581 		return (0);
1582 	/*
1583 	 * Some compat layers use SIGTHR and higher signals for
1584 	 * communication between different kernel threads of the same
1585 	 * process, so that they expect that it's always possible to
1586 	 * deliver them, even for suid applications where cr_cansignal() can
1587 	 * deny such ability for security consideration.  It should be
1588 	 * pretty safe to do since the only way to create two processes
1589 	 * with the same p_leader is via rfork(2).
1590 	 */
1591 	if (td->td_proc->p_leader != NULL && signum >= SIGTHR &&
1592 	    signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader)
1593 		return (0);
1594 
1595 	return (cr_cansignal(td->td_ucred, p, signum));
1596 }
1597 
1598 /*-
1599  * Determine whether td may reschedule p.
1600  * Returns: 0 for permitted, an errno value otherwise
1601  * Locks: Sufficient locks to protect various components of td and p
1602  *        must be held.  td must be curthread, and a lock must
1603  *        be held for p.
1604  * References: td and p must be valid for the lifetime of the call
1605  */
1606 int
p_cansched(struct thread * td,struct proc * p)1607 p_cansched(struct thread *td, struct proc *p)
1608 {
1609 	int error;
1610 
1611 	KASSERT(td == curthread, ("%s: td not curthread", __func__));
1612 	PROC_LOCK_ASSERT(p, MA_OWNED);
1613 	if (td->td_proc == p)
1614 		return (0);
1615 	if ((error = prison_check(td->td_ucred, p->p_ucred)))
1616 		return (error);
1617 #ifdef MAC
1618 	if ((error = mac_proc_check_sched(td->td_ucred, p)))
1619 		return (error);
1620 #endif
1621 	if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
1622 		return (error);
1623 	if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
1624 		return (error);
1625 	if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
1626 	    td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
1627 		error = priv_check(td, PRIV_SCHED_DIFFCRED);
1628 		if (error)
1629 			return (error);
1630 	}
1631 	return (0);
1632 }
1633 
1634 /*
1635  * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1636  * unprivileged inter-process debugging services, including some procfs
1637  * functionality, ptrace(), and ktrace().  In the past, inter-process
1638  * debugging has been involved in a variety of security problems, and sites
1639  * not requiring the service might choose to disable it when hardening
1640  * systems.
1641  *
1642  * XXX: Should modifying and reading this variable require locking?
1643  * XXX: data declarations should be together near the beginning of the file.
1644  */
1645 static int	unprivileged_proc_debug = 1;
1646 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1647     &unprivileged_proc_debug, 0,
1648     "Unprivileged processes may use process debugging facilities");
1649 
1650 /*-
1651  * Determine whether td may debug p.
1652  * Returns: 0 for permitted, an errno value otherwise
1653  * Locks: Sufficient locks to protect various components of td and p
1654  *        must be held.  td must be curthread, and a lock must
1655  *        be held for p.
1656  * References: td and p must be valid for the lifetime of the call
1657  */
1658 int
p_candebug(struct thread * td,struct proc * p)1659 p_candebug(struct thread *td, struct proc *p)
1660 {
1661 	int credentialchanged, error, grpsubset, i, uidsubset;
1662 
1663 	KASSERT(td == curthread, ("%s: td not curthread", __func__));
1664 	PROC_LOCK_ASSERT(p, MA_OWNED);
1665 	if (!unprivileged_proc_debug) {
1666 		error = priv_check(td, PRIV_DEBUG_UNPRIV);
1667 		if (error)
1668 			return (error);
1669 	}
1670 	if (td->td_proc == p)
1671 		return (0);
1672 	if ((error = prison_check(td->td_ucred, p->p_ucred)))
1673 		return (error);
1674 #ifdef MAC
1675 	if ((error = mac_proc_check_debug(td->td_ucred, p)))
1676 		return (error);
1677 #endif
1678 	if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
1679 		return (error);
1680 	if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
1681 		return (error);
1682 
1683 	/*
1684 	 * Is p's group set a subset of td's effective group set?  This
1685 	 * includes p's egid, group access list, rgid, and svgid.
1686 	 */
1687 	grpsubset = 1;
1688 	for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1689 		if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1690 			grpsubset = 0;
1691 			break;
1692 		}
1693 	}
1694 	grpsubset = grpsubset &&
1695 	    groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1696 	    groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1697 
1698 	/*
1699 	 * Are the uids present in p's credential equal to td's
1700 	 * effective uid?  This includes p's euid, svuid, and ruid.
1701 	 */
1702 	uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1703 	    td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1704 	    td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1705 
1706 	/*
1707 	 * Has the credential of the process changed since the last exec()?
1708 	 */
1709 	credentialchanged = (p->p_flag & P_SUGID);
1710 
1711 	/*
1712 	 * If p's gids aren't a subset, or the uids aren't a subset,
1713 	 * or the credential has changed, require appropriate privilege
1714 	 * for td to debug p.
1715 	 */
1716 	if (!grpsubset || !uidsubset) {
1717 		error = priv_check(td, PRIV_DEBUG_DIFFCRED);
1718 		if (error)
1719 			return (error);
1720 	}
1721 
1722 	if (credentialchanged) {
1723 		error = priv_check(td, PRIV_DEBUG_SUGID);
1724 		if (error)
1725 			return (error);
1726 	}
1727 
1728 	/* Can't trace init when securelevel > 0. */
1729 	if (p == initproc) {
1730 		error = securelevel_gt(td->td_ucred, 0);
1731 		if (error)
1732 			return (error);
1733 	}
1734 
1735 	/*
1736 	 * Can't trace a process that's currently exec'ing.
1737 	 *
1738 	 * XXX: Note, this is not a security policy decision, it's a
1739 	 * basic correctness/functionality decision.  Therefore, this check
1740 	 * should be moved to the caller's of p_candebug().
1741 	 */
1742 	if ((p->p_flag & P_INEXEC) != 0)
1743 		return (EBUSY);
1744 
1745 	/* Denied explicitely */
1746 	if ((p->p_flag2 & P2_NOTRACE) != 0) {
1747 		error = priv_check(td, PRIV_DEBUG_DENIED);
1748 		if (error != 0)
1749 			return (error);
1750 	}
1751 
1752 	return (0);
1753 }
1754 
1755 /*-
1756  * Determine whether the subject represented by cred can "see" a socket.
1757  * Returns: 0 for permitted, ENOENT otherwise.
1758  */
1759 int
cr_canseesocket(struct ucred * cred,struct socket * so)1760 cr_canseesocket(struct ucred *cred, struct socket *so)
1761 {
1762 	int error;
1763 
1764 	error = prison_check(cred, so->so_cred);
1765 	if (error)
1766 		return (ENOENT);
1767 #ifdef MAC
1768 	error = mac_socket_check_visible(cred, so);
1769 	if (error)
1770 		return (error);
1771 #endif
1772 	if (cr_canseeotheruids(cred, so->so_cred))
1773 		return (ENOENT);
1774 	if (cr_canseeothergids(cred, so->so_cred))
1775 		return (ENOENT);
1776 
1777 	return (0);
1778 }
1779 
1780 /*-
1781  * Determine whether td can wait for the exit of p.
1782  * Returns: 0 for permitted, an errno value otherwise
1783  * Locks: Sufficient locks to protect various components of td and p
1784  *        must be held.  td must be curthread, and a lock must
1785  *        be held for p.
1786  * References: td and p must be valid for the lifetime of the call
1787 
1788  */
1789 int
p_canwait(struct thread * td,struct proc * p)1790 p_canwait(struct thread *td, struct proc *p)
1791 {
1792 	int error;
1793 
1794 	KASSERT(td == curthread, ("%s: td not curthread", __func__));
1795 	PROC_LOCK_ASSERT(p, MA_OWNED);
1796 	if ((error = prison_check(td->td_ucred, p->p_ucred)))
1797 		return (error);
1798 #ifdef MAC
1799 	if ((error = mac_proc_check_wait(td->td_ucred, p)))
1800 		return (error);
1801 #endif
1802 #if 0
1803 	/* XXXMAC: This could have odd effects on some shells. */
1804 	if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
1805 		return (error);
1806 #endif
1807 
1808 	return (0);
1809 }
1810 
1811 /*
1812  * Allocate a zeroed cred structure.
1813  */
1814 struct ucred *
crget(void)1815 crget(void)
1816 {
1817 	struct ucred *cr;
1818 
1819 	cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1820 	refcount_init(&cr->cr_ref, 1);
1821 #ifdef AUDIT
1822 	audit_cred_init(cr);
1823 #endif
1824 #ifdef MAC
1825 	mac_cred_init(cr);
1826 #endif
1827 	cr->cr_groups = cr->cr_smallgroups;
1828 	cr->cr_agroups =
1829 	    sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]);
1830 	return (cr);
1831 }
1832 
1833 /*
1834  * Claim another reference to a ucred structure.
1835  */
1836 struct ucred *
crhold(struct ucred * cr)1837 crhold(struct ucred *cr)
1838 {
1839 
1840 	refcount_acquire(&cr->cr_ref);
1841 	return (cr);
1842 }
1843 
1844 /*
1845  * Free a cred structure.  Throws away space when ref count gets to 0.
1846  */
1847 void
crfree(struct ucred * cr)1848 crfree(struct ucred *cr)
1849 {
1850 
1851 	KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1852 	KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred"));
1853 	if (refcount_release(&cr->cr_ref)) {
1854 		/*
1855 		 * Some callers of crget(), such as nfs_statfs(),
1856 		 * allocate a temporary credential, but don't
1857 		 * allocate a uidinfo structure.
1858 		 */
1859 		if (cr->cr_uidinfo != NULL)
1860 			uifree(cr->cr_uidinfo);
1861 		if (cr->cr_ruidinfo != NULL)
1862 			uifree(cr->cr_ruidinfo);
1863 		/*
1864 		 * Free a prison, if any.
1865 		 */
1866 		if (cr->cr_prison != NULL)
1867 			prison_free(cr->cr_prison);
1868 		if (cr->cr_loginclass != NULL)
1869 			loginclass_free(cr->cr_loginclass);
1870 #ifdef AUDIT
1871 		audit_cred_destroy(cr);
1872 #endif
1873 #ifdef MAC
1874 		mac_cred_destroy(cr);
1875 #endif
1876 		if (cr->cr_groups != cr->cr_smallgroups)
1877 			free(cr->cr_groups, M_CRED);
1878 		free(cr, M_CRED);
1879 	}
1880 }
1881 
1882 /*
1883  * Copy a ucred's contents from a template.  Does not block.
1884  */
1885 void
crcopy(struct ucred * dest,struct ucred * src)1886 crcopy(struct ucred *dest, struct ucred *src)
1887 {
1888 
1889 	KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred"));
1890 	bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1891 	    (unsigned)((caddr_t)&src->cr_endcopy -
1892 		(caddr_t)&src->cr_startcopy));
1893 	crsetgroups(dest, src->cr_ngroups, src->cr_groups);
1894 	uihold(dest->cr_uidinfo);
1895 	uihold(dest->cr_ruidinfo);
1896 	prison_hold(dest->cr_prison);
1897 	loginclass_hold(dest->cr_loginclass);
1898 #ifdef AUDIT
1899 	audit_cred_copy(src, dest);
1900 #endif
1901 #ifdef MAC
1902 	mac_cred_copy(src, dest);
1903 #endif
1904 }
1905 
1906 /*
1907  * Dup cred struct to a new held one.
1908  */
1909 struct ucred *
crdup(struct ucred * cr)1910 crdup(struct ucred *cr)
1911 {
1912 	struct ucred *newcr;
1913 
1914 	newcr = crget();
1915 	crcopy(newcr, cr);
1916 	return (newcr);
1917 }
1918 
1919 /*
1920  * Fill in a struct xucred based on a struct ucred.
1921  */
1922 void
cru2x(struct ucred * cr,struct xucred * xcr)1923 cru2x(struct ucred *cr, struct xucred *xcr)
1924 {
1925 	int ngroups;
1926 
1927 	bzero(xcr, sizeof(*xcr));
1928 	xcr->cr_version = XUCRED_VERSION;
1929 	xcr->cr_uid = cr->cr_uid;
1930 
1931 	ngroups = MIN(cr->cr_ngroups, XU_NGROUPS);
1932 	xcr->cr_ngroups = ngroups;
1933 	bcopy(cr->cr_groups, xcr->cr_groups,
1934 	    ngroups * sizeof(*cr->cr_groups));
1935 }
1936 
1937 /*
1938  * Set initial process credentials.
1939  * Callers are responsible for providing the reference for provided credentials.
1940  */
1941 void
proc_set_cred_init(struct proc * p,struct ucred * newcred)1942 proc_set_cred_init(struct proc *p, struct ucred *newcred)
1943 {
1944 
1945 	p->p_ucred = newcred;
1946 }
1947 
1948 /*
1949  * Change process credentials.
1950  * Callers are responsible for providing the reference for passed credentials
1951  * and for freeing old ones.
1952  *
1953  * Process has to be locked except when it does not have credentials (as it
1954  * should not be visible just yet) or when newcred is NULL (as this can be
1955  * only used when the process is about to be freed, at which point it should
1956  * not be visible anymore).
1957  */
1958 struct ucred *
proc_set_cred(struct proc * p,struct ucred * newcred)1959 proc_set_cred(struct proc *p, struct ucred *newcred)
1960 {
1961 	struct ucred *oldcred;
1962 
1963 	MPASS(p->p_ucred != NULL);
1964 	if (newcred == NULL)
1965 		MPASS(p->p_state == PRS_ZOMBIE);
1966 	else
1967 		PROC_LOCK_ASSERT(p, MA_OWNED);
1968 
1969 	oldcred = p->p_ucred;
1970 	p->p_ucred = newcred;
1971 	if (newcred != NULL)
1972 		PROC_UPDATE_COW(p);
1973 	return (oldcred);
1974 }
1975 
1976 struct ucred *
crcopysafe(struct proc * p,struct ucred * cr)1977 crcopysafe(struct proc *p, struct ucred *cr)
1978 {
1979 	struct ucred *oldcred;
1980 	int groups;
1981 
1982 	PROC_LOCK_ASSERT(p, MA_OWNED);
1983 
1984 	oldcred = p->p_ucred;
1985 	while (cr->cr_agroups < oldcred->cr_agroups) {
1986 		groups = oldcred->cr_agroups;
1987 		PROC_UNLOCK(p);
1988 		crextend(cr, groups);
1989 		PROC_LOCK(p);
1990 		oldcred = p->p_ucred;
1991 	}
1992 	crcopy(cr, oldcred);
1993 
1994 	return (oldcred);
1995 }
1996 
1997 /*
1998  * Extend the passed in credential to hold n items.
1999  */
2000 void
crextend(struct ucred * cr,int n)2001 crextend(struct ucred *cr, int n)
2002 {
2003 	int cnt;
2004 
2005 	/* Truncate? */
2006 	if (n <= cr->cr_agroups)
2007 		return;
2008 
2009 	/*
2010 	 * We extend by 2 each time since we're using a power of two
2011 	 * allocator until we need enough groups to fill a page.
2012 	 * Once we're allocating multiple pages, only allocate as many
2013 	 * as we actually need.  The case of processes needing a
2014 	 * non-power of two number of pages seems more likely than
2015 	 * a real world process that adds thousands of groups one at a
2016 	 * time.
2017 	 */
2018 	if ( n < PAGE_SIZE / sizeof(gid_t) ) {
2019 		if (cr->cr_agroups == 0)
2020 			cnt = MINALLOCSIZE / sizeof(gid_t);
2021 		else
2022 			cnt = cr->cr_agroups * 2;
2023 
2024 		while (cnt < n)
2025 			cnt *= 2;
2026 	} else
2027 		cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t));
2028 
2029 	/* Free the old array. */
2030 	if (cr->cr_groups != cr->cr_smallgroups)
2031 		free(cr->cr_groups, M_CRED);
2032 
2033 	cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO);
2034 	cr->cr_agroups = cnt;
2035 }
2036 
2037 /*
2038  * Copy groups in to a credential, preserving any necessary invariants.
2039  * Currently this includes the sorting of all supplemental gids.
2040  * crextend() must have been called before hand to ensure sufficient
2041  * space is available.
2042  */
2043 static void
crsetgroups_locked(struct ucred * cr,int ngrp,gid_t * groups)2044 crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups)
2045 {
2046 	int i;
2047 	int j;
2048 	gid_t g;
2049 
2050 	KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small"));
2051 
2052 	bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t));
2053 	cr->cr_ngroups = ngrp;
2054 
2055 	/*
2056 	 * Sort all groups except cr_groups[0] to allow groupmember to
2057 	 * perform a binary search.
2058 	 *
2059 	 * XXX: If large numbers of groups become common this should
2060 	 * be replaced with shell sort like linux uses or possibly
2061 	 * heap sort.
2062 	 */
2063 	for (i = 2; i < ngrp; i++) {
2064 		g = cr->cr_groups[i];
2065 		for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--)
2066 			cr->cr_groups[j + 1] = cr->cr_groups[j];
2067 		cr->cr_groups[j + 1] = g;
2068 	}
2069 }
2070 
2071 /*
2072  * Copy groups in to a credential after expanding it if required.
2073  * Truncate the list to (ngroups_max + 1) if it is too large.
2074  */
2075 void
crsetgroups(struct ucred * cr,int ngrp,gid_t * groups)2076 crsetgroups(struct ucred *cr, int ngrp, gid_t *groups)
2077 {
2078 
2079 	if (ngrp > ngroups_max + 1)
2080 		ngrp = ngroups_max + 1;
2081 
2082 	crextend(cr, ngrp);
2083 	crsetgroups_locked(cr, ngrp, groups);
2084 }
2085 
2086 /*
2087  * Get login name, if available.
2088  */
2089 #ifndef _SYS_SYSPROTO_H_
2090 struct getlogin_args {
2091 	char	*namebuf;
2092 	u_int	namelen;
2093 };
2094 #endif
2095 /* ARGSUSED */
2096 int
sys_getlogin(struct thread * td,struct getlogin_args * uap)2097 sys_getlogin(struct thread *td, struct getlogin_args *uap)
2098 {
2099 	char login[MAXLOGNAME];
2100 	struct proc *p = td->td_proc;
2101 	size_t len;
2102 
2103 	if (uap->namelen > MAXLOGNAME)
2104 		uap->namelen = MAXLOGNAME;
2105 	PROC_LOCK(p);
2106 	SESS_LOCK(p->p_session);
2107 	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
2108 	SESS_UNLOCK(p->p_session);
2109 	PROC_UNLOCK(p);
2110 	if (len > uap->namelen)
2111 		return (ERANGE);
2112 	return (copyout(login, uap->namebuf, len));
2113 }
2114 
2115 /*
2116  * Set login name.
2117  */
2118 #ifndef _SYS_SYSPROTO_H_
2119 struct setlogin_args {
2120 	char	*namebuf;
2121 };
2122 #endif
2123 /* ARGSUSED */
2124 int
sys_setlogin(struct thread * td,struct setlogin_args * uap)2125 sys_setlogin(struct thread *td, struct setlogin_args *uap)
2126 {
2127 	struct proc *p = td->td_proc;
2128 	int error;
2129 	char logintmp[MAXLOGNAME];
2130 
2131 	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
2132 
2133 	error = priv_check(td, PRIV_PROC_SETLOGIN);
2134 	if (error)
2135 		return (error);
2136 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
2137 	if (error != 0) {
2138 		if (error == ENAMETOOLONG)
2139 			error = EINVAL;
2140 		return (error);
2141 	}
2142 	AUDIT_ARG_LOGIN(logintmp);
2143 	PROC_LOCK(p);
2144 	SESS_LOCK(p->p_session);
2145 	strcpy(p->p_session->s_login, logintmp);
2146 	SESS_UNLOCK(p->p_session);
2147 	PROC_UNLOCK(p);
2148 	return (0);
2149 }
2150 
2151 void
setsugid(struct proc * p)2152 setsugid(struct proc *p)
2153 {
2154 
2155 	PROC_LOCK_ASSERT(p, MA_OWNED);
2156 	p->p_flag |= P_SUGID;
2157 	if (!(p->p_pfsflags & PF_ISUGID))
2158 		p->p_stops = 0;
2159 }
2160 
2161 /*-
2162  * Change a process's effective uid.
2163  * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
2164  * References: newcred must be an exclusive credential reference for the
2165  *             duration of the call.
2166  */
2167 void
change_euid(struct ucred * newcred,struct uidinfo * euip)2168 change_euid(struct ucred *newcred, struct uidinfo *euip)
2169 {
2170 
2171 	newcred->cr_uid = euip->ui_uid;
2172 	uihold(euip);
2173 	uifree(newcred->cr_uidinfo);
2174 	newcred->cr_uidinfo = euip;
2175 }
2176 
2177 /*-
2178  * Change a process's effective gid.
2179  * Side effects: newcred->cr_gid will be modified.
2180  * References: newcred must be an exclusive credential reference for the
2181  *             duration of the call.
2182  */
2183 void
change_egid(struct ucred * newcred,gid_t egid)2184 change_egid(struct ucred *newcred, gid_t egid)
2185 {
2186 
2187 	newcred->cr_groups[0] = egid;
2188 }
2189 
2190 /*-
2191  * Change a process's real uid.
2192  * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
2193  *               will be updated, and the old and new cr_ruidinfo proc
2194  *               counts will be updated.
2195  * References: newcred must be an exclusive credential reference for the
2196  *             duration of the call.
2197  */
2198 void
change_ruid(struct ucred * newcred,struct uidinfo * ruip)2199 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
2200 {
2201 
2202 	(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
2203 	newcred->cr_ruid = ruip->ui_uid;
2204 	uihold(ruip);
2205 	uifree(newcred->cr_ruidinfo);
2206 	newcred->cr_ruidinfo = ruip;
2207 	(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
2208 }
2209 
2210 /*-
2211  * Change a process's real gid.
2212  * Side effects: newcred->cr_rgid will be updated.
2213  * References: newcred must be an exclusive credential reference for the
2214  *             duration of the call.
2215  */
2216 void
change_rgid(struct ucred * newcred,gid_t rgid)2217 change_rgid(struct ucred *newcred, gid_t rgid)
2218 {
2219 
2220 	newcred->cr_rgid = rgid;
2221 }
2222 
2223 /*-
2224  * Change a process's saved uid.
2225  * Side effects: newcred->cr_svuid will be updated.
2226  * References: newcred must be an exclusive credential reference for the
2227  *             duration of the call.
2228  */
2229 void
change_svuid(struct ucred * newcred,uid_t svuid)2230 change_svuid(struct ucred *newcred, uid_t svuid)
2231 {
2232 
2233 	newcred->cr_svuid = svuid;
2234 }
2235 
2236 /*-
2237  * Change a process's saved gid.
2238  * Side effects: newcred->cr_svgid will be updated.
2239  * References: newcred must be an exclusive credential reference for the
2240  *             duration of the call.
2241  */
2242 void
change_svgid(struct ucred * newcred,gid_t svgid)2243 change_svgid(struct ucred *newcred, gid_t svgid)
2244 {
2245 
2246 	newcred->cr_svgid = svgid;
2247 }
2248