| blob | 58d000f7c4f2567139e894cdb47d92321173234e |
1 /*
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. All advertising materials mentioning features or use of this software
19 * must display the following acknowledgement:
20 * This product includes software developed by the University of
21 * California, Berkeley and its contributors.
22 * 4. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 *
38 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
39 * $FreeBSD: src/sys/kern/kern_prot.c,v 1.53.2.9 2002/03/09 05:20:26 dd Exp $
40 * $DragonFly: src/sys/kern/kern_prot.c,v 1.21 2005/04/20 16:37:09 cpressey Exp $
41 */
43 /*
44 * System calls related to processes and protection
45 */
49 #include <sys/param.h>
50 #include <sys/acct.h>
51 #include <sys/systm.h>
52 #include <sys/sysproto.h>
53 #include <sys/kernel.h>
54 #include <sys/proc.h>
55 #include <sys/malloc.h>
56 #include <sys/pioctl.h>
57 #include <sys/resourcevar.h>
58 #include <sys/thread2.h>
59 #include <sys/jail.h>
60 #include <sys/lockf.h>
64 /*
65 * NOT MP SAFE due to p_pptr access
66 */
67 /* ARGSUSED */
68 int
70 {
74 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
76 #endif
78 }
80 /* ARGSUSED */
81 int
83 {
88 }
90 /*
91 * Get process group ID; note that POSIX getpgrp takes no parameter
92 *
93 * MP SAFE
94 */
95 int
97 {
102 }
104 /*
105 * Get an arbitary pid's process group id
106 */
107 int
109 {
119 found:
122 }
124 /*
125 * Get an arbitary pid's session id.
126 */
127 int
129 {
139 found:
142 }
145 /*
146 * getuid() - MP SAFE
147 */
148 /* ARGSUSED */
149 int
151 {
155 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
157 #endif
159 }
161 /*
162 * geteuid() - MP SAFE
163 */
164 /* ARGSUSED */
165 int
167 {
172 }
174 /*
175 * getgid() - MP SAFE
176 */
177 /* ARGSUSED */
178 int
180 {
184 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
186 #endif
188 }
190 /*
191 * Get effective group ID. The "egid" is groups[0], and could be obtained
192 * via getgroups. This syscall exists because it is somewhat painful to do
193 * correctly in a library function.
194 */
195 /* ARGSUSED */
196 int
198 {
203 }
205 int
207 {
210 u_int ngrp;
220 }
229 }
231 /* ARGSUSED */
232 int
234 {
243 }
244 }
246 /*
247 * set process group (setpgid/old setpgrp)
248 *
249 * caller does setpgid(targpid, targpgid)
250 *
251 * pid must be caller or child of caller (ESRCH)
252 * if a child
253 * pid must be in same session (EPERM)
254 * pid can't have done an exec (EACCES)
255 * if pgid != pid
256 * there must exist some pid in same session having pgid (EPERM)
257 * pid must not be session leader (EPERM)
258 */
259 /* ARGSUSED */
260 int
262 {
287 }
289 /*
290 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
291 * compatible. It says that setting the uid/gid to euid/egid is a special
292 * case of "appropriate privilege". Once the rules are expanded out, this
293 * basically means that setuid(nnn) sets all three id's, in all permitted
294 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
295 * does not set the saved id - this is dangerous for traditional BSD
296 * programs. For this reason, we *really* do not want to set
297 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
298 */
299 #define POSIX_APPENDIX_B_4_2_2
301 /* ARGSUSED */
302 int
304 {
307 uid_t uid;
314 /*
315 * See if we have "permission" by POSIX 1003.1 rules.
316 *
317 * Note that setuid(geteuid()) is a special case of
318 * "appropriate privileges" in appendix B.4.2.2. We need
319 * to use this clause to be compatible with traditional BSD
320 * semantics. Basically, it means that "setuid(xx)" sets all
321 * three id's (assuming you have privs).
322 *
323 * Notes on the logic. We do things in three steps.
324 * 1: We determine if the euid is going to change, and do EPERM
325 * right away. We unconditionally change the euid later if this
326 * test is satisfied, simplifying that part of the logic.
327 * 2: We determine if the real and/or saved uid's are going to
328 * change. Determined by compile options.
329 * 3: Change euid last. (after tests in #2 for "appropriate privs")
330 */
333 #ifdef _POSIX_SAVED_IDS
335 #endif
338 #endif
342 #ifdef _POSIX_SAVED_IDS
343 /*
344 * Do we have "appropriate privileges" (are we root or uid == euid)
345 * If so, we are changing the real uid and/or saved uid.
346 */
350 #endif
352 #endif
353 {
354 /*
355 * Set the real uid and transfer proc count to new user.
356 */
360 }
361 /*
362 * Set saved uid
363 *
364 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
365 * the security of seteuid() depends on it. B.4.2.2 says it
366 * is important that we should do this.
367 */
372 }
373 }
375 /*
376 * In all permitted cases, we are changing the euid.
377 * Copy credentials so other references do not see our changes.
378 */
382 }
384 }
386 /* ARGSUSED */
387 int
389 {
392 uid_t euid;
404 /*
405 * Everything's okay, do it. Copy credentials so other references do
406 * not see our changes.
407 */
411 }
413 }
415 /* ARGSUSED */
416 int
418 {
421 gid_t gid;
428 /*
429 * See if we have "permission" by POSIX 1003.1 rules.
430 *
431 * Note that setgid(getegid()) is a special case of
432 * "appropriate privileges" in appendix B.4.2.2. We need
433 * to use this clause to be compatible with traditional BSD
434 * semantics. Basically, it means that "setgid(xx)" sets all
435 * three id's (assuming you have privs).
436 *
437 * For notes on the logic here, see setuid() above.
438 */
441 #ifdef _POSIX_SAVED_IDS
443 #endif
446 #endif
450 #ifdef _POSIX_SAVED_IDS
451 /*
452 * Do we have "appropriate privileges" (are we root or gid == egid)
453 * If so, we are changing the real uid and saved gid.
454 */
458 #endif
460 #endif
461 {
462 /*
463 * Set real gid
464 */
469 }
470 /*
471 * Set saved gid
472 *
473 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
474 * the security of setegid() depends on it. B.4.2.2 says it
475 * is important that we should do this.
476 */
481 }
482 }
483 /*
484 * In all cases permitted cases, we are changing the egid.
485 * Copy credentials so other references do not see our changes.
486 */
491 }
493 }
495 /* ARGSUSED */
496 int
498 {
501 gid_t egid;
517 }
519 }
521 /* ARGSUSED */
522 int
524 {
527 u_int ngrp;
539 /*
540 * XXX A little bit lazy here. We could test if anything has
541 * changed before cratom() and setting P_SUGID.
542 */
545 /*
546 * setgroups(0, NULL) is a legitimate way of clearing the
547 * groups vector on non-BSD systems (which generally do not
548 * have the egid in the groups[0]). We risk security holes
549 * when running non-BSD software if we do not do the same.
550 */
557 }
560 }
562 /* ARGSUSED */
563 int
565 {
586 }
590 }
596 }
598 }
600 /* ARGSUSED */
601 int
603 {
625 }
630 }
636 }
638 }
640 /*
641 * setresuid(ruid, euid, suid) is like setreuid except control over the
642 * saved uid is explicit.
643 */
645 /* ARGSUSED */
646 int
648 {
669 }
673 }
678 }
680 }
682 /*
683 * setresgid(rgid, egid, sgid) is like setregid except control over the
684 * saved gid is explicit.
685 */
687 /* ARGSUSED */
688 int
690 {
713 }
718 }
723 }
725 }
727 /* ARGSUSED */
728 int
730 {
745 }
747 /* ARGSUSED */
748 int
750 {
765 }
768 /* ARGSUSED */
769 int
771 {
773 /*
774 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
775 * we use P_SUGID because we consider changing the owners as
776 * "tainting" as well.
777 * This is significant for procs that start as root and "become"
778 * a user without an exec - programs cannot know *everything*
779 * that libc *might* have put in their data segment.
780 */
783 }
785 /*
786 * Check if gid is a member of the group set.
787 */
788 int
790 {
798 }
800 }
802 /*
803 * Test whether the specified credentials imply "super-user"
804 * privilege; if so, and we have accounting info, set the flag
805 * indicating use of super-powers. A kernel thread without a process
806 * context is assumed to have super user capabilities. In situations
807 * where the caller always expect a cred to exist, the cred should be
808 * passed separately and suser_cred()should be used instead of suser().
809 *
810 * Returns 0 or error.
811 */
812 int
814 {
821 }
822 }
824 /*
825 * A non-null credential is expected unless NULL_CRED_OKAY is set.
826 */
827 int
829 {
836 else
838 }
843 /* NOTE: accounting for suser access (p_acflag/ASU) removed */
845 }
847 /*
848 * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise.
849 */
850 int
852 {
868 }
870 /*
871 * Allocate a zeroed cred structure.
872 */
875 {
882 }
884 /*
885 * Claim another reference to a ucred structure. Can be used with special
886 * creds.
887 */
890 {
894 }
896 /*
897 * Free a cred structure.
898 * Throws away space when ref count gets to 0.
899 * MPSAFE
900 */
901 void
903 {
904 /* Protect crfree() as a critical section as there
905 * appears to be a crfree race which can occur on
906 * SMP systems.
907 */
913 /*
914 * Some callers of crget(), such as nfs_statfs(),
915 * allocate a temporary credential, but don't
916 * allocate a uidinfo structure.
917 */
921 }
925 }
927 /*
928 * Destroy empty prisons
929 */
935 }
937 }
939 /*
940 * Atomize a cred structure so it can be modified without polluting
941 * other references to it.
942 */
945 {
964 }
967 /*
968 * Copy cred structure to a new one and free the old one.
969 */
972 {
988 }
989 #endif
991 /*
992 * Dup cred struct to a new held one.
993 */
996 {
1009 }
1011 /*
1012 * Fill in a struct xucred based on a struct ucred.
1013 */
1014 void
1016 {
1023 }
1025 /*
1026 * Get login name, if available.
1027 */
1028 /* ARGSUSED */
1029 int
1031 {
1038 }
1040 /*
1041 * Set login name.
1042 */
1043 /* ARGSUSED */
1044 int
1046 {
1062 }
1064 void
1066 {
1073 }
1075 /*
1076 * Helper function to change the effective uid of a process
1077 */
1078 void
1080 {
1090 }
1092 /*
1093 * Helper function to change the real uid of a process
1094 *
1095 * The per-uid process count for this process is transfered from
1096 * the old uid to the new uid.
1097 */
1098 void
1100 {
1108 /* It is assumed that pcred is not shared between processes */
1112 }