1 /* 2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 35 * $FreeBSD: src/sys/kern/kern_prot.c,v 1.53.2.9 2002/03/09 05:20:26 dd Exp $ 36 */ 37 38 /* 39 * System calls related to processes and protection 40 */ 41 42 #include <sys/param.h> 43 #include <sys/acct.h> 44 #include <sys/systm.h> 45 #include <sys/sysproto.h> 46 #include <sys/kernel.h> 47 #include <sys/lock.h> 48 #include <sys/proc.h> 49 #include <sys/priv.h> 50 #include <sys/malloc.h> 51 #include <sys/pioctl.h> 52 #include <sys/resourcevar.h> 53 #include <sys/jail.h> 54 #include <sys/lockf.h> 55 #include <sys/spinlock.h> 56 57 #include <sys/spinlock2.h> 58 59 static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 60 61 int 62 sys_getpid(struct getpid_args *uap) 63 { 64 struct proc *p = curproc; 65 66 uap->sysmsg_fds[0] = p->p_pid; 67 return (0); 68 } 69 70 int 71 sys_getppid(struct getppid_args *uap) 72 { 73 struct proc *p = curproc; 74 75 uap->sysmsg_result = p->p_ppid; 76 77 return (0); 78 } 79 80 int 81 sys_lwp_gettid(struct lwp_gettid_args *uap) 82 { 83 struct lwp *lp = curthread->td_lwp; 84 uap->sysmsg_result = lp->lwp_tid; 85 return (0); 86 } 87 88 /* 89 * Get process group ID; note that POSIX getpgrp takes no parameter 90 */ 91 int 92 sys_getpgrp(struct getpgrp_args *uap) 93 { 94 struct proc *p = curproc; 95 96 lwkt_gettoken_shared(&p->p_token); 97 uap->sysmsg_result = p->p_pgrp->pg_id; 98 lwkt_reltoken(&p->p_token); 99 100 return (0); 101 } 102 103 /* 104 * Get an arbitrary pid's process group id 105 */ 106 int 107 sys_getpgid(struct getpgid_args *uap) 108 { 109 struct proc *p = curproc; 110 struct proc *pt; 111 int error; 112 113 error = 0; 114 115 if (uap->pid == 0) { 116 pt = p; 117 PHOLD(pt); 118 } else { 119 pt = pfind(uap->pid); 120 if (pt == NULL) 121 error = ESRCH; 122 } 123 if (error == 0) { 124 lwkt_gettoken_shared(&pt->p_token); 125 uap->sysmsg_result = pt->p_pgrp->pg_id; 126 lwkt_reltoken(&pt->p_token); 127 } 128 if (pt) 129 PRELE(pt); 130 return (error); 131 } 132 133 /* 134 * Get an arbitrary pid's session id. 135 */ 136 int 137 sys_getsid(struct getsid_args *uap) 138 { 139 struct proc *p = curproc; 140 struct proc *pt; 141 int error; 142 143 error = 0; 144 145 if (uap->pid == 0) { 146 pt = p; 147 PHOLD(pt); 148 } else { 149 pt = pfind(uap->pid); 150 if (pt == NULL) 151 error = ESRCH; 152 } 153 if (error == 0) 154 uap->sysmsg_result = pt->p_session->s_sid; 155 if (pt) 156 PRELE(pt); 157 return (error); 158 } 159 160 161 /* 162 * getuid() 163 */ 164 int 165 sys_getuid(struct getuid_args *uap) 166 { 167 struct ucred *cred = curthread->td_ucred; 168 169 uap->sysmsg_fds[0] = cred->cr_ruid; 170 return (0); 171 } 172 173 /* 174 * geteuid() 175 */ 176 int 177 sys_geteuid(struct geteuid_args *uap) 178 { 179 struct ucred *cred = curthread->td_ucred; 180 181 uap->sysmsg_result = cred->cr_uid; 182 return (0); 183 } 184 185 /* 186 * getgid() 187 */ 188 int 189 sys_getgid(struct getgid_args *uap) 190 { 191 struct ucred *cred = curthread->td_ucred; 192 193 uap->sysmsg_fds[0] = cred->cr_rgid; 194 return (0); 195 } 196 197 /* 198 * Get effective group ID. The "egid" is groups[0], and could be obtained 199 * via getgroups. This syscall exists because it is somewhat painful to do 200 * correctly in a library function. 201 */ 202 int 203 sys_getegid(struct getegid_args *uap) 204 { 205 struct ucred *cred = curthread->td_ucred; 206 207 uap->sysmsg_result = cred->cr_groups[0]; 208 return (0); 209 } 210 211 int 212 sys_getgroups(struct getgroups_args *uap) 213 { 214 struct ucred *cr; 215 u_int ngrp; 216 int error; 217 218 cr = curthread->td_ucred; 219 if ((ngrp = uap->gidsetsize) == 0) { 220 uap->sysmsg_result = cr->cr_ngroups; 221 return (0); 222 } 223 if (ngrp < cr->cr_ngroups) 224 return (EINVAL); 225 ngrp = cr->cr_ngroups; 226 error = copyout((caddr_t)cr->cr_groups, 227 (caddr_t)uap->gidset, ngrp * sizeof(gid_t)); 228 if (error == 0) 229 uap->sysmsg_result = ngrp; 230 return (error); 231 } 232 233 /* 234 * Set the per-thread title for ps 235 */ 236 int 237 sys_lwp_setname(struct lwp_setname_args *uap) 238 { 239 struct proc *p = curproc; 240 struct lwp *lp; 241 char buf[LPMAP_MAXTHREADTITLE]; 242 int error; 243 size_t len; 244 245 if (uap->name != NULL) { 246 error = copyinstr(uap->name, buf, sizeof(buf), &len); 247 if (error) { 248 if (error != ENAMETOOLONG) 249 return error; 250 buf[sizeof(buf)-1] = 0; 251 len = sizeof(buf) - 1; 252 } 253 } else { 254 buf[0] = 0; 255 len = 1; 256 } 257 258 lwkt_gettoken(&p->p_token); 259 260 lp = lwpfind(p, uap->tid); 261 if (lp) { 262 lwkt_gettoken(&lp->lwp_token); 263 if (lp->lwp_lpmap == NULL) 264 lwp_usermap(lp, -1); 265 if (lp->lwp_lpmap) 266 bcopy(buf, lp->lwp_lpmap->thread_title, len); 267 lwkt_reltoken(&lp->lwp_token); 268 LWPRELE(lp); 269 error = 0; 270 } else { 271 error = ESRCH; 272 } 273 274 lwkt_reltoken(&p->p_token); 275 276 return error; 277 } 278 279 /* 280 * Retrieve the per-thread title for ps 281 */ 282 int 283 sys_lwp_getname(struct lwp_getname_args *uap) 284 { 285 struct proc *p = curproc; 286 struct lwp *lp; 287 char buf[LPMAP_MAXTHREADTITLE]; 288 int error; 289 size_t len; 290 char c; 291 292 len = 0; 293 lwkt_gettoken(&p->p_token); 294 295 lp = lwpfind(p, uap->tid); 296 if (lp) { 297 lwkt_gettoken(&lp->lwp_token); 298 if (lp->lwp_lpmap == NULL) 299 lwp_usermap(lp, -1); 300 if (lp->lwp_lpmap) { 301 for (len = 0; len < LPMAP_MAXTHREADTITLE - 1 && 302 len < uap->len - 1; ++len) { 303 c = lp->lwp_lpmap->thread_title[len]; 304 if (c == 0) 305 break; 306 buf[len] = c; 307 } 308 } 309 lwkt_reltoken(&lp->lwp_token); 310 LWPRELE(lp); 311 error = 0; 312 } else { 313 error = ESRCH; 314 } 315 316 buf[len++] = 0; 317 lwkt_reltoken(&p->p_token); 318 319 if (uap->len) 320 error = copyout(buf, uap->name, len); 321 322 return error; 323 } 324 325 int 326 sys_setsid(struct setsid_args *uap) 327 { 328 struct proc *p = curproc; 329 struct pgrp *pg = NULL; 330 int error; 331 332 lwkt_gettoken(&p->p_token); 333 if (p->p_pgid == p->p_pid || (pg = pgfind(p->p_pid)) != NULL) { 334 error = EPERM; 335 if (pg) 336 pgrel(pg); 337 } else { 338 enterpgrp(p, p->p_pid, 1); 339 uap->sysmsg_result = p->p_pid; 340 error = 0; 341 } 342 lwkt_reltoken(&p->p_token); 343 return (error); 344 } 345 346 /* 347 * set process group (setpgid/old setpgrp) 348 * 349 * caller does setpgid(targpid, targpgid) 350 * 351 * pid must be caller or child of caller (ESRCH) 352 * if a child 353 * pid must be in same session (EPERM) 354 * pid can't have done an exec (EACCES) 355 * if pgid != pid 356 * there must exist some pid in same session having pgid (EPERM) 357 * pid must not be session leader (EPERM) 358 */ 359 int 360 sys_setpgid(struct setpgid_args *uap) 361 { 362 struct proc *curp = curproc; 363 struct proc *targp; /* target process */ 364 struct pgrp *pgrp = NULL; /* target pgrp */ 365 int error; 366 367 if (uap->pgid < 0) 368 return (EINVAL); 369 370 if (uap->pid != 0 && uap->pid != curp->p_pid) { 371 if ((targp = pfind(uap->pid)) == NULL || !inferior(targp)) { 372 if (targp) 373 PRELE(targp); 374 error = ESRCH; 375 targp = NULL; 376 goto done; 377 } 378 lwkt_gettoken(&targp->p_token); 379 /* targp now referenced and its token is held */ 380 381 if (targp->p_pgrp == NULL || 382 targp->p_session != curp->p_session) { 383 error = EPERM; 384 goto done; 385 } 386 if (targp->p_flags & P_EXEC) { 387 error = EACCES; 388 goto done; 389 } 390 } else { 391 targp = curp; 392 PHOLD(targp); 393 lwkt_gettoken(&targp->p_token); 394 } 395 if (SESS_LEADER(targp)) { 396 error = EPERM; 397 goto done; 398 } 399 if (uap->pgid == 0) { 400 uap->pgid = targp->p_pid; 401 } else if (uap->pgid != targp->p_pid) { 402 if ((pgrp = pgfind(uap->pgid)) == NULL || 403 pgrp->pg_session != curp->p_session) { 404 error = EPERM; 405 goto done; 406 } 407 } 408 error = enterpgrp(targp, uap->pgid, 0); 409 done: 410 if (pgrp) 411 pgrel(pgrp); 412 if (targp) { 413 lwkt_reltoken(&targp->p_token); 414 PRELE(targp); 415 } 416 return (error); 417 } 418 419 /* 420 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD 421 * compatible. It says that setting the uid/gid to euid/egid is a special 422 * case of "appropriate privilege". Once the rules are expanded out, this 423 * basically means that setuid(nnn) sets all three id's, in all permitted 424 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) 425 * does not set the saved id - this is dangerous for traditional BSD 426 * programs. For this reason, we *really* do not want to set 427 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. 428 */ 429 #define POSIX_APPENDIX_B_4_2_2 430 431 int 432 sys_setuid(struct setuid_args *uap) 433 { 434 struct proc *p = curproc; 435 struct ucred *cr; 436 uid_t uid; 437 int error; 438 439 lwkt_gettoken(&p->p_token); 440 cr = p->p_ucred; 441 442 /* 443 * See if we have "permission" by POSIX 1003.1 rules. 444 * 445 * Note that setuid(geteuid()) is a special case of 446 * "appropriate privileges" in appendix B.4.2.2. We need 447 * to use this clause to be compatible with traditional BSD 448 * semantics. Basically, it means that "setuid(xx)" sets all 449 * three id's (assuming you have privs). 450 * 451 * Notes on the logic. We do things in three steps. 452 * 1: We determine if the euid is going to change, and do EPERM 453 * right away. We unconditionally change the euid later if this 454 * test is satisfied, simplifying that part of the logic. 455 * 2: We determine if the real and/or saved uid's are going to 456 * change. Determined by compile options. 457 * 3: Change euid last. (after tests in #2 for "appropriate privs") 458 */ 459 uid = uap->uid; 460 if (uid != cr->cr_ruid && /* allow setuid(getuid()) */ 461 #ifdef _POSIX_SAVED_IDS 462 uid != crc->cr_svuid && /* allow setuid(saved gid) */ 463 #endif 464 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 465 uid != cr->cr_uid && /* allow setuid(geteuid()) */ 466 #endif 467 (error = priv_check_cred(cr, PRIV_CRED_SETUID, 0))) 468 goto done; 469 470 #ifdef _POSIX_SAVED_IDS 471 /* 472 * Do we have "appropriate privileges" (are we root or uid == euid) 473 * If so, we are changing the real uid and/or saved uid. 474 */ 475 if ( 476 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ 477 uid == cr->cr_uid || 478 #endif 479 priv_check_cred(cr, PRIV_CRED_SETUID, 0) == 0) /* we are using privs */ 480 #endif 481 { 482 /* 483 * Set the real uid and transfer proc count to new user. 484 */ 485 if (uid != cr->cr_ruid) { 486 cr = change_ruid(uid); 487 setsugid(); 488 } 489 /* 490 * Set saved uid 491 * 492 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as 493 * the security of seteuid() depends on it. B.4.2.2 says it 494 * is important that we should do this. 495 */ 496 if (cr->cr_svuid != uid) { 497 cr = cratom_proc(p); 498 cr->cr_svuid = uid; 499 setsugid(); 500 } 501 } 502 503 /* 504 * In all permitted cases, we are changing the euid. 505 * Copy credentials so other references do not see our changes. 506 */ 507 if (cr->cr_uid != uid) { 508 change_euid(uid); 509 setsugid(); 510 } 511 error = 0; 512 done: 513 lwkt_reltoken(&p->p_token); 514 return (error); 515 } 516 517 int 518 sys_seteuid(struct seteuid_args *uap) 519 { 520 struct proc *p = curproc; 521 struct ucred *cr; 522 uid_t euid; 523 int error; 524 525 lwkt_gettoken(&p->p_token); 526 cr = p->p_ucred; 527 euid = uap->euid; 528 if (euid != cr->cr_ruid && /* allow seteuid(getuid()) */ 529 euid != cr->cr_svuid && /* allow seteuid(saved uid) */ 530 (error = priv_check_cred(cr, PRIV_CRED_SETEUID, 0))) { 531 lwkt_reltoken(&p->p_token); 532 return (error); 533 } 534 535 /* 536 * Everything's okay, do it. Copy credentials so other references do 537 * not see our changes. 538 */ 539 if (cr->cr_uid != euid) { 540 change_euid(euid); 541 setsugid(); 542 } 543 lwkt_reltoken(&p->p_token); 544 return (0); 545 } 546 547 int 548 sys_setgid(struct setgid_args *uap) 549 { 550 struct proc *p = curproc; 551 struct ucred *cr; 552 gid_t gid; 553 int error; 554 555 lwkt_gettoken(&p->p_token); 556 cr = p->p_ucred; 557 558 /* 559 * See if we have "permission" by POSIX 1003.1 rules. 560 * 561 * Note that setgid(getegid()) is a special case of 562 * "appropriate privileges" in appendix B.4.2.2. We need 563 * to use this clause to be compatible with traditional BSD 564 * semantics. Basically, it means that "setgid(xx)" sets all 565 * three id's (assuming you have privs). 566 * 567 * For notes on the logic here, see setuid() above. 568 */ 569 gid = uap->gid; 570 if (gid != cr->cr_rgid && /* allow setgid(getgid()) */ 571 #ifdef _POSIX_SAVED_IDS 572 gid != cr->cr_svgid && /* allow setgid(saved gid) */ 573 #endif 574 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ 575 gid != cr->cr_groups[0] && /* allow setgid(getegid()) */ 576 #endif 577 (error = priv_check_cred(cr, PRIV_CRED_SETGID, 0))) { 578 goto done; 579 } 580 581 #ifdef _POSIX_SAVED_IDS 582 /* 583 * Do we have "appropriate privileges" (are we root or gid == egid) 584 * If so, we are changing the real uid and saved gid. 585 */ 586 if ( 587 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ 588 gid == cr->cr_groups[0] || 589 #endif 590 priv_check_cred(cr, PRIV_CRED_SETGID, 0) == 0) /* we are using privs */ 591 #endif 592 { 593 /* 594 * Set real gid 595 */ 596 if (cr->cr_rgid != gid) { 597 cr = cratom_proc(p); 598 cr->cr_rgid = gid; 599 setsugid(); 600 } 601 /* 602 * Set saved gid 603 * 604 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as 605 * the security of setegid() depends on it. B.4.2.2 says it 606 * is important that we should do this. 607 */ 608 if (cr->cr_svgid != gid) { 609 cr = cratom_proc(p); 610 cr->cr_svgid = gid; 611 setsugid(); 612 } 613 } 614 /* 615 * In all cases permitted cases, we are changing the egid. 616 * Copy credentials so other references do not see our changes. 617 */ 618 if (cr->cr_groups[0] != gid) { 619 cr = cratom_proc(p); 620 cr->cr_groups[0] = gid; 621 setsugid(); 622 } 623 error = 0; 624 done: 625 lwkt_reltoken(&p->p_token); 626 return (error); 627 } 628 629 int 630 sys_setegid(struct setegid_args *uap) 631 { 632 struct proc *p = curproc; 633 struct ucred *cr; 634 gid_t egid; 635 int error; 636 637 lwkt_gettoken(&p->p_token); 638 cr = p->p_ucred; 639 egid = uap->egid; 640 if (egid != cr->cr_rgid && /* allow setegid(getgid()) */ 641 egid != cr->cr_svgid && /* allow setegid(saved gid) */ 642 (error = priv_check_cred(cr, PRIV_CRED_SETEGID, 0))) { 643 goto done; 644 } 645 if (cr->cr_groups[0] != egid) { 646 cr = cratom_proc(p); 647 cr->cr_groups[0] = egid; 648 setsugid(); 649 } 650 error = 0; 651 done: 652 lwkt_reltoken(&p->p_token); 653 return (error); 654 } 655 656 int 657 sys_setgroups(struct setgroups_args *uap) 658 { 659 struct proc *p = curproc; 660 struct ucred *cr; 661 u_int ngrp; 662 int error; 663 664 lwkt_gettoken(&p->p_token); 665 cr = p->p_ucred; 666 667 if ((error = priv_check_cred(cr, PRIV_CRED_SETGROUPS, 0))) 668 goto done; 669 ngrp = uap->gidsetsize; 670 if (ngrp > NGROUPS) { 671 error = EINVAL; 672 goto done; 673 } 674 /* 675 * XXX A little bit lazy here. We could test if anything has 676 * changed before cratom() and setting P_SUGID. 677 */ 678 cr = cratom_proc(p); 679 if (ngrp < 1) { 680 /* 681 * setgroups(0, NULL) is a legitimate way of clearing the 682 * groups vector on non-BSD systems (which generally do not 683 * have the egid in the groups[0]). We risk security holes 684 * when running non-BSD software if we do not do the same. 685 */ 686 cr->cr_ngroups = 1; 687 } else { 688 error = copyin(uap->gidset, cr->cr_groups, 689 ngrp * sizeof(gid_t)); 690 if (error) 691 goto done; 692 cr->cr_ngroups = ngrp; 693 } 694 setsugid(); 695 error = 0; 696 done: 697 lwkt_reltoken(&p->p_token); 698 return (error); 699 } 700 701 int 702 sys_setreuid(struct setreuid_args *uap) 703 { 704 struct proc *p = curproc; 705 struct ucred *cr; 706 uid_t ruid, euid; 707 int error; 708 709 lwkt_gettoken(&p->p_token); 710 cr = p->p_ucred; 711 712 ruid = uap->ruid; 713 euid = uap->euid; 714 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && 715 ruid != cr->cr_svuid) || 716 (euid != (uid_t)-1 && euid != cr->cr_uid && 717 euid != cr->cr_ruid && euid != cr->cr_svuid)) && 718 (error = priv_check_cred(cr, PRIV_CRED_SETREUID, 0)) != 0) { 719 goto done; 720 } 721 722 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 723 cr = change_euid(euid); 724 setsugid(); 725 } 726 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 727 cr = change_ruid(ruid); 728 setsugid(); 729 } 730 if ((ruid != (uid_t)-1 || cr->cr_uid != cr->cr_ruid) && 731 cr->cr_svuid != cr->cr_uid) { 732 cr = cratom_proc(p); 733 cr->cr_svuid = cr->cr_uid; 734 setsugid(); 735 } 736 error = 0; 737 done: 738 lwkt_reltoken(&p->p_token); 739 return (error); 740 } 741 742 int 743 sys_setregid(struct setregid_args *uap) 744 { 745 struct proc *p = curproc; 746 struct ucred *cr; 747 gid_t rgid, egid; 748 int error; 749 750 lwkt_gettoken(&p->p_token); 751 cr = p->p_ucred; 752 753 rgid = uap->rgid; 754 egid = uap->egid; 755 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && 756 rgid != cr->cr_svgid) || 757 (egid != (gid_t)-1 && egid != cr->cr_groups[0] && 758 egid != cr->cr_rgid && egid != cr->cr_svgid)) && 759 (error = priv_check_cred(cr, PRIV_CRED_SETREGID, 0)) != 0) { 760 goto done; 761 } 762 763 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 764 cr = cratom_proc(p); 765 cr->cr_groups[0] = egid; 766 setsugid(); 767 } 768 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 769 cr = cratom_proc(p); 770 cr->cr_rgid = rgid; 771 setsugid(); 772 } 773 if ((rgid != (gid_t)-1 || cr->cr_groups[0] != cr->cr_rgid) && 774 cr->cr_svgid != cr->cr_groups[0]) { 775 cr = cratom_proc(p); 776 cr->cr_svgid = cr->cr_groups[0]; 777 setsugid(); 778 } 779 error = 0; 780 done: 781 lwkt_reltoken(&p->p_token); 782 return (error); 783 } 784 785 /* 786 * setresuid(ruid, euid, suid) is like setreuid except control over the 787 * saved uid is explicit. 788 */ 789 int 790 sys_setresuid(struct setresuid_args *uap) 791 { 792 struct proc *p = curproc; 793 struct ucred *cr; 794 uid_t ruid, euid, suid; 795 int error; 796 797 lwkt_gettoken(&p->p_token); 798 cr = p->p_ucred; 799 800 ruid = uap->ruid; 801 euid = uap->euid; 802 suid = uap->suid; 803 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && 804 ruid != cr->cr_svuid && ruid != cr->cr_uid) || 805 (euid != (uid_t)-1 && euid != cr->cr_ruid && 806 euid != cr->cr_svuid && euid != cr->cr_uid) || 807 (suid != (uid_t)-1 && suid != cr->cr_ruid && 808 suid != cr->cr_svuid && suid != cr->cr_uid)) && 809 (error = priv_check_cred(cr, PRIV_CRED_SETRESUID, 0)) != 0) { 810 goto done; 811 } 812 if (euid != (uid_t)-1 && cr->cr_uid != euid) { 813 cr = change_euid(euid); 814 setsugid(); 815 } 816 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) { 817 cr = change_ruid(ruid); 818 setsugid(); 819 } 820 if (suid != (uid_t)-1 && cr->cr_svuid != suid) { 821 cr = cratom_proc(p); 822 cr->cr_svuid = suid; 823 setsugid(); 824 } 825 error = 0; 826 done: 827 lwkt_reltoken(&p->p_token); 828 return (error); 829 } 830 831 /* 832 * setresgid(rgid, egid, sgid) is like setregid except control over the 833 * saved gid is explicit. 834 */ 835 int 836 sys_setresgid(struct setresgid_args *uap) 837 { 838 struct proc *p = curproc; 839 struct ucred *cr; 840 gid_t rgid, egid, sgid; 841 int error; 842 843 lwkt_gettoken(&p->p_token); 844 cr = p->p_ucred; 845 rgid = uap->rgid; 846 egid = uap->egid; 847 sgid = uap->sgid; 848 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && 849 rgid != cr->cr_svgid && rgid != cr->cr_groups[0]) || 850 (egid != (gid_t)-1 && egid != cr->cr_rgid && 851 egid != cr->cr_svgid && egid != cr->cr_groups[0]) || 852 (sgid != (gid_t)-1 && sgid != cr->cr_rgid && 853 sgid != cr->cr_svgid && sgid != cr->cr_groups[0])) && 854 (error = priv_check_cred(cr, PRIV_CRED_SETRESGID, 0)) != 0) { 855 goto done; 856 } 857 858 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) { 859 cr = cratom_proc(p); 860 cr->cr_groups[0] = egid; 861 setsugid(); 862 } 863 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) { 864 cr = cratom_proc(p); 865 cr->cr_rgid = rgid; 866 setsugid(); 867 } 868 if (sgid != (gid_t)-1 && cr->cr_svgid != sgid) { 869 cr = cratom_proc(p); 870 cr->cr_svgid = sgid; 871 setsugid(); 872 } 873 error = 0; 874 done: 875 lwkt_reltoken(&p->p_token); 876 return (error); 877 } 878 879 int 880 sys_getresuid(struct getresuid_args *uap) 881 { 882 struct ucred *cr; 883 int error1 = 0, error2 = 0, error3 = 0; 884 885 /* 886 * copyout's can fault synchronously so we cannot use a shared 887 * token here. 888 */ 889 cr = curthread->td_ucred; 890 if (uap->ruid) 891 error1 = copyout((caddr_t)&cr->cr_ruid, 892 (caddr_t)uap->ruid, sizeof(cr->cr_ruid)); 893 if (uap->euid) 894 error2 = copyout((caddr_t)&cr->cr_uid, 895 (caddr_t)uap->euid, sizeof(cr->cr_uid)); 896 if (uap->suid) 897 error3 = copyout((caddr_t)&cr->cr_svuid, 898 (caddr_t)uap->suid, sizeof(cr->cr_svuid)); 899 return error1 ? error1 : (error2 ? error2 : error3); 900 } 901 902 int 903 sys_getresgid(struct getresgid_args *uap) 904 { 905 struct ucred *cr; 906 int error1 = 0, error2 = 0, error3 = 0; 907 908 cr = curthread->td_ucred; 909 if (uap->rgid) 910 error1 = copyout(&cr->cr_rgid, uap->rgid, 911 sizeof(cr->cr_rgid)); 912 if (uap->egid) 913 error2 = copyout(&cr->cr_groups[0], uap->egid, 914 sizeof(cr->cr_groups[0])); 915 if (uap->sgid) 916 error3 = copyout(&cr->cr_svgid, uap->sgid, 917 sizeof(cr->cr_svgid)); 918 return error1 ? error1 : (error2 ? error2 : error3); 919 } 920 921 922 /* 923 * NOTE: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, 924 * we use P_SUGID because we consider changing the owners as 925 * "tainting" as well. 926 * This is significant for procs that start as root and "become" 927 * a user without an exec - programs cannot know *everything* 928 * that libc *might* have put in their data segment. 929 */ 930 int 931 sys_issetugid(struct issetugid_args *uap) 932 { 933 uap->sysmsg_result = (curproc->p_flags & P_SUGID) ? 1 : 0; 934 return (0); 935 } 936 937 /* 938 * Check if gid is a member of the group set. 939 */ 940 int 941 groupmember(gid_t gid, struct ucred *cred) 942 { 943 gid_t *gp; 944 gid_t *egp; 945 946 egp = &(cred->cr_groups[cred->cr_ngroups]); 947 for (gp = cred->cr_groups; gp < egp; gp++) { 948 if (*gp == gid) 949 return (1); 950 } 951 return (0); 952 } 953 954 /* 955 * Test whether the specified credentials have the privilege 956 * in question. 957 * 958 * A kernel thread without a process context is assumed to have 959 * the privilege in question. In situations where the caller always 960 * expect a cred to exist, the cred should be passed separately and 961 * priv_check_cred() should be used instead of priv_check(). 962 * 963 * Returns 0 or error. 964 */ 965 int 966 priv_check(struct thread *td, int priv) 967 { 968 if (td->td_lwp != NULL) 969 return priv_check_cred(td->td_ucred, priv, 0); 970 return (0); 971 } 972 973 /* 974 * Check a credential for privilege. 975 * 976 * A non-null credential is expected unless NULL_CRED_OKAY is set. 977 */ 978 int 979 priv_check_cred(struct ucred *cred, int priv, int flags) 980 { 981 int error; 982 983 KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege")); 984 985 KASSERT(cred != NULL || (flags & NULL_CRED_OKAY), 986 ("priv_check_cred: NULL cred!")); 987 988 if (cred == NULL) { 989 if (flags & NULL_CRED_OKAY) 990 return (0); 991 else 992 return (EPERM); 993 } 994 if (cred->cr_uid != 0) 995 return (EPERM); 996 997 error = prison_priv_check(cred, priv); 998 if (error) 999 return (error); 1000 1001 /* NOTE: accounting for suser access (p_acflag/ASU) removed */ 1002 return (0); 1003 } 1004 1005 /* 1006 * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise. 1007 */ 1008 int 1009 p_trespass(struct ucred *cr1, struct ucred *cr2) 1010 { 1011 if (cr1 == cr2) 1012 return (0); 1013 if (!PRISON_CHECK(cr1, cr2)) 1014 return (ESRCH); 1015 if (cr1->cr_ruid == cr2->cr_ruid) 1016 return (0); 1017 if (cr1->cr_uid == cr2->cr_ruid) 1018 return (0); 1019 if (cr1->cr_ruid == cr2->cr_uid) 1020 return (0); 1021 if (cr1->cr_uid == cr2->cr_uid) 1022 return (0); 1023 if (priv_check_cred(cr1, PRIV_PROC_TRESPASS, 0) == 0) 1024 return (0); 1025 return (EPERM); 1026 } 1027 1028 /* 1029 * Allocate a zeroed cred structure. 1030 */ 1031 struct ucred * 1032 crget(void) 1033 { 1034 struct ucred *cr; 1035 1036 cr = kmalloc(sizeof(*cr), M_CRED, M_WAITOK|M_ZERO); 1037 cr->cr_ref = 1; 1038 1039 return (cr); 1040 } 1041 1042 /* 1043 * Claim another reference to a ucred structure. Can be used with special 1044 * creds. 1045 * 1046 * It must be possible to call this routine with spinlocks held, meaning 1047 * that this routine itself cannot obtain a spinlock. 1048 */ 1049 struct ucred * 1050 crhold(struct ucred *cr) 1051 { 1052 if (cr != NOCRED && cr != FSCRED) 1053 atomic_add_long(&cr->cr_ref, 1); 1054 return(cr); 1055 } 1056 1057 /* 1058 * Drop a reference from the cred structure, free it if the reference count 1059 * reaches 0. 1060 * 1061 * NOTE: because we used atomic_add_int() above, without a spinlock, we 1062 * must also use atomic_subtract_int() below. A spinlock is required 1063 * in crfree() to handle multiple callers racing the refcount to 0. 1064 */ 1065 void 1066 crfree(struct ucred *cr) 1067 { 1068 if (cr->cr_ref <= 0) 1069 panic("Freeing already free credential! %p", cr); 1070 if (atomic_fetchadd_long(&cr->cr_ref, -1) == 1) { 1071 /* 1072 * Some callers of crget(), such as nfs_statfs(), 1073 * allocate a temporary credential, but don't 1074 * allocate a uidinfo structure. 1075 */ 1076 if (cr->cr_uidinfo != NULL) { 1077 uidrop(cr->cr_uidinfo); 1078 cr->cr_uidinfo = NULL; 1079 } 1080 if (cr->cr_ruidinfo != NULL) { 1081 uidrop(cr->cr_ruidinfo); 1082 cr->cr_ruidinfo = NULL; 1083 } 1084 1085 /* 1086 * Destroy empty prisons 1087 */ 1088 if (jailed(cr)) 1089 prison_free(cr->cr_prison); 1090 cr->cr_prison = NULL; /* safety */ 1091 1092 kfree((caddr_t)cr, M_CRED); 1093 } 1094 } 1095 1096 /* 1097 * Atomize a cred structure so it can be modified without polluting 1098 * other references to it. 1099 * 1100 * MPSAFE (however, *pcr must be stable) 1101 */ 1102 struct ucred * 1103 cratom(struct ucred **pcr) 1104 { 1105 struct ucred *oldcr; 1106 struct ucred *newcr; 1107 1108 oldcr = *pcr; 1109 if (oldcr->cr_ref == 1) 1110 return (oldcr); 1111 newcr = crget(); /* this might block */ 1112 oldcr = *pcr; /* re-cache after potentially blocking */ 1113 *newcr = *oldcr; 1114 uihold(newcr->cr_uidinfo); 1115 uihold(newcr->cr_ruidinfo); 1116 if (jailed(newcr)) 1117 prison_hold(newcr->cr_prison); 1118 newcr->cr_ref = 1; 1119 crfree(oldcr); 1120 *pcr = newcr; 1121 1122 return (newcr); 1123 } 1124 1125 /* 1126 * Called with a modifying token held, but must still obtain p_spin to 1127 * actually replace p_ucred to handle races against syscall entry from 1128 * other threads which cache p_ucred->td_ucred. 1129 * 1130 * (the threads will only get the spin-lock, and they only need to in 1131 * the case where td_ucred != p_ucred so this is optimal). 1132 */ 1133 struct ucred * 1134 cratom_proc(struct proc *p) 1135 { 1136 struct ucred *oldcr; 1137 struct ucred *newcr; 1138 1139 oldcr = p->p_ucred; 1140 if (oldcr->cr_ref == 1) 1141 return(oldcr); 1142 1143 newcr = crget(); /* this might block */ 1144 oldcr = p->p_ucred; /* so re-cache oldcr (do not re-test) */ 1145 *newcr = *oldcr; 1146 uihold(newcr->cr_uidinfo); 1147 uihold(newcr->cr_ruidinfo); 1148 if (jailed(newcr)) 1149 prison_hold(newcr->cr_prison); 1150 newcr->cr_ref = 1; 1151 1152 spin_lock(&p->p_spin); 1153 p->p_ucred = newcr; 1154 spin_unlock(&p->p_spin); 1155 crfree(oldcr); 1156 1157 return newcr; 1158 } 1159 1160 /* 1161 * Dup cred struct to a new held one. 1162 */ 1163 struct ucred * 1164 crdup(struct ucred *cr) 1165 { 1166 struct ucred *newcr; 1167 1168 newcr = crget(); 1169 *newcr = *cr; 1170 uihold(newcr->cr_uidinfo); 1171 uihold(newcr->cr_ruidinfo); 1172 if (jailed(newcr)) 1173 prison_hold(newcr->cr_prison); 1174 newcr->cr_ref = 1; 1175 return (newcr); 1176 } 1177 1178 /* 1179 * Fill in a struct xucred based on a struct ucred. 1180 */ 1181 void 1182 cru2x(struct ucred *cr, struct xucred *xcr) 1183 { 1184 1185 bzero(xcr, sizeof(*xcr)); 1186 xcr->cr_version = XUCRED_VERSION; 1187 xcr->cr_uid = cr->cr_uid; 1188 xcr->cr_ngroups = cr->cr_ngroups; 1189 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups)); 1190 } 1191 1192 /* 1193 * Get login name, if available. 1194 */ 1195 int 1196 sys_getlogin(struct getlogin_args *uap) 1197 { 1198 struct proc *p = curproc; 1199 char buf[MAXLOGNAME]; 1200 int error; 1201 1202 if (uap->namelen > MAXLOGNAME) /* namelen is unsigned */ 1203 uap->namelen = MAXLOGNAME; 1204 bzero(buf, sizeof(buf)); 1205 lwkt_gettoken_shared(&p->p_token); 1206 bcopy(p->p_pgrp->pg_session->s_login, buf, uap->namelen); 1207 lwkt_reltoken(&p->p_token); 1208 1209 error = copyout(buf, uap->namebuf, uap->namelen); 1210 return (error); 1211 } 1212 1213 /* 1214 * Set login name. 1215 */ 1216 int 1217 sys_setlogin(struct setlogin_args *uap) 1218 { 1219 struct thread *td = curthread; 1220 struct proc *p; 1221 struct ucred *cred; 1222 char buf[MAXLOGNAME]; 1223 int error; 1224 1225 cred = td->td_ucred; 1226 p = td->td_proc; 1227 1228 if ((error = priv_check_cred(cred, PRIV_PROC_SETLOGIN, 0))) 1229 return (error); 1230 bzero(buf, sizeof(buf)); 1231 error = copyinstr(uap->namebuf, buf, sizeof(buf), NULL); 1232 if (error == ENAMETOOLONG) 1233 error = EINVAL; 1234 if (error == 0) { 1235 lwkt_gettoken_shared(&p->p_token); 1236 memcpy(p->p_pgrp->pg_session->s_login, buf, sizeof(buf)); 1237 lwkt_reltoken(&p->p_token); 1238 } 1239 return (error); 1240 } 1241 1242 void 1243 setsugid(void) 1244 { 1245 struct proc *p = curproc; 1246 1247 KKASSERT(p != NULL); 1248 lwkt_gettoken(&p->p_token); 1249 p->p_flags |= P_SUGID; 1250 if (!(p->p_pfsflags & PF_ISUGID)) 1251 p->p_stops = 0; 1252 lwkt_reltoken(&p->p_token); 1253 } 1254 1255 /* 1256 * Helper function to change the effective uid of a process 1257 */ 1258 struct ucred * 1259 change_euid(uid_t euid) 1260 { 1261 struct proc *p = curproc; 1262 struct ucred *cr; 1263 1264 KKASSERT(p != NULL); 1265 lf_count_adjust(p, 0); 1266 cr = cratom_proc(p); 1267 cr->cr_uid = euid; 1268 uireplace(&cr->cr_uidinfo, uifind(euid)); 1269 lf_count_adjust(p, 1); 1270 return (cr); 1271 } 1272 1273 /* 1274 * Helper function to change the real uid of a process 1275 * 1276 * The per-uid process count for this process is transfered from 1277 * the old uid to the new uid. 1278 */ 1279 struct ucred * 1280 change_ruid(uid_t ruid) 1281 { 1282 struct proc *p = curproc; 1283 struct ucred *cr; 1284 1285 KKASSERT(p != NULL); 1286 1287 cr = cratom_proc(p); 1288 chgproccnt(cr->cr_ruidinfo, -1, 0); 1289 cr->cr_ruid = ruid; 1290 uireplace(&cr->cr_ruidinfo, uifind(ruid)); 1291 chgproccnt(cr->cr_ruidinfo, 1, 0); 1292 return (cr); 1293 } 1294