1 | #include <freebsd/machine/rtems-bsd-config.h> |
---|
2 | |
---|
3 | /*- |
---|
4 | * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 |
---|
5 | * The Regents of the University of California. |
---|
6 | * (c) UNIX System Laboratories, Inc. |
---|
7 | * Copyright (c) 2000-2001 Robert N. M. Watson. |
---|
8 | * All rights reserved. |
---|
9 | * |
---|
10 | * All or some portions of this file are derived from material licensed |
---|
11 | * to the University of California by American Telephone and Telegraph |
---|
12 | * Co. or Unix System Laboratories, Inc. and are reproduced herein with |
---|
13 | * the permission of UNIX System Laboratories, Inc. |
---|
14 | * |
---|
15 | * Redistribution and use in source and binary forms, with or without |
---|
16 | * modification, are permitted provided that the following conditions |
---|
17 | * are met: |
---|
18 | * 1. Redistributions of source code must retain the above copyright |
---|
19 | * notice, this list of conditions and the following disclaimer. |
---|
20 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
21 | * notice, this list of conditions and the following disclaimer in the |
---|
22 | * documentation and/or other materials provided with the distribution. |
---|
23 | * 4. Neither the name of the University nor the names of its contributors |
---|
24 | * may be used to endorse or promote products derived from this software |
---|
25 | * without specific prior written permission. |
---|
26 | * |
---|
27 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND |
---|
28 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
29 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
30 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
---|
31 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
32 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
33 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
34 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
35 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
36 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
37 | * SUCH DAMAGE. |
---|
38 | * |
---|
39 | * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 |
---|
40 | */ |
---|
41 | |
---|
42 | /* |
---|
43 | * System calls related to processes and protection |
---|
44 | */ |
---|
45 | |
---|
46 | #include <freebsd/sys/cdefs.h> |
---|
47 | __FBSDID("$FreeBSD$"); |
---|
48 | |
---|
49 | #include <freebsd/local/opt_compat.h> |
---|
50 | #include <freebsd/local/opt_inet.h> |
---|
51 | #include <freebsd/local/opt_inet6.h> |
---|
52 | |
---|
53 | #include <freebsd/sys/param.h> |
---|
54 | #include <freebsd/sys/systm.h> |
---|
55 | #ifndef __rtems__ |
---|
56 | #include <freebsd/sys/acct.h> |
---|
57 | #include <freebsd/sys/kdb.h> |
---|
58 | #endif /* __rtems__ */ |
---|
59 | #include <freebsd/sys/kernel.h> |
---|
60 | #include <freebsd/sys/lock.h> |
---|
61 | #include <freebsd/sys/malloc.h> |
---|
62 | #include <freebsd/sys/mutex.h> |
---|
63 | #include <freebsd/sys/refcount.h> |
---|
64 | #include <freebsd/sys/sx.h> |
---|
65 | #include <freebsd/sys/priv.h> |
---|
66 | #include <freebsd/sys/proc.h> |
---|
67 | #include <freebsd/sys/sysproto.h> |
---|
68 | #include <freebsd/sys/jail.h> |
---|
69 | #ifndef __rtems__ |
---|
70 | #include <freebsd/sys/pioctl.h> |
---|
71 | #endif /* __rtems__ */ |
---|
72 | #include <freebsd/sys/resourcevar.h> |
---|
73 | #include <freebsd/sys/socket.h> |
---|
74 | #include <freebsd/sys/socketvar.h> |
---|
75 | #include <freebsd/sys/syscallsubr.h> |
---|
76 | #include <freebsd/sys/sysctl.h> |
---|
77 | |
---|
78 | #if defined(INET) || defined(INET6) |
---|
79 | #include <freebsd/netinet/in.h> |
---|
80 | #include <freebsd/netinet/in_pcb.h> |
---|
81 | #endif |
---|
82 | |
---|
83 | #include <freebsd/security/audit/audit.h> |
---|
84 | #include <freebsd/security/mac/mac_framework.h> |
---|
85 | |
---|
86 | static MALLOC_DEFINE(M_CRED, "cred", "credentials"); |
---|
87 | |
---|
88 | SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); |
---|
89 | |
---|
90 | static void crextend(struct ucred *cr, int n); |
---|
91 | #ifndef __rtems__ |
---|
92 | static void crsetgroups_locked(struct ucred *cr, int ngrp, |
---|
93 | gid_t *groups); |
---|
94 | |
---|
95 | #ifndef _SYS_SYSPROTO_HH_ |
---|
96 | struct getpid_args { |
---|
97 | int dummy; |
---|
98 | }; |
---|
99 | #endif |
---|
100 | /* ARGSUSED */ |
---|
101 | int |
---|
102 | getpid(struct thread *td, struct getpid_args *uap) |
---|
103 | { |
---|
104 | struct proc *p = td->td_proc; |
---|
105 | |
---|
106 | td->td_retval[0] = p->p_pid; |
---|
107 | #if defined(COMPAT_43) |
---|
108 | PROC_LOCK(p); |
---|
109 | td->td_retval[1] = p->p_pptr->p_pid; |
---|
110 | PROC_UNLOCK(p); |
---|
111 | #endif |
---|
112 | return (0); |
---|
113 | } |
---|
114 | |
---|
115 | #ifndef _SYS_SYSPROTO_HH_ |
---|
116 | struct getppid_args { |
---|
117 | int dummy; |
---|
118 | }; |
---|
119 | #endif |
---|
120 | /* ARGSUSED */ |
---|
121 | int |
---|
122 | getppid(struct thread *td, struct getppid_args *uap) |
---|
123 | { |
---|
124 | struct proc *p = td->td_proc; |
---|
125 | |
---|
126 | PROC_LOCK(p); |
---|
127 | td->td_retval[0] = p->p_pptr->p_pid; |
---|
128 | PROC_UNLOCK(p); |
---|
129 | return (0); |
---|
130 | } |
---|
131 | |
---|
132 | /* |
---|
133 | * Get process group ID; note that POSIX getpgrp takes no parameter. |
---|
134 | */ |
---|
135 | #ifndef _SYS_SYSPROTO_HH_ |
---|
136 | struct getpgrp_args { |
---|
137 | int dummy; |
---|
138 | }; |
---|
139 | #endif |
---|
140 | int |
---|
141 | getpgrp(struct thread *td, struct getpgrp_args *uap) |
---|
142 | { |
---|
143 | struct proc *p = td->td_proc; |
---|
144 | |
---|
145 | PROC_LOCK(p); |
---|
146 | td->td_retval[0] = p->p_pgrp->pg_id; |
---|
147 | PROC_UNLOCK(p); |
---|
148 | return (0); |
---|
149 | } |
---|
150 | |
---|
151 | /* Get an arbitary pid's process group id */ |
---|
152 | #ifndef _SYS_SYSPROTO_HH_ |
---|
153 | struct getpgid_args { |
---|
154 | pid_t pid; |
---|
155 | }; |
---|
156 | #endif |
---|
157 | int |
---|
158 | getpgid(struct thread *td, struct getpgid_args *uap) |
---|
159 | { |
---|
160 | struct proc *p; |
---|
161 | int error; |
---|
162 | |
---|
163 | if (uap->pid == 0) { |
---|
164 | p = td->td_proc; |
---|
165 | PROC_LOCK(p); |
---|
166 | } else { |
---|
167 | p = pfind(uap->pid); |
---|
168 | if (p == NULL) |
---|
169 | return (ESRCH); |
---|
170 | error = p_cansee(td, p); |
---|
171 | if (error) { |
---|
172 | PROC_UNLOCK(p); |
---|
173 | return (error); |
---|
174 | } |
---|
175 | } |
---|
176 | td->td_retval[0] = p->p_pgrp->pg_id; |
---|
177 | PROC_UNLOCK(p); |
---|
178 | return (0); |
---|
179 | } |
---|
180 | |
---|
181 | /* |
---|
182 | * Get an arbitary pid's session id. |
---|
183 | */ |
---|
184 | #ifndef _SYS_SYSPROTO_HH_ |
---|
185 | struct getsid_args { |
---|
186 | pid_t pid; |
---|
187 | }; |
---|
188 | #endif |
---|
189 | int |
---|
190 | getsid(struct thread *td, struct getsid_args *uap) |
---|
191 | { |
---|
192 | struct proc *p; |
---|
193 | int error; |
---|
194 | |
---|
195 | if (uap->pid == 0) { |
---|
196 | p = td->td_proc; |
---|
197 | PROC_LOCK(p); |
---|
198 | } else { |
---|
199 | p = pfind(uap->pid); |
---|
200 | if (p == NULL) |
---|
201 | return (ESRCH); |
---|
202 | error = p_cansee(td, p); |
---|
203 | if (error) { |
---|
204 | PROC_UNLOCK(p); |
---|
205 | return (error); |
---|
206 | } |
---|
207 | } |
---|
208 | td->td_retval[0] = p->p_session->s_sid; |
---|
209 | PROC_UNLOCK(p); |
---|
210 | return (0); |
---|
211 | } |
---|
212 | |
---|
213 | #ifndef _SYS_SYSPROTO_HH_ |
---|
214 | struct getuid_args { |
---|
215 | int dummy; |
---|
216 | }; |
---|
217 | #endif |
---|
218 | /* ARGSUSED */ |
---|
219 | int |
---|
220 | getuid(struct thread *td, struct getuid_args *uap) |
---|
221 | { |
---|
222 | |
---|
223 | td->td_retval[0] = td->td_ucred->cr_ruid; |
---|
224 | #if defined(COMPAT_43) |
---|
225 | td->td_retval[1] = td->td_ucred->cr_uid; |
---|
226 | #endif |
---|
227 | return (0); |
---|
228 | } |
---|
229 | |
---|
230 | #ifndef _SYS_SYSPROTO_HH_ |
---|
231 | struct geteuid_args { |
---|
232 | int dummy; |
---|
233 | }; |
---|
234 | #endif |
---|
235 | /* ARGSUSED */ |
---|
236 | int |
---|
237 | geteuid(struct thread *td, struct geteuid_args *uap) |
---|
238 | { |
---|
239 | |
---|
240 | td->td_retval[0] = td->td_ucred->cr_uid; |
---|
241 | return (0); |
---|
242 | } |
---|
243 | |
---|
244 | #ifndef _SYS_SYSPROTO_HH_ |
---|
245 | struct getgid_args { |
---|
246 | int dummy; |
---|
247 | }; |
---|
248 | #endif |
---|
249 | /* ARGSUSED */ |
---|
250 | int |
---|
251 | getgid(struct thread *td, struct getgid_args *uap) |
---|
252 | { |
---|
253 | |
---|
254 | td->td_retval[0] = td->td_ucred->cr_rgid; |
---|
255 | #if defined(COMPAT_43) |
---|
256 | td->td_retval[1] = td->td_ucred->cr_groups[0]; |
---|
257 | #endif |
---|
258 | return (0); |
---|
259 | } |
---|
260 | |
---|
261 | /* |
---|
262 | * Get effective group ID. The "egid" is groups[0], and could be obtained |
---|
263 | * via getgroups. This syscall exists because it is somewhat painful to do |
---|
264 | * correctly in a library function. |
---|
265 | */ |
---|
266 | #ifndef _SYS_SYSPROTO_HH_ |
---|
267 | struct getegid_args { |
---|
268 | int dummy; |
---|
269 | }; |
---|
270 | #endif |
---|
271 | /* ARGSUSED */ |
---|
272 | int |
---|
273 | getegid(struct thread *td, struct getegid_args *uap) |
---|
274 | { |
---|
275 | |
---|
276 | td->td_retval[0] = td->td_ucred->cr_groups[0]; |
---|
277 | return (0); |
---|
278 | } |
---|
279 | |
---|
280 | #ifndef _SYS_SYSPROTO_HH_ |
---|
281 | struct getgroups_args { |
---|
282 | u_int gidsetsize; |
---|
283 | gid_t *gidset; |
---|
284 | }; |
---|
285 | #endif |
---|
286 | int |
---|
287 | getgroups(struct thread *td, register struct getgroups_args *uap) |
---|
288 | { |
---|
289 | gid_t *groups; |
---|
290 | u_int ngrp; |
---|
291 | int error; |
---|
292 | |
---|
293 | if (uap->gidsetsize < td->td_ucred->cr_ngroups) { |
---|
294 | if (uap->gidsetsize == 0) |
---|
295 | ngrp = 0; |
---|
296 | else |
---|
297 | return (EINVAL); |
---|
298 | } else |
---|
299 | ngrp = td->td_ucred->cr_ngroups; |
---|
300 | groups = malloc(ngrp * sizeof(*groups), M_TEMP, M_WAITOK); |
---|
301 | error = kern_getgroups(td, &ngrp, groups); |
---|
302 | if (error) |
---|
303 | goto out; |
---|
304 | if (uap->gidsetsize > 0) |
---|
305 | error = copyout(groups, uap->gidset, ngrp * sizeof(gid_t)); |
---|
306 | if (error == 0) |
---|
307 | td->td_retval[0] = ngrp; |
---|
308 | out: |
---|
309 | free(groups, M_TEMP); |
---|
310 | return (error); |
---|
311 | } |
---|
312 | |
---|
313 | int |
---|
314 | kern_getgroups(struct thread *td, u_int *ngrp, gid_t *groups) |
---|
315 | { |
---|
316 | struct ucred *cred; |
---|
317 | |
---|
318 | cred = td->td_ucred; |
---|
319 | if (*ngrp == 0) { |
---|
320 | *ngrp = cred->cr_ngroups; |
---|
321 | return (0); |
---|
322 | } |
---|
323 | if (*ngrp < cred->cr_ngroups) |
---|
324 | return (EINVAL); |
---|
325 | *ngrp = cred->cr_ngroups; |
---|
326 | bcopy(cred->cr_groups, groups, *ngrp * sizeof(gid_t)); |
---|
327 | return (0); |
---|
328 | } |
---|
329 | |
---|
330 | #ifndef _SYS_SYSPROTO_HH_ |
---|
331 | struct setsid_args { |
---|
332 | int dummy; |
---|
333 | }; |
---|
334 | #endif |
---|
335 | /* ARGSUSED */ |
---|
336 | int |
---|
337 | setsid(register struct thread *td, struct setsid_args *uap) |
---|
338 | { |
---|
339 | struct pgrp *pgrp; |
---|
340 | int error; |
---|
341 | struct proc *p = td->td_proc; |
---|
342 | struct pgrp *newpgrp; |
---|
343 | struct session *newsess; |
---|
344 | |
---|
345 | error = 0; |
---|
346 | pgrp = NULL; |
---|
347 | |
---|
348 | newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); |
---|
349 | newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); |
---|
350 | |
---|
351 | sx_xlock(&proctree_lock); |
---|
352 | |
---|
353 | if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { |
---|
354 | if (pgrp != NULL) |
---|
355 | PGRP_UNLOCK(pgrp); |
---|
356 | error = EPERM; |
---|
357 | } else { |
---|
358 | (void)enterpgrp(p, p->p_pid, newpgrp, newsess); |
---|
359 | td->td_retval[0] = p->p_pid; |
---|
360 | newpgrp = NULL; |
---|
361 | newsess = NULL; |
---|
362 | } |
---|
363 | |
---|
364 | sx_xunlock(&proctree_lock); |
---|
365 | |
---|
366 | if (newpgrp != NULL) |
---|
367 | free(newpgrp, M_PGRP); |
---|
368 | if (newsess != NULL) |
---|
369 | free(newsess, M_SESSION); |
---|
370 | |
---|
371 | return (error); |
---|
372 | } |
---|
373 | |
---|
374 | /* |
---|
375 | * set process group (setpgid/old setpgrp) |
---|
376 | * |
---|
377 | * caller does setpgid(targpid, targpgid) |
---|
378 | * |
---|
379 | * pid must be caller or child of caller (ESRCH) |
---|
380 | * if a child |
---|
381 | * pid must be in same session (EPERM) |
---|
382 | * pid can't have done an exec (EACCES) |
---|
383 | * if pgid != pid |
---|
384 | * there must exist some pid in same session having pgid (EPERM) |
---|
385 | * pid must not be session leader (EPERM) |
---|
386 | */ |
---|
387 | #ifndef _SYS_SYSPROTO_HH_ |
---|
388 | struct setpgid_args { |
---|
389 | int pid; /* target process id */ |
---|
390 | int pgid; /* target pgrp id */ |
---|
391 | }; |
---|
392 | #endif |
---|
393 | /* ARGSUSED */ |
---|
394 | int |
---|
395 | setpgid(struct thread *td, register struct setpgid_args *uap) |
---|
396 | { |
---|
397 | struct proc *curp = td->td_proc; |
---|
398 | register struct proc *targp; /* target process */ |
---|
399 | register struct pgrp *pgrp; /* target pgrp */ |
---|
400 | int error; |
---|
401 | struct pgrp *newpgrp; |
---|
402 | |
---|
403 | if (uap->pgid < 0) |
---|
404 | return (EINVAL); |
---|
405 | |
---|
406 | error = 0; |
---|
407 | |
---|
408 | newpgrp = malloc(sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO); |
---|
409 | |
---|
410 | sx_xlock(&proctree_lock); |
---|
411 | if (uap->pid != 0 && uap->pid != curp->p_pid) { |
---|
412 | if ((targp = pfind(uap->pid)) == NULL) { |
---|
413 | error = ESRCH; |
---|
414 | goto done; |
---|
415 | } |
---|
416 | if (!inferior(targp)) { |
---|
417 | PROC_UNLOCK(targp); |
---|
418 | error = ESRCH; |
---|
419 | goto done; |
---|
420 | } |
---|
421 | if ((error = p_cansee(td, targp))) { |
---|
422 | PROC_UNLOCK(targp); |
---|
423 | goto done; |
---|
424 | } |
---|
425 | if (targp->p_pgrp == NULL || |
---|
426 | targp->p_session != curp->p_session) { |
---|
427 | PROC_UNLOCK(targp); |
---|
428 | error = EPERM; |
---|
429 | goto done; |
---|
430 | } |
---|
431 | if (targp->p_flag & P_EXEC) { |
---|
432 | PROC_UNLOCK(targp); |
---|
433 | error = EACCES; |
---|
434 | goto done; |
---|
435 | } |
---|
436 | PROC_UNLOCK(targp); |
---|
437 | } else |
---|
438 | targp = curp; |
---|
439 | if (SESS_LEADER(targp)) { |
---|
440 | error = EPERM; |
---|
441 | goto done; |
---|
442 | } |
---|
443 | if (uap->pgid == 0) |
---|
444 | uap->pgid = targp->p_pid; |
---|
445 | if ((pgrp = pgfind(uap->pgid)) == NULL) { |
---|
446 | if (uap->pgid == targp->p_pid) { |
---|
447 | error = enterpgrp(targp, uap->pgid, newpgrp, |
---|
448 | NULL); |
---|
449 | if (error == 0) |
---|
450 | newpgrp = NULL; |
---|
451 | } else |
---|
452 | error = EPERM; |
---|
453 | } else { |
---|
454 | if (pgrp == targp->p_pgrp) { |
---|
455 | PGRP_UNLOCK(pgrp); |
---|
456 | goto done; |
---|
457 | } |
---|
458 | if (pgrp->pg_id != targp->p_pid && |
---|
459 | pgrp->pg_session != curp->p_session) { |
---|
460 | PGRP_UNLOCK(pgrp); |
---|
461 | error = EPERM; |
---|
462 | goto done; |
---|
463 | } |
---|
464 | PGRP_UNLOCK(pgrp); |
---|
465 | error = enterthispgrp(targp, pgrp); |
---|
466 | } |
---|
467 | done: |
---|
468 | sx_xunlock(&proctree_lock); |
---|
469 | KASSERT((error == 0) || (newpgrp != NULL), |
---|
470 | ("setpgid failed and newpgrp is NULL")); |
---|
471 | if (newpgrp != NULL) |
---|
472 | free(newpgrp, M_PGRP); |
---|
473 | return (error); |
---|
474 | } |
---|
475 | |
---|
476 | /* |
---|
477 | * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD |
---|
478 | * compatible. It says that setting the uid/gid to euid/egid is a special |
---|
479 | * case of "appropriate privilege". Once the rules are expanded out, this |
---|
480 | * basically means that setuid(nnn) sets all three id's, in all permitted |
---|
481 | * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) |
---|
482 | * does not set the saved id - this is dangerous for traditional BSD |
---|
483 | * programs. For this reason, we *really* do not want to set |
---|
484 | * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. |
---|
485 | */ |
---|
486 | #define POSIX_APPENDIX_B_4_2_2 |
---|
487 | |
---|
488 | #ifndef _SYS_SYSPROTO_HH_ |
---|
489 | struct setuid_args { |
---|
490 | uid_t uid; |
---|
491 | }; |
---|
492 | #endif |
---|
493 | /* ARGSUSED */ |
---|
494 | int |
---|
495 | setuid(struct thread *td, struct setuid_args *uap) |
---|
496 | { |
---|
497 | struct proc *p = td->td_proc; |
---|
498 | struct ucred *newcred, *oldcred; |
---|
499 | uid_t uid; |
---|
500 | struct uidinfo *uip; |
---|
501 | int error; |
---|
502 | |
---|
503 | uid = uap->uid; |
---|
504 | AUDIT_ARG_UID(uid); |
---|
505 | newcred = crget(); |
---|
506 | uip = uifind(uid); |
---|
507 | PROC_LOCK(p); |
---|
508 | /* |
---|
509 | * Copy credentials so other references do not see our changes. |
---|
510 | */ |
---|
511 | oldcred = crcopysafe(p, newcred); |
---|
512 | |
---|
513 | #ifdef MAC |
---|
514 | error = mac_cred_check_setuid(oldcred, uid); |
---|
515 | if (error) |
---|
516 | goto fail; |
---|
517 | #endif |
---|
518 | |
---|
519 | /* |
---|
520 | * See if we have "permission" by POSIX 1003.1 rules. |
---|
521 | * |
---|
522 | * Note that setuid(geteuid()) is a special case of |
---|
523 | * "appropriate privileges" in appendix B.4.2.2. We need |
---|
524 | * to use this clause to be compatible with traditional BSD |
---|
525 | * semantics. Basically, it means that "setuid(xx)" sets all |
---|
526 | * three id's (assuming you have privs). |
---|
527 | * |
---|
528 | * Notes on the logic. We do things in three steps. |
---|
529 | * 1: We determine if the euid is going to change, and do EPERM |
---|
530 | * right away. We unconditionally change the euid later if this |
---|
531 | * test is satisfied, simplifying that part of the logic. |
---|
532 | * 2: We determine if the real and/or saved uids are going to |
---|
533 | * change. Determined by compile options. |
---|
534 | * 3: Change euid last. (after tests in #2 for "appropriate privs") |
---|
535 | */ |
---|
536 | if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ |
---|
537 | #ifdef _POSIX_SAVED_IDS |
---|
538 | uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ |
---|
539 | #endif |
---|
540 | #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ |
---|
541 | uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ |
---|
542 | #endif |
---|
543 | (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)) != 0) |
---|
544 | goto fail; |
---|
545 | |
---|
546 | #ifdef _POSIX_SAVED_IDS |
---|
547 | /* |
---|
548 | * Do we have "appropriate privileges" (are we root or uid == euid) |
---|
549 | * If so, we are changing the real uid and/or saved uid. |
---|
550 | */ |
---|
551 | if ( |
---|
552 | #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ |
---|
553 | uid == oldcred->cr_uid || |
---|
554 | #endif |
---|
555 | /* We are using privs. */ |
---|
556 | priv_check_cred(oldcred, PRIV_CRED_SETUID, 0) == 0) |
---|
557 | #endif |
---|
558 | { |
---|
559 | /* |
---|
560 | * Set the real uid and transfer proc count to new user. |
---|
561 | */ |
---|
562 | if (uid != oldcred->cr_ruid) { |
---|
563 | change_ruid(newcred, uip); |
---|
564 | setsugid(p); |
---|
565 | } |
---|
566 | /* |
---|
567 | * Set saved uid |
---|
568 | * |
---|
569 | * XXX always set saved uid even if not _POSIX_SAVED_IDS, as |
---|
570 | * the security of seteuid() depends on it. B.4.2.2 says it |
---|
571 | * is important that we should do this. |
---|
572 | */ |
---|
573 | if (uid != oldcred->cr_svuid) { |
---|
574 | change_svuid(newcred, uid); |
---|
575 | setsugid(p); |
---|
576 | } |
---|
577 | } |
---|
578 | |
---|
579 | /* |
---|
580 | * In all permitted cases, we are changing the euid. |
---|
581 | */ |
---|
582 | if (uid != oldcred->cr_uid) { |
---|
583 | change_euid(newcred, uip); |
---|
584 | setsugid(p); |
---|
585 | } |
---|
586 | p->p_ucred = newcred; |
---|
587 | PROC_UNLOCK(p); |
---|
588 | uifree(uip); |
---|
589 | crfree(oldcred); |
---|
590 | return (0); |
---|
591 | |
---|
592 | fail: |
---|
593 | PROC_UNLOCK(p); |
---|
594 | uifree(uip); |
---|
595 | crfree(newcred); |
---|
596 | return (error); |
---|
597 | } |
---|
598 | |
---|
599 | #ifndef _SYS_SYSPROTO_HH_ |
---|
600 | struct seteuid_args { |
---|
601 | uid_t euid; |
---|
602 | }; |
---|
603 | #endif |
---|
604 | /* ARGSUSED */ |
---|
605 | int |
---|
606 | seteuid(struct thread *td, struct seteuid_args *uap) |
---|
607 | { |
---|
608 | struct proc *p = td->td_proc; |
---|
609 | struct ucred *newcred, *oldcred; |
---|
610 | uid_t euid; |
---|
611 | struct uidinfo *euip; |
---|
612 | int error; |
---|
613 | |
---|
614 | euid = uap->euid; |
---|
615 | AUDIT_ARG_EUID(euid); |
---|
616 | newcred = crget(); |
---|
617 | euip = uifind(euid); |
---|
618 | PROC_LOCK(p); |
---|
619 | /* |
---|
620 | * Copy credentials so other references do not see our changes. |
---|
621 | */ |
---|
622 | oldcred = crcopysafe(p, newcred); |
---|
623 | |
---|
624 | #ifdef MAC |
---|
625 | error = mac_cred_check_seteuid(oldcred, euid); |
---|
626 | if (error) |
---|
627 | goto fail; |
---|
628 | #endif |
---|
629 | |
---|
630 | if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ |
---|
631 | euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ |
---|
632 | (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, 0)) != 0) |
---|
633 | goto fail; |
---|
634 | |
---|
635 | /* |
---|
636 | * Everything's okay, do it. |
---|
637 | */ |
---|
638 | if (oldcred->cr_uid != euid) { |
---|
639 | change_euid(newcred, euip); |
---|
640 | setsugid(p); |
---|
641 | } |
---|
642 | p->p_ucred = newcred; |
---|
643 | PROC_UNLOCK(p); |
---|
644 | uifree(euip); |
---|
645 | crfree(oldcred); |
---|
646 | return (0); |
---|
647 | |
---|
648 | fail: |
---|
649 | PROC_UNLOCK(p); |
---|
650 | uifree(euip); |
---|
651 | crfree(newcred); |
---|
652 | return (error); |
---|
653 | } |
---|
654 | |
---|
655 | #ifndef _SYS_SYSPROTO_HH_ |
---|
656 | struct setgid_args { |
---|
657 | gid_t gid; |
---|
658 | }; |
---|
659 | #endif |
---|
660 | /* ARGSUSED */ |
---|
661 | int |
---|
662 | setgid(struct thread *td, struct setgid_args *uap) |
---|
663 | { |
---|
664 | struct proc *p = td->td_proc; |
---|
665 | struct ucred *newcred, *oldcred; |
---|
666 | gid_t gid; |
---|
667 | int error; |
---|
668 | |
---|
669 | gid = uap->gid; |
---|
670 | AUDIT_ARG_GID(gid); |
---|
671 | newcred = crget(); |
---|
672 | PROC_LOCK(p); |
---|
673 | oldcred = crcopysafe(p, newcred); |
---|
674 | |
---|
675 | #ifdef MAC |
---|
676 | error = mac_cred_check_setgid(oldcred, gid); |
---|
677 | if (error) |
---|
678 | goto fail; |
---|
679 | #endif |
---|
680 | |
---|
681 | /* |
---|
682 | * See if we have "permission" by POSIX 1003.1 rules. |
---|
683 | * |
---|
684 | * Note that setgid(getegid()) is a special case of |
---|
685 | * "appropriate privileges" in appendix B.4.2.2. We need |
---|
686 | * to use this clause to be compatible with traditional BSD |
---|
687 | * semantics. Basically, it means that "setgid(xx)" sets all |
---|
688 | * three id's (assuming you have privs). |
---|
689 | * |
---|
690 | * For notes on the logic here, see setuid() above. |
---|
691 | */ |
---|
692 | if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ |
---|
693 | #ifdef _POSIX_SAVED_IDS |
---|
694 | gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ |
---|
695 | #endif |
---|
696 | #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ |
---|
697 | gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ |
---|
698 | #endif |
---|
699 | (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, 0)) != 0) |
---|
700 | goto fail; |
---|
701 | |
---|
702 | #ifdef _POSIX_SAVED_IDS |
---|
703 | /* |
---|
704 | * Do we have "appropriate privileges" (are we root or gid == egid) |
---|
705 | * If so, we are changing the real uid and saved gid. |
---|
706 | */ |
---|
707 | if ( |
---|
708 | #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ |
---|
709 | gid == oldcred->cr_groups[0] || |
---|
710 | #endif |
---|
711 | /* We are using privs. */ |
---|
712 | priv_check_cred(oldcred, PRIV_CRED_SETGID, 0) == 0) |
---|
713 | #endif |
---|
714 | { |
---|
715 | /* |
---|
716 | * Set real gid |
---|
717 | */ |
---|
718 | if (oldcred->cr_rgid != gid) { |
---|
719 | change_rgid(newcred, gid); |
---|
720 | setsugid(p); |
---|
721 | } |
---|
722 | /* |
---|
723 | * Set saved gid |
---|
724 | * |
---|
725 | * XXX always set saved gid even if not _POSIX_SAVED_IDS, as |
---|
726 | * the security of setegid() depends on it. B.4.2.2 says it |
---|
727 | * is important that we should do this. |
---|
728 | */ |
---|
729 | if (oldcred->cr_svgid != gid) { |
---|
730 | change_svgid(newcred, gid); |
---|
731 | setsugid(p); |
---|
732 | } |
---|
733 | } |
---|
734 | /* |
---|
735 | * In all cases permitted cases, we are changing the egid. |
---|
736 | * Copy credentials so other references do not see our changes. |
---|
737 | */ |
---|
738 | if (oldcred->cr_groups[0] != gid) { |
---|
739 | change_egid(newcred, gid); |
---|
740 | setsugid(p); |
---|
741 | } |
---|
742 | p->p_ucred = newcred; |
---|
743 | PROC_UNLOCK(p); |
---|
744 | crfree(oldcred); |
---|
745 | return (0); |
---|
746 | |
---|
747 | fail: |
---|
748 | PROC_UNLOCK(p); |
---|
749 | crfree(newcred); |
---|
750 | return (error); |
---|
751 | } |
---|
752 | |
---|
753 | #ifndef _SYS_SYSPROTO_HH_ |
---|
754 | struct setegid_args { |
---|
755 | gid_t egid; |
---|
756 | }; |
---|
757 | #endif |
---|
758 | /* ARGSUSED */ |
---|
759 | int |
---|
760 | setegid(struct thread *td, struct setegid_args *uap) |
---|
761 | { |
---|
762 | struct proc *p = td->td_proc; |
---|
763 | struct ucred *newcred, *oldcred; |
---|
764 | gid_t egid; |
---|
765 | int error; |
---|
766 | |
---|
767 | egid = uap->egid; |
---|
768 | AUDIT_ARG_EGID(egid); |
---|
769 | newcred = crget(); |
---|
770 | PROC_LOCK(p); |
---|
771 | oldcred = crcopysafe(p, newcred); |
---|
772 | |
---|
773 | #ifdef MAC |
---|
774 | error = mac_cred_check_setegid(oldcred, egid); |
---|
775 | if (error) |
---|
776 | goto fail; |
---|
777 | #endif |
---|
778 | |
---|
779 | if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ |
---|
780 | egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ |
---|
781 | (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, 0)) != 0) |
---|
782 | goto fail; |
---|
783 | |
---|
784 | if (oldcred->cr_groups[0] != egid) { |
---|
785 | change_egid(newcred, egid); |
---|
786 | setsugid(p); |
---|
787 | } |
---|
788 | p->p_ucred = newcred; |
---|
789 | PROC_UNLOCK(p); |
---|
790 | crfree(oldcred); |
---|
791 | return (0); |
---|
792 | |
---|
793 | fail: |
---|
794 | PROC_UNLOCK(p); |
---|
795 | crfree(newcred); |
---|
796 | return (error); |
---|
797 | } |
---|
798 | |
---|
799 | #ifndef _SYS_SYSPROTO_HH_ |
---|
800 | struct setgroups_args { |
---|
801 | u_int gidsetsize; |
---|
802 | gid_t *gidset; |
---|
803 | }; |
---|
804 | #endif |
---|
805 | /* ARGSUSED */ |
---|
806 | int |
---|
807 | setgroups(struct thread *td, struct setgroups_args *uap) |
---|
808 | { |
---|
809 | gid_t *groups = NULL; |
---|
810 | int error; |
---|
811 | |
---|
812 | if (uap->gidsetsize > ngroups_max + 1) |
---|
813 | return (EINVAL); |
---|
814 | groups = malloc(uap->gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); |
---|
815 | error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); |
---|
816 | if (error) |
---|
817 | goto out; |
---|
818 | error = kern_setgroups(td, uap->gidsetsize, groups); |
---|
819 | out: |
---|
820 | free(groups, M_TEMP); |
---|
821 | return (error); |
---|
822 | } |
---|
823 | |
---|
824 | int |
---|
825 | kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) |
---|
826 | { |
---|
827 | struct proc *p = td->td_proc; |
---|
828 | struct ucred *newcred, *oldcred; |
---|
829 | int error; |
---|
830 | |
---|
831 | if (ngrp > ngroups_max + 1) |
---|
832 | return (EINVAL); |
---|
833 | AUDIT_ARG_GROUPSET(groups, ngrp); |
---|
834 | newcred = crget(); |
---|
835 | crextend(newcred, ngrp); |
---|
836 | PROC_LOCK(p); |
---|
837 | oldcred = crcopysafe(p, newcred); |
---|
838 | |
---|
839 | #ifdef MAC |
---|
840 | error = mac_cred_check_setgroups(oldcred, ngrp, groups); |
---|
841 | if (error) |
---|
842 | goto fail; |
---|
843 | #endif |
---|
844 | |
---|
845 | error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, 0); |
---|
846 | if (error) |
---|
847 | goto fail; |
---|
848 | |
---|
849 | if (ngrp < 1) { |
---|
850 | /* |
---|
851 | * setgroups(0, NULL) is a legitimate way of clearing the |
---|
852 | * groups vector on non-BSD systems (which generally do not |
---|
853 | * have the egid in the groups[0]). We risk security holes |
---|
854 | * when running non-BSD software if we do not do the same. |
---|
855 | */ |
---|
856 | newcred->cr_ngroups = 1; |
---|
857 | } else { |
---|
858 | crsetgroups_locked(newcred, ngrp, groups); |
---|
859 | } |
---|
860 | setsugid(p); |
---|
861 | p->p_ucred = newcred; |
---|
862 | PROC_UNLOCK(p); |
---|
863 | crfree(oldcred); |
---|
864 | return (0); |
---|
865 | |
---|
866 | fail: |
---|
867 | PROC_UNLOCK(p); |
---|
868 | crfree(newcred); |
---|
869 | return (error); |
---|
870 | } |
---|
871 | |
---|
872 | #ifndef _SYS_SYSPROTO_HH_ |
---|
873 | struct setreuid_args { |
---|
874 | uid_t ruid; |
---|
875 | uid_t euid; |
---|
876 | }; |
---|
877 | #endif |
---|
878 | /* ARGSUSED */ |
---|
879 | int |
---|
880 | setreuid(register struct thread *td, struct setreuid_args *uap) |
---|
881 | { |
---|
882 | struct proc *p = td->td_proc; |
---|
883 | struct ucred *newcred, *oldcred; |
---|
884 | uid_t euid, ruid; |
---|
885 | struct uidinfo *euip, *ruip; |
---|
886 | int error; |
---|
887 | |
---|
888 | euid = uap->euid; |
---|
889 | ruid = uap->ruid; |
---|
890 | AUDIT_ARG_EUID(euid); |
---|
891 | AUDIT_ARG_RUID(ruid); |
---|
892 | newcred = crget(); |
---|
893 | euip = uifind(euid); |
---|
894 | ruip = uifind(ruid); |
---|
895 | PROC_LOCK(p); |
---|
896 | oldcred = crcopysafe(p, newcred); |
---|
897 | |
---|
898 | #ifdef MAC |
---|
899 | error = mac_cred_check_setreuid(oldcred, ruid, euid); |
---|
900 | if (error) |
---|
901 | goto fail; |
---|
902 | #endif |
---|
903 | |
---|
904 | if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && |
---|
905 | ruid != oldcred->cr_svuid) || |
---|
906 | (euid != (uid_t)-1 && euid != oldcred->cr_uid && |
---|
907 | euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && |
---|
908 | (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, 0)) != 0) |
---|
909 | goto fail; |
---|
910 | |
---|
911 | if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { |
---|
912 | change_euid(newcred, euip); |
---|
913 | setsugid(p); |
---|
914 | } |
---|
915 | if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { |
---|
916 | change_ruid(newcred, ruip); |
---|
917 | setsugid(p); |
---|
918 | } |
---|
919 | if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && |
---|
920 | newcred->cr_svuid != newcred->cr_uid) { |
---|
921 | change_svuid(newcred, newcred->cr_uid); |
---|
922 | setsugid(p); |
---|
923 | } |
---|
924 | p->p_ucred = newcred; |
---|
925 | PROC_UNLOCK(p); |
---|
926 | uifree(ruip); |
---|
927 | uifree(euip); |
---|
928 | crfree(oldcred); |
---|
929 | return (0); |
---|
930 | |
---|
931 | fail: |
---|
932 | PROC_UNLOCK(p); |
---|
933 | uifree(ruip); |
---|
934 | uifree(euip); |
---|
935 | crfree(newcred); |
---|
936 | return (error); |
---|
937 | } |
---|
938 | |
---|
939 | #ifndef _SYS_SYSPROTO_HH_ |
---|
940 | struct setregid_args { |
---|
941 | gid_t rgid; |
---|
942 | gid_t egid; |
---|
943 | }; |
---|
944 | #endif |
---|
945 | /* ARGSUSED */ |
---|
946 | int |
---|
947 | setregid(register struct thread *td, struct setregid_args *uap) |
---|
948 | { |
---|
949 | struct proc *p = td->td_proc; |
---|
950 | struct ucred *newcred, *oldcred; |
---|
951 | gid_t egid, rgid; |
---|
952 | int error; |
---|
953 | |
---|
954 | egid = uap->egid; |
---|
955 | rgid = uap->rgid; |
---|
956 | AUDIT_ARG_EGID(egid); |
---|
957 | AUDIT_ARG_RGID(rgid); |
---|
958 | newcred = crget(); |
---|
959 | PROC_LOCK(p); |
---|
960 | oldcred = crcopysafe(p, newcred); |
---|
961 | |
---|
962 | #ifdef MAC |
---|
963 | error = mac_cred_check_setregid(oldcred, rgid, egid); |
---|
964 | if (error) |
---|
965 | goto fail; |
---|
966 | #endif |
---|
967 | |
---|
968 | if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && |
---|
969 | rgid != oldcred->cr_svgid) || |
---|
970 | (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && |
---|
971 | egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && |
---|
972 | (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, 0)) != 0) |
---|
973 | goto fail; |
---|
974 | |
---|
975 | if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { |
---|
976 | change_egid(newcred, egid); |
---|
977 | setsugid(p); |
---|
978 | } |
---|
979 | if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { |
---|
980 | change_rgid(newcred, rgid); |
---|
981 | setsugid(p); |
---|
982 | } |
---|
983 | if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && |
---|
984 | newcred->cr_svgid != newcred->cr_groups[0]) { |
---|
985 | change_svgid(newcred, newcred->cr_groups[0]); |
---|
986 | setsugid(p); |
---|
987 | } |
---|
988 | p->p_ucred = newcred; |
---|
989 | PROC_UNLOCK(p); |
---|
990 | crfree(oldcred); |
---|
991 | return (0); |
---|
992 | |
---|
993 | fail: |
---|
994 | PROC_UNLOCK(p); |
---|
995 | crfree(newcred); |
---|
996 | return (error); |
---|
997 | } |
---|
998 | |
---|
999 | /* |
---|
1000 | * setresuid(ruid, euid, suid) is like setreuid except control over the saved |
---|
1001 | * uid is explicit. |
---|
1002 | */ |
---|
1003 | #ifndef _SYS_SYSPROTO_HH_ |
---|
1004 | struct setresuid_args { |
---|
1005 | uid_t ruid; |
---|
1006 | uid_t euid; |
---|
1007 | uid_t suid; |
---|
1008 | }; |
---|
1009 | #endif |
---|
1010 | /* ARGSUSED */ |
---|
1011 | int |
---|
1012 | setresuid(register struct thread *td, struct setresuid_args *uap) |
---|
1013 | { |
---|
1014 | struct proc *p = td->td_proc; |
---|
1015 | struct ucred *newcred, *oldcred; |
---|
1016 | uid_t euid, ruid, suid; |
---|
1017 | struct uidinfo *euip, *ruip; |
---|
1018 | int error; |
---|
1019 | |
---|
1020 | euid = uap->euid; |
---|
1021 | ruid = uap->ruid; |
---|
1022 | suid = uap->suid; |
---|
1023 | AUDIT_ARG_EUID(euid); |
---|
1024 | AUDIT_ARG_RUID(ruid); |
---|
1025 | AUDIT_ARG_SUID(suid); |
---|
1026 | newcred = crget(); |
---|
1027 | euip = uifind(euid); |
---|
1028 | ruip = uifind(ruid); |
---|
1029 | PROC_LOCK(p); |
---|
1030 | oldcred = crcopysafe(p, newcred); |
---|
1031 | |
---|
1032 | #ifdef MAC |
---|
1033 | error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); |
---|
1034 | if (error) |
---|
1035 | goto fail; |
---|
1036 | #endif |
---|
1037 | |
---|
1038 | if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && |
---|
1039 | ruid != oldcred->cr_svuid && |
---|
1040 | ruid != oldcred->cr_uid) || |
---|
1041 | (euid != (uid_t)-1 && euid != oldcred->cr_ruid && |
---|
1042 | euid != oldcred->cr_svuid && |
---|
1043 | euid != oldcred->cr_uid) || |
---|
1044 | (suid != (uid_t)-1 && suid != oldcred->cr_ruid && |
---|
1045 | suid != oldcred->cr_svuid && |
---|
1046 | suid != oldcred->cr_uid)) && |
---|
1047 | (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, 0)) != 0) |
---|
1048 | goto fail; |
---|
1049 | |
---|
1050 | if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { |
---|
1051 | change_euid(newcred, euip); |
---|
1052 | setsugid(p); |
---|
1053 | } |
---|
1054 | if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { |
---|
1055 | change_ruid(newcred, ruip); |
---|
1056 | setsugid(p); |
---|
1057 | } |
---|
1058 | if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { |
---|
1059 | change_svuid(newcred, suid); |
---|
1060 | setsugid(p); |
---|
1061 | } |
---|
1062 | p->p_ucred = newcred; |
---|
1063 | PROC_UNLOCK(p); |
---|
1064 | uifree(ruip); |
---|
1065 | uifree(euip); |
---|
1066 | crfree(oldcred); |
---|
1067 | return (0); |
---|
1068 | |
---|
1069 | fail: |
---|
1070 | PROC_UNLOCK(p); |
---|
1071 | uifree(ruip); |
---|
1072 | uifree(euip); |
---|
1073 | crfree(newcred); |
---|
1074 | return (error); |
---|
1075 | |
---|
1076 | } |
---|
1077 | |
---|
1078 | /* |
---|
1079 | * setresgid(rgid, egid, sgid) is like setregid except control over the saved |
---|
1080 | * gid is explicit. |
---|
1081 | */ |
---|
1082 | #ifndef _SYS_SYSPROTO_HH_ |
---|
1083 | struct setresgid_args { |
---|
1084 | gid_t rgid; |
---|
1085 | gid_t egid; |
---|
1086 | gid_t sgid; |
---|
1087 | }; |
---|
1088 | #endif |
---|
1089 | /* ARGSUSED */ |
---|
1090 | int |
---|
1091 | setresgid(register struct thread *td, struct setresgid_args *uap) |
---|
1092 | { |
---|
1093 | struct proc *p = td->td_proc; |
---|
1094 | struct ucred *newcred, *oldcred; |
---|
1095 | gid_t egid, rgid, sgid; |
---|
1096 | int error; |
---|
1097 | |
---|
1098 | egid = uap->egid; |
---|
1099 | rgid = uap->rgid; |
---|
1100 | sgid = uap->sgid; |
---|
1101 | AUDIT_ARG_EGID(egid); |
---|
1102 | AUDIT_ARG_RGID(rgid); |
---|
1103 | AUDIT_ARG_SGID(sgid); |
---|
1104 | newcred = crget(); |
---|
1105 | PROC_LOCK(p); |
---|
1106 | oldcred = crcopysafe(p, newcred); |
---|
1107 | |
---|
1108 | #ifdef MAC |
---|
1109 | error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); |
---|
1110 | if (error) |
---|
1111 | goto fail; |
---|
1112 | #endif |
---|
1113 | |
---|
1114 | if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && |
---|
1115 | rgid != oldcred->cr_svgid && |
---|
1116 | rgid != oldcred->cr_groups[0]) || |
---|
1117 | (egid != (gid_t)-1 && egid != oldcred->cr_rgid && |
---|
1118 | egid != oldcred->cr_svgid && |
---|
1119 | egid != oldcred->cr_groups[0]) || |
---|
1120 | (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && |
---|
1121 | sgid != oldcred->cr_svgid && |
---|
1122 | sgid != oldcred->cr_groups[0])) && |
---|
1123 | (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, 0)) != 0) |
---|
1124 | goto fail; |
---|
1125 | |
---|
1126 | if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { |
---|
1127 | change_egid(newcred, egid); |
---|
1128 | setsugid(p); |
---|
1129 | } |
---|
1130 | if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { |
---|
1131 | change_rgid(newcred, rgid); |
---|
1132 | setsugid(p); |
---|
1133 | } |
---|
1134 | if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { |
---|
1135 | change_svgid(newcred, sgid); |
---|
1136 | setsugid(p); |
---|
1137 | } |
---|
1138 | p->p_ucred = newcred; |
---|
1139 | PROC_UNLOCK(p); |
---|
1140 | crfree(oldcred); |
---|
1141 | return (0); |
---|
1142 | |
---|
1143 | fail: |
---|
1144 | PROC_UNLOCK(p); |
---|
1145 | crfree(newcred); |
---|
1146 | return (error); |
---|
1147 | } |
---|
1148 | |
---|
1149 | #ifndef _SYS_SYSPROTO_HH_ |
---|
1150 | struct getresuid_args { |
---|
1151 | uid_t *ruid; |
---|
1152 | uid_t *euid; |
---|
1153 | uid_t *suid; |
---|
1154 | }; |
---|
1155 | #endif |
---|
1156 | /* ARGSUSED */ |
---|
1157 | int |
---|
1158 | getresuid(register struct thread *td, struct getresuid_args *uap) |
---|
1159 | { |
---|
1160 | struct ucred *cred; |
---|
1161 | int error1 = 0, error2 = 0, error3 = 0; |
---|
1162 | |
---|
1163 | cred = td->td_ucred; |
---|
1164 | if (uap->ruid) |
---|
1165 | error1 = copyout(&cred->cr_ruid, |
---|
1166 | uap->ruid, sizeof(cred->cr_ruid)); |
---|
1167 | if (uap->euid) |
---|
1168 | error2 = copyout(&cred->cr_uid, |
---|
1169 | uap->euid, sizeof(cred->cr_uid)); |
---|
1170 | if (uap->suid) |
---|
1171 | error3 = copyout(&cred->cr_svuid, |
---|
1172 | uap->suid, sizeof(cred->cr_svuid)); |
---|
1173 | return (error1 ? error1 : error2 ? error2 : error3); |
---|
1174 | } |
---|
1175 | |
---|
1176 | #ifndef _SYS_SYSPROTO_HH_ |
---|
1177 | struct getresgid_args { |
---|
1178 | gid_t *rgid; |
---|
1179 | gid_t *egid; |
---|
1180 | gid_t *sgid; |
---|
1181 | }; |
---|
1182 | #endif |
---|
1183 | /* ARGSUSED */ |
---|
1184 | int |
---|
1185 | getresgid(register struct thread *td, struct getresgid_args *uap) |
---|
1186 | { |
---|
1187 | struct ucred *cred; |
---|
1188 | int error1 = 0, error2 = 0, error3 = 0; |
---|
1189 | |
---|
1190 | cred = td->td_ucred; |
---|
1191 | if (uap->rgid) |
---|
1192 | error1 = copyout(&cred->cr_rgid, |
---|
1193 | uap->rgid, sizeof(cred->cr_rgid)); |
---|
1194 | if (uap->egid) |
---|
1195 | error2 = copyout(&cred->cr_groups[0], |
---|
1196 | uap->egid, sizeof(cred->cr_groups[0])); |
---|
1197 | if (uap->sgid) |
---|
1198 | error3 = copyout(&cred->cr_svgid, |
---|
1199 | uap->sgid, sizeof(cred->cr_svgid)); |
---|
1200 | return (error1 ? error1 : error2 ? error2 : error3); |
---|
1201 | } |
---|
1202 | |
---|
1203 | #ifndef _SYS_SYSPROTO_HH_ |
---|
1204 | struct issetugid_args { |
---|
1205 | int dummy; |
---|
1206 | }; |
---|
1207 | #endif |
---|
1208 | /* ARGSUSED */ |
---|
1209 | int |
---|
1210 | issetugid(register struct thread *td, struct issetugid_args *uap) |
---|
1211 | { |
---|
1212 | struct proc *p = td->td_proc; |
---|
1213 | |
---|
1214 | /* |
---|
1215 | * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, |
---|
1216 | * we use P_SUGID because we consider changing the owners as |
---|
1217 | * "tainting" as well. |
---|
1218 | * This is significant for procs that start as root and "become" |
---|
1219 | * a user without an exec - programs cannot know *everything* |
---|
1220 | * that libc *might* have put in their data segment. |
---|
1221 | */ |
---|
1222 | PROC_LOCK(p); |
---|
1223 | td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; |
---|
1224 | PROC_UNLOCK(p); |
---|
1225 | return (0); |
---|
1226 | } |
---|
1227 | |
---|
1228 | int |
---|
1229 | __setugid(struct thread *td, struct __setugid_args *uap) |
---|
1230 | { |
---|
1231 | #ifdef REGRESSION |
---|
1232 | struct proc *p; |
---|
1233 | |
---|
1234 | p = td->td_proc; |
---|
1235 | switch (uap->flag) { |
---|
1236 | case 0: |
---|
1237 | PROC_LOCK(p); |
---|
1238 | p->p_flag &= ~P_SUGID; |
---|
1239 | PROC_UNLOCK(p); |
---|
1240 | return (0); |
---|
1241 | case 1: |
---|
1242 | PROC_LOCK(p); |
---|
1243 | p->p_flag |= P_SUGID; |
---|
1244 | PROC_UNLOCK(p); |
---|
1245 | return (0); |
---|
1246 | default: |
---|
1247 | return (EINVAL); |
---|
1248 | } |
---|
1249 | #else /* !REGRESSION */ |
---|
1250 | |
---|
1251 | return (ENOSYS); |
---|
1252 | #endif /* REGRESSION */ |
---|
1253 | } |
---|
1254 | #endif /* __rtems__ */ |
---|
1255 | |
---|
1256 | /* |
---|
1257 | * Check if gid is a member of the group set. |
---|
1258 | */ |
---|
1259 | int |
---|
1260 | groupmember(gid_t gid, struct ucred *cred) |
---|
1261 | { |
---|
1262 | int l; |
---|
1263 | int h; |
---|
1264 | int m; |
---|
1265 | |
---|
1266 | if (cred->cr_groups[0] == gid) |
---|
1267 | return(1); |
---|
1268 | |
---|
1269 | /* |
---|
1270 | * If gid was not our primary group, perform a binary search |
---|
1271 | * of the supplemental groups. This is possible because we |
---|
1272 | * sort the groups in crsetgroups(). |
---|
1273 | */ |
---|
1274 | l = 1; |
---|
1275 | h = cred->cr_ngroups; |
---|
1276 | while (l < h) { |
---|
1277 | m = l + ((h - l) / 2); |
---|
1278 | if (cred->cr_groups[m] < gid) |
---|
1279 | l = m + 1; |
---|
1280 | else |
---|
1281 | h = m; |
---|
1282 | } |
---|
1283 | if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) |
---|
1284 | return (1); |
---|
1285 | |
---|
1286 | return (0); |
---|
1287 | } |
---|
1288 | |
---|
1289 | #ifndef __rtems__ |
---|
1290 | /* |
---|
1291 | * Test the active securelevel against a given level. securelevel_gt() |
---|
1292 | * implements (securelevel > level). securelevel_ge() implements |
---|
1293 | * (securelevel >= level). Note that the logic is inverted -- these |
---|
1294 | * functions return EPERM on "success" and 0 on "failure". |
---|
1295 | * |
---|
1296 | * Due to care taken when setting the securelevel, we know that no jail will |
---|
1297 | * be less secure that its parent (or the physical system), so it is sufficient |
---|
1298 | * to test the current jail only. |
---|
1299 | * |
---|
1300 | * XXXRW: Possibly since this has to do with privilege, it should move to |
---|
1301 | * kern_priv.c. |
---|
1302 | */ |
---|
1303 | int |
---|
1304 | securelevel_gt(struct ucred *cr, int level) |
---|
1305 | { |
---|
1306 | |
---|
1307 | return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); |
---|
1308 | } |
---|
1309 | |
---|
1310 | int |
---|
1311 | securelevel_ge(struct ucred *cr, int level) |
---|
1312 | { |
---|
1313 | |
---|
1314 | return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); |
---|
1315 | } |
---|
1316 | |
---|
1317 | #endif /* __rtems__ */ |
---|
1318 | |
---|
1319 | /* |
---|
1320 | * 'see_other_uids' determines whether or not visibility of processes |
---|
1321 | * and sockets with credentials holding different real uids is possible |
---|
1322 | * using a variety of system MIBs. |
---|
1323 | * XXX: data declarations should be together near the beginning of the file. |
---|
1324 | */ |
---|
1325 | static int see_other_uids = 1; |
---|
1326 | SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, |
---|
1327 | &see_other_uids, 0, |
---|
1328 | "Unprivileged processes may see subjects/objects with different real uid"); |
---|
1329 | |
---|
1330 | /*- |
---|
1331 | * Determine if u1 "can see" the subject specified by u2, according to the |
---|
1332 | * 'see_other_uids' policy. |
---|
1333 | * Returns: 0 for permitted, ESRCH otherwise |
---|
1334 | * Locks: none |
---|
1335 | * References: *u1 and *u2 must not change during the call |
---|
1336 | * u1 may equal u2, in which case only one reference is required |
---|
1337 | */ |
---|
1338 | static int |
---|
1339 | cr_seeotheruids(struct ucred *u1, struct ucred *u2) |
---|
1340 | { |
---|
1341 | |
---|
1342 | if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { |
---|
1343 | if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) != 0) |
---|
1344 | return (ESRCH); |
---|
1345 | } |
---|
1346 | return (0); |
---|
1347 | } |
---|
1348 | |
---|
1349 | /* |
---|
1350 | * 'see_other_gids' determines whether or not visibility of processes |
---|
1351 | * and sockets with credentials holding different real gids is possible |
---|
1352 | * using a variety of system MIBs. |
---|
1353 | * XXX: data declarations should be together near the beginning of the file. |
---|
1354 | */ |
---|
1355 | static int see_other_gids = 1; |
---|
1356 | SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, |
---|
1357 | &see_other_gids, 0, |
---|
1358 | "Unprivileged processes may see subjects/objects with different real gid"); |
---|
1359 | |
---|
1360 | /* |
---|
1361 | * Determine if u1 can "see" the subject specified by u2, according to the |
---|
1362 | * 'see_other_gids' policy. |
---|
1363 | * Returns: 0 for permitted, ESRCH otherwise |
---|
1364 | * Locks: none |
---|
1365 | * References: *u1 and *u2 must not change during the call |
---|
1366 | * u1 may equal u2, in which case only one reference is required |
---|
1367 | */ |
---|
1368 | static int |
---|
1369 | cr_seeothergids(struct ucred *u1, struct ucred *u2) |
---|
1370 | { |
---|
1371 | int i, match; |
---|
1372 | |
---|
1373 | if (!see_other_gids) { |
---|
1374 | match = 0; |
---|
1375 | for (i = 0; i < u1->cr_ngroups; i++) { |
---|
1376 | if (groupmember(u1->cr_groups[i], u2)) |
---|
1377 | match = 1; |
---|
1378 | if (match) |
---|
1379 | break; |
---|
1380 | } |
---|
1381 | if (!match) { |
---|
1382 | if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, 0) != 0) |
---|
1383 | return (ESRCH); |
---|
1384 | } |
---|
1385 | } |
---|
1386 | return (0); |
---|
1387 | } |
---|
1388 | |
---|
1389 | /*- |
---|
1390 | * Determine if u1 "can see" the subject specified by u2. |
---|
1391 | * Returns: 0 for permitted, an errno value otherwise |
---|
1392 | * Locks: none |
---|
1393 | * References: *u1 and *u2 must not change during the call |
---|
1394 | * u1 may equal u2, in which case only one reference is required |
---|
1395 | */ |
---|
1396 | int |
---|
1397 | cr_cansee(struct ucred *u1, struct ucred *u2) |
---|
1398 | { |
---|
1399 | int error; |
---|
1400 | |
---|
1401 | if ((error = prison_check(u1, u2))) |
---|
1402 | return (error); |
---|
1403 | #ifdef MAC |
---|
1404 | if ((error = mac_cred_check_visible(u1, u2))) |
---|
1405 | return (error); |
---|
1406 | #endif |
---|
1407 | if ((error = cr_seeotheruids(u1, u2))) |
---|
1408 | return (error); |
---|
1409 | if ((error = cr_seeothergids(u1, u2))) |
---|
1410 | return (error); |
---|
1411 | return (0); |
---|
1412 | } |
---|
1413 | |
---|
1414 | #ifndef __rtems__ |
---|
1415 | |
---|
1416 | /*- |
---|
1417 | * Determine if td "can see" the subject specified by p. |
---|
1418 | * Returns: 0 for permitted, an errno value otherwise |
---|
1419 | * Locks: Sufficient locks to protect p->p_ucred must be held. td really |
---|
1420 | * should be curthread. |
---|
1421 | * References: td and p must be valid for the lifetime of the call |
---|
1422 | */ |
---|
1423 | int |
---|
1424 | p_cansee(struct thread *td, struct proc *p) |
---|
1425 | { |
---|
1426 | |
---|
1427 | /* Wrap cr_cansee() for all functionality. */ |
---|
1428 | KASSERT(td == curthread, ("%s: td not curthread", __func__)); |
---|
1429 | PROC_LOCK_ASSERT(p, MA_OWNED); |
---|
1430 | return (cr_cansee(td->td_ucred, p->p_ucred)); |
---|
1431 | } |
---|
1432 | |
---|
1433 | /* |
---|
1434 | * 'conservative_signals' prevents the delivery of a broad class of |
---|
1435 | * signals by unprivileged processes to processes that have changed their |
---|
1436 | * credentials since the last invocation of execve(). This can prevent |
---|
1437 | * the leakage of cached information or retained privileges as a result |
---|
1438 | * of a common class of signal-related vulnerabilities. However, this |
---|
1439 | * may interfere with some applications that expect to be able to |
---|
1440 | * deliver these signals to peer processes after having given up |
---|
1441 | * privilege. |
---|
1442 | */ |
---|
1443 | static int conservative_signals = 1; |
---|
1444 | SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, |
---|
1445 | &conservative_signals, 0, "Unprivileged processes prevented from " |
---|
1446 | "sending certain signals to processes whose credentials have changed"); |
---|
1447 | /*- |
---|
1448 | * Determine whether cred may deliver the specified signal to proc. |
---|
1449 | * Returns: 0 for permitted, an errno value otherwise. |
---|
1450 | * Locks: A lock must be held for proc. |
---|
1451 | * References: cred and proc must be valid for the lifetime of the call. |
---|
1452 | */ |
---|
1453 | int |
---|
1454 | cr_cansignal(struct ucred *cred, struct proc *proc, int signum) |
---|
1455 | { |
---|
1456 | int error; |
---|
1457 | |
---|
1458 | PROC_LOCK_ASSERT(proc, MA_OWNED); |
---|
1459 | /* |
---|
1460 | * Jail semantics limit the scope of signalling to proc in the |
---|
1461 | * same jail as cred, if cred is in jail. |
---|
1462 | */ |
---|
1463 | error = prison_check(cred, proc->p_ucred); |
---|
1464 | if (error) |
---|
1465 | return (error); |
---|
1466 | #ifdef MAC |
---|
1467 | if ((error = mac_proc_check_signal(cred, proc, signum))) |
---|
1468 | return (error); |
---|
1469 | #endif |
---|
1470 | if ((error = cr_seeotheruids(cred, proc->p_ucred))) |
---|
1471 | return (error); |
---|
1472 | if ((error = cr_seeothergids(cred, proc->p_ucred))) |
---|
1473 | return (error); |
---|
1474 | |
---|
1475 | /* |
---|
1476 | * UNIX signal semantics depend on the status of the P_SUGID |
---|
1477 | * bit on the target process. If the bit is set, then additional |
---|
1478 | * restrictions are placed on the set of available signals. |
---|
1479 | */ |
---|
1480 | if (conservative_signals && (proc->p_flag & P_SUGID)) { |
---|
1481 | switch (signum) { |
---|
1482 | case 0: |
---|
1483 | case SIGKILL: |
---|
1484 | case SIGINT: |
---|
1485 | case SIGTERM: |
---|
1486 | case SIGALRM: |
---|
1487 | case SIGSTOP: |
---|
1488 | case SIGTTIN: |
---|
1489 | case SIGTTOU: |
---|
1490 | case SIGTSTP: |
---|
1491 | case SIGHUP: |
---|
1492 | case SIGUSR1: |
---|
1493 | case SIGUSR2: |
---|
1494 | /* |
---|
1495 | * Generally, permit job and terminal control |
---|
1496 | * signals. |
---|
1497 | */ |
---|
1498 | break; |
---|
1499 | default: |
---|
1500 | /* Not permitted without privilege. */ |
---|
1501 | error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, 0); |
---|
1502 | if (error) |
---|
1503 | return (error); |
---|
1504 | } |
---|
1505 | } |
---|
1506 | |
---|
1507 | /* |
---|
1508 | * Generally, the target credential's ruid or svuid must match the |
---|
1509 | * subject credential's ruid or euid. |
---|
1510 | */ |
---|
1511 | if (cred->cr_ruid != proc->p_ucred->cr_ruid && |
---|
1512 | cred->cr_ruid != proc->p_ucred->cr_svuid && |
---|
1513 | cred->cr_uid != proc->p_ucred->cr_ruid && |
---|
1514 | cred->cr_uid != proc->p_ucred->cr_svuid) { |
---|
1515 | error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, 0); |
---|
1516 | if (error) |
---|
1517 | return (error); |
---|
1518 | } |
---|
1519 | |
---|
1520 | return (0); |
---|
1521 | } |
---|
1522 | |
---|
1523 | /*- |
---|
1524 | * Determine whether td may deliver the specified signal to p. |
---|
1525 | * Returns: 0 for permitted, an errno value otherwise |
---|
1526 | * Locks: Sufficient locks to protect various components of td and p |
---|
1527 | * must be held. td must be curthread, and a lock must be |
---|
1528 | * held for p. |
---|
1529 | * References: td and p must be valid for the lifetime of the call |
---|
1530 | */ |
---|
1531 | int |
---|
1532 | p_cansignal(struct thread *td, struct proc *p, int signum) |
---|
1533 | { |
---|
1534 | |
---|
1535 | KASSERT(td == curthread, ("%s: td not curthread", __func__)); |
---|
1536 | PROC_LOCK_ASSERT(p, MA_OWNED); |
---|
1537 | if (td->td_proc == p) |
---|
1538 | return (0); |
---|
1539 | |
---|
1540 | /* |
---|
1541 | * UNIX signalling semantics require that processes in the same |
---|
1542 | * session always be able to deliver SIGCONT to one another, |
---|
1543 | * overriding the remaining protections. |
---|
1544 | */ |
---|
1545 | /* XXX: This will require an additional lock of some sort. */ |
---|
1546 | if (signum == SIGCONT && td->td_proc->p_session == p->p_session) |
---|
1547 | return (0); |
---|
1548 | /* |
---|
1549 | * Some compat layers use SIGTHR and higher signals for |
---|
1550 | * communication between different kernel threads of the same |
---|
1551 | * process, so that they expect that it's always possible to |
---|
1552 | * deliver them, even for suid applications where cr_cansignal() can |
---|
1553 | * deny such ability for security consideration. It should be |
---|
1554 | * pretty safe to do since the only way to create two processes |
---|
1555 | * with the same p_leader is via rfork(2). |
---|
1556 | */ |
---|
1557 | if (td->td_proc->p_leader != NULL && signum >= SIGTHR && |
---|
1558 | signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) |
---|
1559 | return (0); |
---|
1560 | |
---|
1561 | return (cr_cansignal(td->td_ucred, p, signum)); |
---|
1562 | } |
---|
1563 | |
---|
1564 | /*- |
---|
1565 | * Determine whether td may reschedule p. |
---|
1566 | * Returns: 0 for permitted, an errno value otherwise |
---|
1567 | * Locks: Sufficient locks to protect various components of td and p |
---|
1568 | * must be held. td must be curthread, and a lock must |
---|
1569 | * be held for p. |
---|
1570 | * References: td and p must be valid for the lifetime of the call |
---|
1571 | */ |
---|
1572 | int |
---|
1573 | p_cansched(struct thread *td, struct proc *p) |
---|
1574 | { |
---|
1575 | int error; |
---|
1576 | |
---|
1577 | KASSERT(td == curthread, ("%s: td not curthread", __func__)); |
---|
1578 | PROC_LOCK_ASSERT(p, MA_OWNED); |
---|
1579 | if (td->td_proc == p) |
---|
1580 | return (0); |
---|
1581 | if ((error = prison_check(td->td_ucred, p->p_ucred))) |
---|
1582 | return (error); |
---|
1583 | #ifdef MAC |
---|
1584 | if ((error = mac_proc_check_sched(td->td_ucred, p))) |
---|
1585 | return (error); |
---|
1586 | #endif |
---|
1587 | if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) |
---|
1588 | return (error); |
---|
1589 | if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) |
---|
1590 | return (error); |
---|
1591 | if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && |
---|
1592 | td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { |
---|
1593 | error = priv_check(td, PRIV_SCHED_DIFFCRED); |
---|
1594 | if (error) |
---|
1595 | return (error); |
---|
1596 | } |
---|
1597 | return (0); |
---|
1598 | } |
---|
1599 | |
---|
1600 | /* |
---|
1601 | * The 'unprivileged_proc_debug' flag may be used to disable a variety of |
---|
1602 | * unprivileged inter-process debugging services, including some procfs |
---|
1603 | * functionality, ptrace(), and ktrace(). In the past, inter-process |
---|
1604 | * debugging has been involved in a variety of security problems, and sites |
---|
1605 | * not requiring the service might choose to disable it when hardening |
---|
1606 | * systems. |
---|
1607 | * |
---|
1608 | * XXX: Should modifying and reading this variable require locking? |
---|
1609 | * XXX: data declarations should be together near the beginning of the file. |
---|
1610 | */ |
---|
1611 | static int unprivileged_proc_debug = 1; |
---|
1612 | SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW, |
---|
1613 | &unprivileged_proc_debug, 0, |
---|
1614 | "Unprivileged processes may use process debugging facilities"); |
---|
1615 | |
---|
1616 | /*- |
---|
1617 | * Determine whether td may debug p. |
---|
1618 | * Returns: 0 for permitted, an errno value otherwise |
---|
1619 | * Locks: Sufficient locks to protect various components of td and p |
---|
1620 | * must be held. td must be curthread, and a lock must |
---|
1621 | * be held for p. |
---|
1622 | * References: td and p must be valid for the lifetime of the call |
---|
1623 | */ |
---|
1624 | int |
---|
1625 | p_candebug(struct thread *td, struct proc *p) |
---|
1626 | { |
---|
1627 | int credentialchanged, error, grpsubset, i, uidsubset; |
---|
1628 | |
---|
1629 | KASSERT(td == curthread, ("%s: td not curthread", __func__)); |
---|
1630 | PROC_LOCK_ASSERT(p, MA_OWNED); |
---|
1631 | if (!unprivileged_proc_debug) { |
---|
1632 | error = priv_check(td, PRIV_DEBUG_UNPRIV); |
---|
1633 | if (error) |
---|
1634 | return (error); |
---|
1635 | } |
---|
1636 | if (td->td_proc == p) |
---|
1637 | return (0); |
---|
1638 | if ((error = prison_check(td->td_ucred, p->p_ucred))) |
---|
1639 | return (error); |
---|
1640 | #ifdef MAC |
---|
1641 | if ((error = mac_proc_check_debug(td->td_ucred, p))) |
---|
1642 | return (error); |
---|
1643 | #endif |
---|
1644 | if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) |
---|
1645 | return (error); |
---|
1646 | if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) |
---|
1647 | return (error); |
---|
1648 | |
---|
1649 | /* |
---|
1650 | * Is p's group set a subset of td's effective group set? This |
---|
1651 | * includes p's egid, group access list, rgid, and svgid. |
---|
1652 | */ |
---|
1653 | grpsubset = 1; |
---|
1654 | for (i = 0; i < p->p_ucred->cr_ngroups; i++) { |
---|
1655 | if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { |
---|
1656 | grpsubset = 0; |
---|
1657 | break; |
---|
1658 | } |
---|
1659 | } |
---|
1660 | grpsubset = grpsubset && |
---|
1661 | groupmember(p->p_ucred->cr_rgid, td->td_ucred) && |
---|
1662 | groupmember(p->p_ucred->cr_svgid, td->td_ucred); |
---|
1663 | |
---|
1664 | /* |
---|
1665 | * Are the uids present in p's credential equal to td's |
---|
1666 | * effective uid? This includes p's euid, svuid, and ruid. |
---|
1667 | */ |
---|
1668 | uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && |
---|
1669 | td->td_ucred->cr_uid == p->p_ucred->cr_svuid && |
---|
1670 | td->td_ucred->cr_uid == p->p_ucred->cr_ruid); |
---|
1671 | |
---|
1672 | /* |
---|
1673 | * Has the credential of the process changed since the last exec()? |
---|
1674 | */ |
---|
1675 | credentialchanged = (p->p_flag & P_SUGID); |
---|
1676 | |
---|
1677 | /* |
---|
1678 | * If p's gids aren't a subset, or the uids aren't a subset, |
---|
1679 | * or the credential has changed, require appropriate privilege |
---|
1680 | * for td to debug p. |
---|
1681 | */ |
---|
1682 | if (!grpsubset || !uidsubset) { |
---|
1683 | error = priv_check(td, PRIV_DEBUG_DIFFCRED); |
---|
1684 | if (error) |
---|
1685 | return (error); |
---|
1686 | } |
---|
1687 | |
---|
1688 | if (credentialchanged) { |
---|
1689 | error = priv_check(td, PRIV_DEBUG_SUGID); |
---|
1690 | if (error) |
---|
1691 | return (error); |
---|
1692 | } |
---|
1693 | |
---|
1694 | /* Can't trace init when securelevel > 0. */ |
---|
1695 | if (p == initproc) { |
---|
1696 | error = securelevel_gt(td->td_ucred, 0); |
---|
1697 | if (error) |
---|
1698 | return (error); |
---|
1699 | } |
---|
1700 | |
---|
1701 | /* |
---|
1702 | * Can't trace a process that's currently exec'ing. |
---|
1703 | * |
---|
1704 | * XXX: Note, this is not a security policy decision, it's a |
---|
1705 | * basic correctness/functionality decision. Therefore, this check |
---|
1706 | * should be moved to the caller's of p_candebug(). |
---|
1707 | */ |
---|
1708 | if ((p->p_flag & P_INEXEC) != 0) |
---|
1709 | return (EBUSY); |
---|
1710 | |
---|
1711 | return (0); |
---|
1712 | } |
---|
1713 | #endif /* __rtems__ */ |
---|
1714 | |
---|
1715 | /*- |
---|
1716 | * Determine whether the subject represented by cred can "see" a socket. |
---|
1717 | * Returns: 0 for permitted, ENOENT otherwise. |
---|
1718 | */ |
---|
1719 | int |
---|
1720 | cr_canseesocket(struct ucred *cred, struct socket *so) |
---|
1721 | { |
---|
1722 | int error; |
---|
1723 | |
---|
1724 | error = prison_check(cred, so->so_cred); |
---|
1725 | if (error) |
---|
1726 | return (ENOENT); |
---|
1727 | #ifdef MAC |
---|
1728 | error = mac_socket_check_visible(cred, so); |
---|
1729 | if (error) |
---|
1730 | return (error); |
---|
1731 | #endif |
---|
1732 | if (cr_seeotheruids(cred, so->so_cred)) |
---|
1733 | return (ENOENT); |
---|
1734 | if (cr_seeothergids(cred, so->so_cred)) |
---|
1735 | return (ENOENT); |
---|
1736 | |
---|
1737 | return (0); |
---|
1738 | } |
---|
1739 | |
---|
1740 | #if defined(INET) || defined(INET6) |
---|
1741 | /*- |
---|
1742 | * Determine whether the subject represented by cred can "see" a socket. |
---|
1743 | * Returns: 0 for permitted, ENOENT otherwise. |
---|
1744 | */ |
---|
1745 | int |
---|
1746 | cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) |
---|
1747 | { |
---|
1748 | int error; |
---|
1749 | |
---|
1750 | error = prison_check(cred, inp->inp_cred); |
---|
1751 | if (error) |
---|
1752 | return (ENOENT); |
---|
1753 | #ifdef MAC |
---|
1754 | INP_LOCK_ASSERT(inp); |
---|
1755 | error = mac_inpcb_check_visible(cred, inp); |
---|
1756 | if (error) |
---|
1757 | return (error); |
---|
1758 | #endif |
---|
1759 | if (cr_seeotheruids(cred, inp->inp_cred)) |
---|
1760 | return (ENOENT); |
---|
1761 | if (cr_seeothergids(cred, inp->inp_cred)) |
---|
1762 | return (ENOENT); |
---|
1763 | |
---|
1764 | return (0); |
---|
1765 | } |
---|
1766 | #endif |
---|
1767 | |
---|
1768 | #ifndef __rtems__ |
---|
1769 | /*- |
---|
1770 | * Determine whether td can wait for the exit of p. |
---|
1771 | * Returns: 0 for permitted, an errno value otherwise |
---|
1772 | * Locks: Sufficient locks to protect various components of td and p |
---|
1773 | * must be held. td must be curthread, and a lock must |
---|
1774 | * be held for p. |
---|
1775 | * References: td and p must be valid for the lifetime of the call |
---|
1776 | |
---|
1777 | */ |
---|
1778 | int |
---|
1779 | p_canwait(struct thread *td, struct proc *p) |
---|
1780 | { |
---|
1781 | int error; |
---|
1782 | |
---|
1783 | KASSERT(td == curthread, ("%s: td not curthread", __func__)); |
---|
1784 | PROC_LOCK_ASSERT(p, MA_OWNED); |
---|
1785 | if ((error = prison_check(td->td_ucred, p->p_ucred))) |
---|
1786 | return (error); |
---|
1787 | #ifdef MAC |
---|
1788 | if ((error = mac_proc_check_wait(td->td_ucred, p))) |
---|
1789 | return (error); |
---|
1790 | #endif |
---|
1791 | #if 0 |
---|
1792 | /* XXXMAC: This could have odd effects on some shells. */ |
---|
1793 | if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) |
---|
1794 | return (error); |
---|
1795 | #endif |
---|
1796 | |
---|
1797 | return (0); |
---|
1798 | } |
---|
1799 | #endif /* __rtems__ */ |
---|
1800 | |
---|
1801 | /* |
---|
1802 | * Allocate a zeroed cred structure. |
---|
1803 | */ |
---|
1804 | struct ucred * |
---|
1805 | crget(void) |
---|
1806 | { |
---|
1807 | register struct ucred *cr; |
---|
1808 | |
---|
1809 | cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); |
---|
1810 | refcount_init(&cr->cr_ref, 1); |
---|
1811 | #ifdef AUDIT |
---|
1812 | audit_cred_init(cr); |
---|
1813 | #endif |
---|
1814 | #ifdef MAC |
---|
1815 | mac_cred_init(cr); |
---|
1816 | #endif |
---|
1817 | crextend(cr, XU_NGROUPS); |
---|
1818 | return (cr); |
---|
1819 | } |
---|
1820 | |
---|
1821 | /* |
---|
1822 | * Claim another reference to a ucred structure. |
---|
1823 | */ |
---|
1824 | struct ucred * |
---|
1825 | crhold(struct ucred *cr) |
---|
1826 | { |
---|
1827 | |
---|
1828 | refcount_acquire(&cr->cr_ref); |
---|
1829 | return (cr); |
---|
1830 | } |
---|
1831 | |
---|
1832 | /* |
---|
1833 | * Free a cred structure. Throws away space when ref count gets to 0. |
---|
1834 | */ |
---|
1835 | void |
---|
1836 | crfree(struct ucred *cr) |
---|
1837 | { |
---|
1838 | |
---|
1839 | KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref)); |
---|
1840 | KASSERT(cr->cr_ref != 0xdeadc0de, ("dangling reference to ucred")); |
---|
1841 | if (refcount_release(&cr->cr_ref)) { |
---|
1842 | /* |
---|
1843 | * Some callers of crget(), such as nfs_statfs(), |
---|
1844 | * allocate a temporary credential, but don't |
---|
1845 | * allocate a uidinfo structure. |
---|
1846 | */ |
---|
1847 | if (cr->cr_uidinfo != NULL) |
---|
1848 | uifree(cr->cr_uidinfo); |
---|
1849 | if (cr->cr_ruidinfo != NULL) |
---|
1850 | uifree(cr->cr_ruidinfo); |
---|
1851 | /* |
---|
1852 | * Free a prison, if any. |
---|
1853 | */ |
---|
1854 | if (cr->cr_prison != NULL) |
---|
1855 | prison_free(cr->cr_prison); |
---|
1856 | #ifdef AUDIT |
---|
1857 | audit_cred_destroy(cr); |
---|
1858 | #endif |
---|
1859 | #ifdef MAC |
---|
1860 | mac_cred_destroy(cr); |
---|
1861 | #endif |
---|
1862 | free(cr->cr_groups, M_CRED); |
---|
1863 | free(cr, M_CRED); |
---|
1864 | } |
---|
1865 | } |
---|
1866 | |
---|
1867 | #ifndef __rtems__ |
---|
1868 | /* |
---|
1869 | * Check to see if this ucred is shared. |
---|
1870 | */ |
---|
1871 | int |
---|
1872 | crshared(struct ucred *cr) |
---|
1873 | { |
---|
1874 | |
---|
1875 | return (cr->cr_ref > 1); |
---|
1876 | } |
---|
1877 | |
---|
1878 | /* |
---|
1879 | * Copy a ucred's contents from a template. Does not block. |
---|
1880 | */ |
---|
1881 | void |
---|
1882 | crcopy(struct ucred *dest, struct ucred *src) |
---|
1883 | { |
---|
1884 | |
---|
1885 | KASSERT(crshared(dest) == 0, ("crcopy of shared ucred")); |
---|
1886 | bcopy(&src->cr_startcopy, &dest->cr_startcopy, |
---|
1887 | (unsigned)((caddr_t)&src->cr_endcopy - |
---|
1888 | (caddr_t)&src->cr_startcopy)); |
---|
1889 | crsetgroups(dest, src->cr_ngroups, src->cr_groups); |
---|
1890 | uihold(dest->cr_uidinfo); |
---|
1891 | uihold(dest->cr_ruidinfo); |
---|
1892 | prison_hold(dest->cr_prison); |
---|
1893 | #ifdef AUDIT |
---|
1894 | audit_cred_copy(src, dest); |
---|
1895 | #endif |
---|
1896 | #ifdef MAC |
---|
1897 | mac_cred_copy(src, dest); |
---|
1898 | #endif |
---|
1899 | } |
---|
1900 | |
---|
1901 | /* |
---|
1902 | * Dup cred struct to a new held one. |
---|
1903 | */ |
---|
1904 | struct ucred * |
---|
1905 | crdup(struct ucred *cr) |
---|
1906 | { |
---|
1907 | struct ucred *newcr; |
---|
1908 | |
---|
1909 | newcr = crget(); |
---|
1910 | crcopy(newcr, cr); |
---|
1911 | return (newcr); |
---|
1912 | } |
---|
1913 | #endif /* __rtems__ */ |
---|
1914 | |
---|
1915 | /* |
---|
1916 | * Fill in a struct xucred based on a struct ucred. |
---|
1917 | */ |
---|
1918 | void |
---|
1919 | cru2x(struct ucred *cr, struct xucred *xcr) |
---|
1920 | { |
---|
1921 | int ngroups; |
---|
1922 | |
---|
1923 | bzero(xcr, sizeof(*xcr)); |
---|
1924 | xcr->cr_version = XUCRED_VERSION; |
---|
1925 | xcr->cr_uid = cr->cr_uid; |
---|
1926 | |
---|
1927 | ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); |
---|
1928 | xcr->cr_ngroups = ngroups; |
---|
1929 | bcopy(cr->cr_groups, xcr->cr_groups, |
---|
1930 | ngroups * sizeof(*cr->cr_groups)); |
---|
1931 | } |
---|
1932 | |
---|
1933 | #ifndef __rtems__ |
---|
1934 | /* |
---|
1935 | * small routine to swap a thread's current ucred for the correct one taken |
---|
1936 | * from the process. |
---|
1937 | */ |
---|
1938 | void |
---|
1939 | cred_update_thread(struct thread *td) |
---|
1940 | { |
---|
1941 | struct proc *p; |
---|
1942 | struct ucred *cred; |
---|
1943 | |
---|
1944 | p = td->td_proc; |
---|
1945 | cred = td->td_ucred; |
---|
1946 | PROC_LOCK(p); |
---|
1947 | td->td_ucred = crhold(p->p_ucred); |
---|
1948 | PROC_UNLOCK(p); |
---|
1949 | if (cred != NULL) |
---|
1950 | crfree(cred); |
---|
1951 | } |
---|
1952 | |
---|
1953 | struct ucred * |
---|
1954 | crcopysafe(struct proc *p, struct ucred *cr) |
---|
1955 | { |
---|
1956 | struct ucred *oldcred; |
---|
1957 | int groups; |
---|
1958 | |
---|
1959 | PROC_LOCK_ASSERT(p, MA_OWNED); |
---|
1960 | |
---|
1961 | oldcred = p->p_ucred; |
---|
1962 | while (cr->cr_agroups < oldcred->cr_agroups) { |
---|
1963 | groups = oldcred->cr_agroups; |
---|
1964 | PROC_UNLOCK(p); |
---|
1965 | crextend(cr, groups); |
---|
1966 | PROC_LOCK(p); |
---|
1967 | oldcred = p->p_ucred; |
---|
1968 | } |
---|
1969 | crcopy(cr, oldcred); |
---|
1970 | |
---|
1971 | return (oldcred); |
---|
1972 | } |
---|
1973 | #endif /* __rtems__ */ |
---|
1974 | |
---|
1975 | /* |
---|
1976 | * Extend the passed in credential to hold n items. |
---|
1977 | */ |
---|
1978 | static void |
---|
1979 | crextend(struct ucred *cr, int n) |
---|
1980 | { |
---|
1981 | int cnt; |
---|
1982 | |
---|
1983 | /* Truncate? */ |
---|
1984 | if (n <= cr->cr_agroups) |
---|
1985 | return; |
---|
1986 | |
---|
1987 | /* |
---|
1988 | * We extend by 2 each time since we're using a power of two |
---|
1989 | * allocator until we need enough groups to fill a page. |
---|
1990 | * Once we're allocating multiple pages, only allocate as many |
---|
1991 | * as we actually need. The case of processes needing a |
---|
1992 | * non-power of two number of pages seems more likely than |
---|
1993 | * a real world process that adds thousands of groups one at a |
---|
1994 | * time. |
---|
1995 | */ |
---|
1996 | if ( n < PAGE_SIZE / sizeof(gid_t) ) { |
---|
1997 | if (cr->cr_agroups == 0) |
---|
1998 | cnt = MINALLOCSIZE / sizeof(gid_t); |
---|
1999 | else |
---|
2000 | cnt = cr->cr_agroups * 2; |
---|
2001 | |
---|
2002 | while (cnt < n) |
---|
2003 | cnt *= 2; |
---|
2004 | } else |
---|
2005 | cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); |
---|
2006 | |
---|
2007 | /* Free the old array. */ |
---|
2008 | if (cr->cr_groups) |
---|
2009 | free(cr->cr_groups, M_CRED); |
---|
2010 | |
---|
2011 | cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); |
---|
2012 | cr->cr_agroups = cnt; |
---|
2013 | } |
---|
2014 | |
---|
2015 | #ifndef __rtems__ |
---|
2016 | /* |
---|
2017 | * Copy groups in to a credential, preserving any necessary invariants. |
---|
2018 | * Currently this includes the sorting of all supplemental gids. |
---|
2019 | * crextend() must have been called before hand to ensure sufficient |
---|
2020 | * space is available. |
---|
2021 | */ |
---|
2022 | static void |
---|
2023 | crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) |
---|
2024 | { |
---|
2025 | int i; |
---|
2026 | int j; |
---|
2027 | gid_t g; |
---|
2028 | |
---|
2029 | KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); |
---|
2030 | |
---|
2031 | bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); |
---|
2032 | cr->cr_ngroups = ngrp; |
---|
2033 | |
---|
2034 | /* |
---|
2035 | * Sort all groups except cr_groups[0] to allow groupmember to |
---|
2036 | * perform a binary search. |
---|
2037 | * |
---|
2038 | * XXX: If large numbers of groups become common this should |
---|
2039 | * be replaced with shell sort like linux uses or possibly |
---|
2040 | * heap sort. |
---|
2041 | */ |
---|
2042 | for (i = 2; i < ngrp; i++) { |
---|
2043 | g = cr->cr_groups[i]; |
---|
2044 | for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) |
---|
2045 | cr->cr_groups[j + 1] = cr->cr_groups[j]; |
---|
2046 | cr->cr_groups[j + 1] = g; |
---|
2047 | } |
---|
2048 | } |
---|
2049 | |
---|
2050 | /* |
---|
2051 | * Copy groups in to a credential after expanding it if required. |
---|
2052 | * Truncate the list to (ngroups_max + 1) if it is too large. |
---|
2053 | */ |
---|
2054 | void |
---|
2055 | crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) |
---|
2056 | { |
---|
2057 | |
---|
2058 | if (ngrp > ngroups_max + 1) |
---|
2059 | ngrp = ngroups_max + 1; |
---|
2060 | |
---|
2061 | crextend(cr, ngrp); |
---|
2062 | crsetgroups_locked(cr, ngrp, groups); |
---|
2063 | } |
---|
2064 | |
---|
2065 | /* |
---|
2066 | * Get login name, if available. |
---|
2067 | */ |
---|
2068 | #ifndef _SYS_SYSPROTO_HH_ |
---|
2069 | struct getlogin_args { |
---|
2070 | char *namebuf; |
---|
2071 | u_int namelen; |
---|
2072 | }; |
---|
2073 | #endif |
---|
2074 | /* ARGSUSED */ |
---|
2075 | int |
---|
2076 | getlogin(struct thread *td, struct getlogin_args *uap) |
---|
2077 | { |
---|
2078 | int error; |
---|
2079 | char login[MAXLOGNAME]; |
---|
2080 | struct proc *p = td->td_proc; |
---|
2081 | |
---|
2082 | if (uap->namelen > MAXLOGNAME) |
---|
2083 | uap->namelen = MAXLOGNAME; |
---|
2084 | PROC_LOCK(p); |
---|
2085 | SESS_LOCK(p->p_session); |
---|
2086 | bcopy(p->p_session->s_login, login, uap->namelen); |
---|
2087 | SESS_UNLOCK(p->p_session); |
---|
2088 | PROC_UNLOCK(p); |
---|
2089 | error = copyout(login, uap->namebuf, uap->namelen); |
---|
2090 | return(error); |
---|
2091 | } |
---|
2092 | |
---|
2093 | /* |
---|
2094 | * Set login name. |
---|
2095 | */ |
---|
2096 | #ifndef _SYS_SYSPROTO_HH_ |
---|
2097 | struct setlogin_args { |
---|
2098 | char *namebuf; |
---|
2099 | }; |
---|
2100 | #endif |
---|
2101 | /* ARGSUSED */ |
---|
2102 | int |
---|
2103 | setlogin(struct thread *td, struct setlogin_args *uap) |
---|
2104 | { |
---|
2105 | struct proc *p = td->td_proc; |
---|
2106 | int error; |
---|
2107 | char logintmp[MAXLOGNAME]; |
---|
2108 | |
---|
2109 | error = priv_check(td, PRIV_PROC_SETLOGIN); |
---|
2110 | if (error) |
---|
2111 | return (error); |
---|
2112 | error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); |
---|
2113 | if (error == ENAMETOOLONG) |
---|
2114 | error = EINVAL; |
---|
2115 | else if (!error) { |
---|
2116 | PROC_LOCK(p); |
---|
2117 | SESS_LOCK(p->p_session); |
---|
2118 | (void) memcpy(p->p_session->s_login, logintmp, |
---|
2119 | sizeof(logintmp)); |
---|
2120 | SESS_UNLOCK(p->p_session); |
---|
2121 | PROC_UNLOCK(p); |
---|
2122 | } |
---|
2123 | return (error); |
---|
2124 | } |
---|
2125 | |
---|
2126 | void |
---|
2127 | setsugid(struct proc *p) |
---|
2128 | { |
---|
2129 | |
---|
2130 | PROC_LOCK_ASSERT(p, MA_OWNED); |
---|
2131 | p->p_flag |= P_SUGID; |
---|
2132 | if (!(p->p_pfsflags & PF_ISUGID)) |
---|
2133 | p->p_stops = 0; |
---|
2134 | } |
---|
2135 | |
---|
2136 | /*- |
---|
2137 | * Change a process's effective uid. |
---|
2138 | * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. |
---|
2139 | * References: newcred must be an exclusive credential reference for the |
---|
2140 | * duration of the call. |
---|
2141 | */ |
---|
2142 | void |
---|
2143 | change_euid(struct ucred *newcred, struct uidinfo *euip) |
---|
2144 | { |
---|
2145 | |
---|
2146 | newcred->cr_uid = euip->ui_uid; |
---|
2147 | uihold(euip); |
---|
2148 | uifree(newcred->cr_uidinfo); |
---|
2149 | newcred->cr_uidinfo = euip; |
---|
2150 | } |
---|
2151 | |
---|
2152 | /*- |
---|
2153 | * Change a process's effective gid. |
---|
2154 | * Side effects: newcred->cr_gid will be modified. |
---|
2155 | * References: newcred must be an exclusive credential reference for the |
---|
2156 | * duration of the call. |
---|
2157 | */ |
---|
2158 | void |
---|
2159 | change_egid(struct ucred *newcred, gid_t egid) |
---|
2160 | { |
---|
2161 | |
---|
2162 | newcred->cr_groups[0] = egid; |
---|
2163 | } |
---|
2164 | |
---|
2165 | /*- |
---|
2166 | * Change a process's real uid. |
---|
2167 | * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo |
---|
2168 | * will be updated, and the old and new cr_ruidinfo proc |
---|
2169 | * counts will be updated. |
---|
2170 | * References: newcred must be an exclusive credential reference for the |
---|
2171 | * duration of the call. |
---|
2172 | */ |
---|
2173 | void |
---|
2174 | change_ruid(struct ucred *newcred, struct uidinfo *ruip) |
---|
2175 | { |
---|
2176 | |
---|
2177 | (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); |
---|
2178 | newcred->cr_ruid = ruip->ui_uid; |
---|
2179 | uihold(ruip); |
---|
2180 | uifree(newcred->cr_ruidinfo); |
---|
2181 | newcred->cr_ruidinfo = ruip; |
---|
2182 | (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); |
---|
2183 | } |
---|
2184 | |
---|
2185 | /*- |
---|
2186 | * Change a process's real gid. |
---|
2187 | * Side effects: newcred->cr_rgid will be updated. |
---|
2188 | * References: newcred must be an exclusive credential reference for the |
---|
2189 | * duration of the call. |
---|
2190 | */ |
---|
2191 | void |
---|
2192 | change_rgid(struct ucred *newcred, gid_t rgid) |
---|
2193 | { |
---|
2194 | |
---|
2195 | newcred->cr_rgid = rgid; |
---|
2196 | } |
---|
2197 | |
---|
2198 | /*- |
---|
2199 | * Change a process's saved uid. |
---|
2200 | * Side effects: newcred->cr_svuid will be updated. |
---|
2201 | * References: newcred must be an exclusive credential reference for the |
---|
2202 | * duration of the call. |
---|
2203 | */ |
---|
2204 | void |
---|
2205 | change_svuid(struct ucred *newcred, uid_t svuid) |
---|
2206 | { |
---|
2207 | |
---|
2208 | newcred->cr_svuid = svuid; |
---|
2209 | } |
---|
2210 | |
---|
2211 | /*- |
---|
2212 | * Change a process's saved gid. |
---|
2213 | * Side effects: newcred->cr_svgid will be updated. |
---|
2214 | * References: newcred must be an exclusive credential reference for the |
---|
2215 | * duration of the call. |
---|
2216 | */ |
---|
2217 | void |
---|
2218 | change_svgid(struct ucred *newcred, gid_t svgid) |
---|
2219 | { |
---|
2220 | |
---|
2221 | newcred->cr_svgid = svgid; |
---|
2222 | } |
---|
2223 | #endif /* __rtems__ */ |
---|