search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add strnvis, which is orthogonal to strvisx by bounding dst, not src.
[dragonfly/netmp.git] / sys / kern / kern_prot.c
blob58d000f7c4f2567139e894cdb47d92321173234e
1 /*
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. All advertising materials mentioning features or use of this software
19 * must display the following acknowledgement:
20 * This product includes software developed by the University of
21 * California, Berkeley and its contributors.
22 * 4. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 *
38 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
39 * $FreeBSD: src/sys/kern/kern_prot.c,v 1.53.2.9 2002/03/09 05:20:26 dd Exp $
40 * $DragonFly: src/sys/kern/kern_prot.c,v 1.21 2005/04/20 16:37:09 cpressey Exp $
41 */
42
43 /*
44 * System calls related to processes and protection
45 */
46
47 #include "opt_compat.h"
48
49 #include <sys/param.h>
50 #include <sys/acct.h>
51 #include <sys/systm.h>
52 #include <sys/sysproto.h>
53 #include <sys/kernel.h>
54 #include <sys/proc.h>
55 #include <sys/malloc.h>
56 #include <sys/pioctl.h>
57 #include <sys/resourcevar.h>
58 #include <sys/thread2.h>
59 #include <sys/jail.h>
60 #include <sys/lockf.h>
61
62 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
63
64 /*
65 * NOT MP SAFE due to p_pptr access
66 */
67 /* ARGSUSED */
68 int
69 getpid(struct getpid_args *uap)
70 {
71 struct proc *p = curproc;
72
73 uap->sysmsg_fds[0] = p->p_pid;
74 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
75 uap->sysmsg_fds[1] = p->p_pptr->p_pid;
76 #endif
77 return (0);
78 }
79
80 /* ARGSUSED */
81 int
82 getppid(struct getppid_args *uap)
83 {
84 struct proc *p = curproc;
85
86 uap->sysmsg_result = p->p_pptr->p_pid;
87 return (0);
88 }
89
90 /*
91 * Get process group ID; note that POSIX getpgrp takes no parameter
92 *
93 * MP SAFE
94 */
95 int
96 getpgrp(struct getpgrp_args *uap)
97 {
98 struct proc *p = curproc;
99
100 uap->sysmsg_result = p->p_pgrp->pg_id;
101 return (0);
102 }
103
104 /*
105 * Get an arbitary pid's process group id
106 */
107 int
108 getpgid(struct getpgid_args *uap)
109 {
110 struct proc *p = curproc;
111 struct proc *pt;
112
113 pt = p;
114 if (uap->pid == 0)
115 goto found;
116
117 if ((pt = pfind(uap->pid)) == 0)
118 return ESRCH;
119 found:
120 uap->sysmsg_result = pt->p_pgrp->pg_id;
121 return 0;
122 }
123
124 /*
125 * Get an arbitary pid's session id.
126 */
127 int
128 getsid(struct getsid_args *uap)
129 {
130 struct proc *p = curproc;
131 struct proc *pt;
132
133 pt = p;
134 if (uap->pid == 0)
135 goto found;
136
137 if ((pt = pfind(uap->pid)) == 0)
138 return ESRCH;
139 found:
140 uap->sysmsg_result = pt->p_session->s_sid;
141 return 0;
142 }
143
144
145 /*
146 * getuid() - MP SAFE
147 */
148 /* ARGSUSED */
149 int
150 getuid(struct getuid_args *uap)
151 {
152 struct proc *p = curproc;
153
154 uap->sysmsg_fds[0] = p->p_ucred->cr_ruid;
155 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
156 uap->sysmsg_fds[1] = p->p_ucred->cr_uid;
157 #endif
158 return (0);
159 }
160
161 /*
162 * geteuid() - MP SAFE
163 */
164 /* ARGSUSED */
165 int
166 geteuid(struct geteuid_args *uap)
167 {
168 struct proc *p = curproc;
169
170 uap->sysmsg_result = p->p_ucred->cr_uid;
171 return (0);
172 }
173
174 /*
175 * getgid() - MP SAFE
176 */
177 /* ARGSUSED */
178 int
179 getgid(struct getgid_args *uap)
180 {
181 struct proc *p = curproc;
182
183 uap->sysmsg_fds[0] = p->p_ucred->cr_rgid;
184 #if defined(COMPAT_43) || defined(COMPAT_SUNOS)
185 uap->sysmsg_fds[1] = p->p_ucred->cr_groups[0];
186 #endif
187 return (0);
188 }
189
190 /*
191 * Get effective group ID. The "egid" is groups[0], and could be obtained
192 * via getgroups. This syscall exists because it is somewhat painful to do
193 * correctly in a library function.
194 */
195 /* ARGSUSED */
196 int
197 getegid(struct getegid_args *uap)
198 {
199 struct proc *p = curproc;
200
201 uap->sysmsg_result = p->p_ucred->cr_groups[0];
202 return (0);
203 }
204
205 int
206 getgroups(struct getgroups_args *uap)
207 {
208 struct proc *p = curproc;
209 struct ucred *cr;
210 u_int ngrp;
211 int error;
212
213 if (p == NULL) /* API enforcement */
214 return(EPERM);
215 cr = p->p_ucred;
216
217 if ((ngrp = uap->gidsetsize) == 0) {
218 uap->sysmsg_result = cr->cr_ngroups;
219 return (0);
220 }
221 if (ngrp < cr->cr_ngroups)
222 return (EINVAL);
223 ngrp = cr->cr_ngroups;
224 if ((error = copyout((caddr_t)cr->cr_groups,
225 (caddr_t)uap->gidset, ngrp * sizeof(gid_t))))
226 return (error);
227 uap->sysmsg_result = ngrp;
228 return (0);
229 }
230
231 /* ARGSUSED */
232 int
233 setsid(struct setsid_args *uap)
234 {
235 struct proc *p = curproc;
236
237 if (p->p_pgid == p->p_pid || pgfind(p->p_pid)) {
238 return (EPERM);
239 } else {
240 (void)enterpgrp(p, p->p_pid, 1);
241 uap->sysmsg_result = p->p_pid;
242 return (0);
243 }
244 }
245
246 /*
247 * set process group (setpgid/old setpgrp)
248 *
249 * caller does setpgid(targpid, targpgid)
250 *
251 * pid must be caller or child of caller (ESRCH)
252 * if a child
253 * pid must be in same session (EPERM)
254 * pid can't have done an exec (EACCES)
255 * if pgid != pid
256 * there must exist some pid in same session having pgid (EPERM)
257 * pid must not be session leader (EPERM)
258 */
259 /* ARGSUSED */
260 int
261 setpgid(struct setpgid_args *uap)
262 {
263 struct proc *curp = curproc;
264 struct proc *targp; /* target process */
265 struct pgrp *pgrp; /* target pgrp */
266
267 if (uap->pgid < 0)
268 return (EINVAL);
269 if (uap->pid != 0 && uap->pid != curp->p_pid) {
270 if ((targp = pfind(uap->pid)) == 0 || !inferior(targp))
271 return (ESRCH);
272 if (targp->p_pgrp == NULL || targp->p_session != curp->p_session)
273 return (EPERM);
274 if (targp->p_flag & P_EXEC)
275 return (EACCES);
276 } else
277 targp = curp;
278 if (SESS_LEADER(targp))
279 return (EPERM);
280 if (uap->pgid == 0)
281 uap->pgid = targp->p_pid;
282 else if (uap->pgid != targp->p_pid)
283 if ((pgrp = pgfind(uap->pgid)) == 0 ||
284 pgrp->pg_session != curp->p_session)
285 return (EPERM);
286 return (enterpgrp(targp, uap->pgid, 0));
287 }
288
289 /*
290 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
291 * compatible. It says that setting the uid/gid to euid/egid is a special
292 * case of "appropriate privilege". Once the rules are expanded out, this
293 * basically means that setuid(nnn) sets all three id's, in all permitted
294 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
295 * does not set the saved id - this is dangerous for traditional BSD
296 * programs. For this reason, we *really* do not want to set
297 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
298 */
299 #define POSIX_APPENDIX_B_4_2_2
300
301 /* ARGSUSED */
302 int
303 setuid(struct setuid_args *uap)
304 {
305 struct proc *p = curproc;
306 struct ucred *cr;
307 uid_t uid;
308 int error;
309
310 if (p == NULL) /* API enforcement */
311 return(EPERM);
312 cr = p->p_ucred;
313
314 /*
315 * See if we have "permission" by POSIX 1003.1 rules.
316 *
317 * Note that setuid(geteuid()) is a special case of
318 * "appropriate privileges" in appendix B.4.2.2. We need
319 * to use this clause to be compatible with traditional BSD
320 * semantics. Basically, it means that "setuid(xx)" sets all
321 * three id's (assuming you have privs).
322 *
323 * Notes on the logic. We do things in three steps.
324 * 1: We determine if the euid is going to change, and do EPERM
325 * right away. We unconditionally change the euid later if this
326 * test is satisfied, simplifying that part of the logic.
327 * 2: We determine if the real and/or saved uid's are going to
328 * change. Determined by compile options.
329 * 3: Change euid last. (after tests in #2 for "appropriate privs")
330 */
331 uid = uap->uid;
332 if (uid != cr->cr_ruid && /* allow setuid(getuid()) */
333 #ifdef _POSIX_SAVED_IDS
334 uid != crc->cr_svuid && /* allow setuid(saved gid) */
335 #endif
336 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
337 uid != cr->cr_uid && /* allow setuid(geteuid()) */
338 #endif
339 (error = suser_cred(cr, PRISON_ROOT)))
340 return (error);
341
342 #ifdef _POSIX_SAVED_IDS
343 /*
344 * Do we have "appropriate privileges" (are we root or uid == euid)
345 * If so, we are changing the real uid and/or saved uid.
346 */
347 if (
348 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
349 uid == cr->cr_uid ||
350 #endif
351 suser_cred(cr, PRISON_ROOT) == 0) /* we are using privs */
352 #endif
353 {
354 /*
355 * Set the real uid and transfer proc count to new user.
356 */
357 if (uid != cr->cr_ruid) {
358 change_ruid(uid);
359 setsugid();
360 }
361 /*
362 * Set saved uid
363 *
364 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
365 * the security of seteuid() depends on it. B.4.2.2 says it
366 * is important that we should do this.
367 */
368 if (cr->cr_svuid != uid) {
369 cr = cratom(&p->p_ucred);
370 cr->cr_svuid = uid;
371 setsugid();
372 }
373 }
374
375 /*
376 * In all permitted cases, we are changing the euid.
377 * Copy credentials so other references do not see our changes.
378 */
379 if (cr->cr_uid != uid) {
380 change_euid(uid);
381 setsugid();
382 }
383 return (0);
384 }
385
386 /* ARGSUSED */
387 int
388 seteuid(struct seteuid_args *uap)
389 {
390 struct proc *p = curproc;
391 struct ucred *cr;
392 uid_t euid;
393 int error;
394
395 if (p == NULL) /* API enforcement */
396 return(EPERM);
397
398 cr = p->p_ucred;
399 euid = uap->euid;
400 if (euid != cr->cr_ruid && /* allow seteuid(getuid()) */
401 euid != cr->cr_svuid && /* allow seteuid(saved uid) */
402 (error = suser_cred(cr, PRISON_ROOT)))
403 return (error);
404 /*
405 * Everything's okay, do it. Copy credentials so other references do
406 * not see our changes.
407 */
408 if (cr->cr_uid != euid) {
409 change_euid(euid);
410 setsugid();
411 }
412 return (0);
413 }
414
415 /* ARGSUSED */
416 int
417 setgid(struct setgid_args *uap)
418 {
419 struct proc *p = curproc;
420 struct ucred *cr;
421 gid_t gid;
422 int error;
423
424 if (p == NULL) /* API enforcement */
425 return(EPERM);
426 cr = p->p_ucred;
427
428 /*
429 * See if we have "permission" by POSIX 1003.1 rules.
430 *
431 * Note that setgid(getegid()) is a special case of
432 * "appropriate privileges" in appendix B.4.2.2. We need
433 * to use this clause to be compatible with traditional BSD
434 * semantics. Basically, it means that "setgid(xx)" sets all
435 * three id's (assuming you have privs).
436 *
437 * For notes on the logic here, see setuid() above.
438 */
439 gid = uap->gid;
440 if (gid != cr->cr_rgid && /* allow setgid(getgid()) */
441 #ifdef _POSIX_SAVED_IDS
442 gid != cr->cr_svgid && /* allow setgid(saved gid) */
443 #endif
444 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
445 gid != cr->cr_groups[0] && /* allow setgid(getegid()) */
446 #endif
447 (error = suser_cred(cr, PRISON_ROOT)))
448 return (error);
449
450 #ifdef _POSIX_SAVED_IDS
451 /*
452 * Do we have "appropriate privileges" (are we root or gid == egid)
453 * If so, we are changing the real uid and saved gid.
454 */
455 if (
456 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
457 gid == cr->cr_groups[0] ||
458 #endif
459 suser_cred(cr, PRISON_ROOT) == 0) /* we are using privs */
460 #endif
461 {
462 /*
463 * Set real gid
464 */
465 if (cr->cr_rgid != gid) {
466 cr = cratom(&p->p_ucred);
467 cr->cr_rgid = gid;
468 setsugid();
469 }
470 /*
471 * Set saved gid
472 *
473 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
474 * the security of setegid() depends on it. B.4.2.2 says it
475 * is important that we should do this.
476 */
477 if (cr->cr_svgid != gid) {
478 cr = cratom(&p->p_ucred);
479 cr->cr_svgid = gid;
480 setsugid();
481 }
482 }
483 /*
484 * In all cases permitted cases, we are changing the egid.
485 * Copy credentials so other references do not see our changes.
486 */
487 if (cr->cr_groups[0] != gid) {
488 cr = cratom(&p->p_ucred);
489 cr->cr_groups[0] = gid;
490 setsugid();
491 }
492 return (0);
493 }
494
495 /* ARGSUSED */
496 int
497 setegid(struct setegid_args *uap)
498 {
499 struct proc *p = curproc;
500 struct ucred *cr;
501 gid_t egid;
502 int error;
503
504 if (p == NULL) /* API enforcement */
505 return(EPERM);
506 cr = p->p_ucred;
507
508 egid = uap->egid;
509 if (egid != cr->cr_rgid && /* allow setegid(getgid()) */
510 egid != cr->cr_svgid && /* allow setegid(saved gid) */
511 (error = suser_cred(cr, PRISON_ROOT)))
512 return (error);
513 if (cr->cr_groups[0] != egid) {
514 cr = cratom(&p->p_ucred);
515 cr->cr_groups[0] = egid;
516 setsugid();
517 }
518 return (0);
519 }
520
521 /* ARGSUSED */
522 int
523 setgroups(struct setgroups_args *uap)
524 {
525 struct proc *p = curproc;
526 struct ucred *cr;
527 u_int ngrp;
528 int error;
529
530 if (p == NULL) /* API enforcement */
531 return(EPERM);
532 cr = p->p_ucred;
533
534 if ((error = suser_cred(cr, PRISON_ROOT)))
535 return (error);
536 ngrp = uap->gidsetsize;
537 if (ngrp > NGROUPS)
538 return (EINVAL);
539 /*
540 * XXX A little bit lazy here. We could test if anything has
541 * changed before cratom() and setting P_SUGID.
542 */
543 cr = cratom(&p->p_ucred);
544 if (ngrp < 1) {
545 /*
546 * setgroups(0, NULL) is a legitimate way of clearing the
547 * groups vector on non-BSD systems (which generally do not
548 * have the egid in the groups[0]). We risk security holes
549 * when running non-BSD software if we do not do the same.
550 */
551 cr->cr_ngroups = 1;
552 } else {
553 if ((error = copyin((caddr_t)uap->gidset,
554 (caddr_t)cr->cr_groups, ngrp * sizeof(gid_t))))
555 return (error);
556 cr->cr_ngroups = ngrp;
557 }
558 setsugid();
559 return (0);
560 }
561
562 /* ARGSUSED */
563 int
564 setreuid(struct setreuid_args *uap)
565 {
566 struct proc *p = curproc;
567 struct ucred *cr;
568 uid_t ruid, euid;
569 int error;
570
571 if (p == NULL) /* API enforcement */
572 return(EPERM);
573 cr = p->p_ucred;
574
575 ruid = uap->ruid;
576 euid = uap->euid;
577 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && ruid != cr->cr_svuid) ||
578 (euid != (uid_t)-1 && euid != cr->cr_uid &&
579 euid != cr->cr_ruid && euid != cr->cr_svuid)) &&
580 (error = suser_cred(cr, PRISON_ROOT)) != 0)
581 return (error);
582
583 if (euid != (uid_t)-1 && cr->cr_uid != euid) {
584 change_euid(euid);
585 setsugid();
586 }
587 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) {
588 change_ruid(ruid);
589 setsugid();
590 }
591 if ((ruid != (uid_t)-1 || cr->cr_uid != cr->cr_ruid) &&
592 cr->cr_svuid != cr->cr_uid) {
593 cr = cratom(&p->p_ucred);
594 cr->cr_svuid = cr->cr_uid;
595 setsugid();
596 }
597 return (0);
598 }
599
600 /* ARGSUSED */
601 int
602 setregid(struct setregid_args *uap)
603 {
604 struct proc *p = curproc;
605 struct ucred *cr;
606 gid_t rgid, egid;
607 int error;
608
609 if (p == NULL) /* API enforcement */
610 return(EPERM);
611 cr = p->p_ucred;
612
613 rgid = uap->rgid;
614 egid = uap->egid;
615 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && rgid != cr->cr_svgid) ||
616 (egid != (gid_t)-1 && egid != cr->cr_groups[0] &&
617 egid != cr->cr_rgid && egid != cr->cr_svgid)) &&
618 (error = suser_cred(cr, PRISON_ROOT)) != 0)
619 return (error);
620
621 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) {
622 cr = cratom(&p->p_ucred);
623 cr->cr_groups[0] = egid;
624 setsugid();
625 }
626 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) {
627 cr = cratom(&p->p_ucred);
628 cr->cr_rgid = rgid;
629 setsugid();
630 }
631 if ((rgid != (gid_t)-1 || cr->cr_groups[0] != cr->cr_rgid) &&
632 cr->cr_svgid != cr->cr_groups[0]) {
633 cr = cratom(&p->p_ucred);
634 cr->cr_svgid = cr->cr_groups[0];
635 setsugid();
636 }
637 return (0);
638 }
639
640 /*
641 * setresuid(ruid, euid, suid) is like setreuid except control over the
642 * saved uid is explicit.
643 */
644
645 /* ARGSUSED */
646 int
647 setresuid(struct setresuid_args *uap)
648 {
649 struct proc *p = curproc;
650 struct ucred *cr;
651 uid_t ruid, euid, suid;
652 int error;
653
654 cr = p->p_ucred;
655 ruid = uap->ruid;
656 euid = uap->euid;
657 suid = uap->suid;
658 if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && ruid != cr->cr_svuid &&
659 ruid != cr->cr_uid) ||
660 (euid != (uid_t)-1 && euid != cr->cr_ruid && euid != cr->cr_svuid &&
661 euid != cr->cr_uid) ||
662 (suid != (uid_t)-1 && suid != cr->cr_ruid && suid != cr->cr_svuid &&
663 suid != cr->cr_uid)) &&
664 (error = suser_cred(cr, PRISON_ROOT)) != 0)
665 return (error);
666 if (euid != (uid_t)-1 && cr->cr_uid != euid) {
667 change_euid(euid);
668 setsugid();
669 }
670 if (ruid != (uid_t)-1 && cr->cr_ruid != ruid) {
671 change_ruid(ruid);
672 setsugid();
673 }
674 if (suid != (uid_t)-1 && cr->cr_svuid != suid) {
675 cr = cratom(&p->p_ucred);
676 cr->cr_svuid = suid;
677 setsugid();
678 }
679 return (0);
680 }
681
682 /*
683 * setresgid(rgid, egid, sgid) is like setregid except control over the
684 * saved gid is explicit.
685 */
686
687 /* ARGSUSED */
688 int
689 setresgid(struct setresgid_args *uap)
690 {
691 struct proc *p = curproc;
692 struct ucred *cr;
693 gid_t rgid, egid, sgid;
694 int error;
695
696 cr = p->p_ucred;
697 rgid = uap->rgid;
698 egid = uap->egid;
699 sgid = uap->sgid;
700 if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && rgid != cr->cr_svgid &&
701 rgid != cr->cr_groups[0]) ||
702 (egid != (gid_t)-1 && egid != cr->cr_rgid && egid != cr->cr_svgid &&
703 egid != cr->cr_groups[0]) ||
704 (sgid != (gid_t)-1 && sgid != cr->cr_rgid && sgid != cr->cr_svgid &&
705 sgid != cr->cr_groups[0])) &&
706 (error = suser_cred(cr, PRISON_ROOT)) != 0)
707 return (error);
708
709 if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) {
710 cr = cratom(&p->p_ucred);
711 cr->cr_groups[0] = egid;
712 setsugid();
713 }
714 if (rgid != (gid_t)-1 && cr->cr_rgid != rgid) {
715 cr = cratom(&p->p_ucred);
716 cr->cr_rgid = rgid;
717 setsugid();
718 }
719 if (sgid != (gid_t)-1 && cr->cr_svgid != sgid) {
720 cr = cratom(&p->p_ucred);
721 cr->cr_svgid = sgid;
722 setsugid();
723 }
724 return (0);
725 }
726
727 /* ARGSUSED */
728 int
729 getresuid(struct getresuid_args *uap)
730 {
731 struct proc *p = curproc;
732 struct ucred *cr = p->p_ucred;
733 int error1 = 0, error2 = 0, error3 = 0;
734
735 if (uap->ruid)
736 error1 = copyout((caddr_t)&cr->cr_ruid,
737 (caddr_t)uap->ruid, sizeof(cr->cr_ruid));
738 if (uap->euid)
739 error2 = copyout((caddr_t)&cr->cr_uid,
740 (caddr_t)uap->euid, sizeof(cr->cr_uid));
741 if (uap->suid)
742 error3 = copyout((caddr_t)&cr->cr_svuid,
743 (caddr_t)uap->suid, sizeof(cr->cr_svuid));
744 return error1 ? error1 : (error2 ? error2 : error3);
745 }
746
747 /* ARGSUSED */
748 int
749 getresgid(struct getresgid_args *uap)
750 {
751 struct proc *p = curproc;
752 struct ucred *cr = p->p_ucred;
753 int error1 = 0, error2 = 0, error3 = 0;
754
755 if (uap->rgid)
756 error1 = copyout((caddr_t)&cr->cr_rgid,
757 (caddr_t)uap->rgid, sizeof(cr->cr_rgid));
758 if (uap->egid)
759 error2 = copyout((caddr_t)&cr->cr_groups[0],
760 (caddr_t)uap->egid, sizeof(cr->cr_groups[0]));
761 if (uap->sgid)
762 error3 = copyout((caddr_t)&cr->cr_svgid,
763 (caddr_t)uap->sgid, sizeof(cr->cr_svgid));
764 return error1 ? error1 : (error2 ? error2 : error3);
765 }
766
767
768 /* ARGSUSED */
769 int
770 issetugid(struct issetugid_args *uap)
771 {
772 struct proc *p = curproc;
773 /*
774 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
775 * we use P_SUGID because we consider changing the owners as
776 * "tainting" as well.
777 * This is significant for procs that start as root and "become"
778 * a user without an exec - programs cannot know *everything*
779 * that libc *might* have put in their data segment.
780 */
781 uap->sysmsg_result = (p->p_flag & P_SUGID) ? 1 : 0;
782 return (0);
783 }
784
785 /*
786 * Check if gid is a member of the group set.
787 */
788 int
789 groupmember(gid_t gid, struct ucred *cred)
790 {
791 gid_t *gp;
792 gid_t *egp;
793
794 egp = &(cred->cr_groups[cred->cr_ngroups]);
795 for (gp = cred->cr_groups; gp < egp; gp++) {
796 if (*gp == gid)
797 return (1);
798 }
799 return (0);
800 }
801
802 /*
803 * Test whether the specified credentials imply "super-user"
804 * privilege; if so, and we have accounting info, set the flag
805 * indicating use of super-powers. A kernel thread without a process
806 * context is assumed to have super user capabilities. In situations
807 * where the caller always expect a cred to exist, the cred should be
808 * passed separately and suser_cred()should be used instead of suser().
809 *
810 * Returns 0 or error.
811 */
812 int
813 suser(struct thread *td)
814 {
815 struct proc *p = td->td_proc;
816
817 if (p != NULL) {
818 return suser_cred(p->p_ucred, 0);
819 } else {
820 return (0);
821 }
822 }
823
824 /*
825 * A non-null credential is expected unless NULL_CRED_OKAY is set.
826 */
827 int
828 suser_cred(struct ucred *cred, int flag)
829 {
830 KASSERT(cred != NULL || flag & NULL_CRED_OKAY,
831 ("suser_cred: NULL cred!"));
832
833 if (cred == NULL) {
834 if (flag & NULL_CRED_OKAY)
835 return (0);
836 else
837 return (EPERM);
838 }
839 if (cred->cr_uid != 0)
840 return (EPERM);
841 if (cred->cr_prison && !(flag & PRISON_ROOT))
842 return (EPERM);
843 /* NOTE: accounting for suser access (p_acflag/ASU) removed */
844 return (0);
845 }
846
847 /*
848 * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise.
849 */
850 int
851 p_trespass(struct ucred *cr1, struct ucred *cr2)
852 {
853 if (cr1 == cr2)
854 return (0);
855 if (!PRISON_CHECK(cr1, cr2))
856 return (ESRCH);
857 if (cr1->cr_ruid == cr2->cr_ruid)
858 return (0);
859 if (cr1->cr_uid == cr2->cr_ruid)
860 return (0);
861 if (cr1->cr_ruid == cr2->cr_uid)
862 return (0);
863 if (cr1->cr_uid == cr2->cr_uid)
864 return (0);
865 if (suser_cred(cr1, PRISON_ROOT) == 0)
866 return (0);
867 return (EPERM);
868 }
869
870 /*
871 * Allocate a zeroed cred structure.
872 */
873 struct ucred *
874 crget(void)
875 {
876 struct ucred *cr;
877
878 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK);
879 bzero((caddr_t)cr, sizeof(*cr));
880 cr->cr_ref = 1;
881 return (cr);
882 }
883
884 /*
885 * Claim another reference to a ucred structure. Can be used with special
886 * creds.
887 */
888 struct ucred *
889 crhold(struct ucred *cr)
890 {
891 if (cr != NOCRED && cr != FSCRED)
892 cr->cr_ref++;
893 return(cr);
894 }
895
896 /*
897 * Free a cred structure.
898 * Throws away space when ref count gets to 0.
899 * MPSAFE
900 */
901 void
902 crfree(struct ucred *cr)
903 {
904 /* Protect crfree() as a critical section as there
905 * appears to be a crfree race which can occur on
906 * SMP systems.
907 */
908 crit_enter();
909 if (cr->cr_ref == 0)
910 panic("Freeing already free credential! %p", cr);
911
912 if (--cr->cr_ref == 0) {
913 /*
914 * Some callers of crget(), such as nfs_statfs(),
915 * allocate a temporary credential, but don't
916 * allocate a uidinfo structure.
917 */
918 if (cr->cr_uidinfo != NULL) {
919 uidrop(cr->cr_uidinfo);
920 cr->cr_uidinfo = NULL;
921 }
922 if (cr->cr_ruidinfo != NULL) {
923 uidrop(cr->cr_ruidinfo);
924 cr->cr_ruidinfo = NULL;
925 }
926
927 /*
928 * Destroy empty prisons
929 */
930 if (jailed(cr))
931 prison_free(cr->cr_prison);
932 cr->cr_prison = NULL; /* safety */
933
934 FREE((caddr_t)cr, M_CRED);
935 }
936 crit_exit();
937 }
938
939 /*
940 * Atomize a cred structure so it can be modified without polluting
941 * other references to it.
942 */
943 struct ucred *
944 cratom(struct ucred **pcr)
945 {
946 struct ucred *oldcr;
947 struct ucred *newcr;
948
949 oldcr = *pcr;
950 if (oldcr->cr_ref == 1)
951 return (oldcr);
952 newcr = crget();
953 *newcr = *oldcr;
954 if (newcr->cr_uidinfo)
955 uihold(newcr->cr_uidinfo);
956 if (newcr->cr_ruidinfo)
957 uihold(newcr->cr_ruidinfo);
958 if (jailed(newcr))
959 prison_hold(newcr->cr_prison);
960 newcr->cr_ref = 1;
961 crfree(oldcr);
962 *pcr = newcr;
963 return (newcr);
964 }
965
966 #if 0 /* no longer used but keep around for a little while */
967 /*
968 * Copy cred structure to a new one and free the old one.
969 */
970 struct ucred *
971 crcopy(struct ucred *cr)
972 {
973 struct ucred *newcr;
974
975 if (cr->cr_ref == 1)
976 return (cr);
977 newcr = crget();
978 *newcr = *cr;
979 if (newcr->cr_uidinfo)
980 uihold(newcr->cr_uidinfo);
981 if (newcr->cr_ruidinfo)
982 uihold(newcr->cr_ruidinfo);
983 if (jailed(newcr))
984 prison_hold(newcr->cr_prison);
985 newcr->cr_ref = 1;
986 crfree(cr);
987 return (newcr);
988 }
989 #endif
990
991 /*
992 * Dup cred struct to a new held one.
993 */
994 struct ucred *
995 crdup(struct ucred *cr)
996 {
997 struct ucred *newcr;
998
999 newcr = crget();
1000 *newcr = *cr;
1001 if (newcr->cr_uidinfo)
1002 uihold(newcr->cr_uidinfo);
1003 if (newcr->cr_ruidinfo)
1004 uihold(newcr->cr_ruidinfo);
1005 if (jailed(newcr))
1006 prison_hold(newcr->cr_prison);
1007 newcr->cr_ref = 1;
1008 return (newcr);
1009 }
1010
1011 /*
1012 * Fill in a struct xucred based on a struct ucred.
1013 */
1014 void
1015 cru2x(struct ucred *cr, struct xucred *xcr)
1016 {
1017
1018 bzero(xcr, sizeof(*xcr));
1019 xcr->cr_version = XUCRED_VERSION;
1020 xcr->cr_uid = cr->cr_uid;
1021 xcr->cr_ngroups = cr->cr_ngroups;
1022 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1023 }
1024
1025 /*
1026 * Get login name, if available.
1027 */
1028 /* ARGSUSED */
1029 int
1030 getlogin(struct getlogin_args *uap)
1031 {
1032 struct proc *p = curproc;
1033
1034 if (uap->namelen > MAXLOGNAME)
1035 uap->namelen = MAXLOGNAME;
1036 return (copyout((caddr_t) p->p_pgrp->pg_session->s_login,
1037 (caddr_t) uap->namebuf, uap->namelen));
1038 }
1039
1040 /*
1041 * Set login name.
1042 */
1043 /* ARGSUSED */
1044 int
1045 setlogin(struct setlogin_args *uap)
1046 {
1047 struct proc *p = curproc;
1048 int error;
1049 char logintmp[MAXLOGNAME];
1050
1051 KKASSERT(p != NULL);
1052 if ((error = suser_cred(p->p_ucred, PRISON_ROOT)))
1053 return (error);
1054 error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
1055 sizeof(logintmp), (size_t *)0);
1056 if (error == ENAMETOOLONG)
1057 error = EINVAL;
1058 else if (!error)
1059 (void) memcpy(p->p_pgrp->pg_session->s_login, logintmp,
1060 sizeof(logintmp));
1061 return (error);
1062 }
1063
1064 void
1065 setsugid(void)
1066 {
1067 struct proc *p = curproc;
1068
1069 KKASSERT(p != NULL);
1070 p->p_flag |= P_SUGID;
1071 if (!(p->p_pfsflags & PF_ISUGID))
1072 p->p_stops = 0;
1073 }
1074
1075 /*
1076 * Helper function to change the effective uid of a process
1077 */
1078 void
1079 change_euid(uid_t euid)
1080 {
1081 struct proc *p = curproc;
1082 struct ucred *cr;
1083
1084 KKASSERT(p != NULL);
1085 lf_count_adjust(p, 0);
1086 cr = cratom(&p->p_ucred);
1087 cr->cr_uid = euid;
1088 uireplace(&cr->cr_uidinfo, uifind(euid));
1089 lf_count_adjust(p, 1);
1090 }
1091
1092 /*
1093 * Helper function to change the real uid of a process
1094 *
1095 * The per-uid process count for this process is transfered from
1096 * the old uid to the new uid.
1097 */
1098 void
1099 change_ruid(uid_t ruid)
1100 {
1101 struct proc *p = curproc;
1102 struct ucred *cr;
1103
1104 KKASSERT(p != NULL);
1105
1106 cr = cratom(&p->p_ucred);
1107 (void)chgproccnt(cr->cr_ruidinfo, -1, 0);
1108 /* It is assumed that pcred is not shared between processes */
1109 cr->cr_ruid = ruid;
1110 uireplace(&cr->cr_ruidinfo, uifind(ruid));
1111 (void)chgproccnt(cr->cr_ruidinfo, 1, 0);
1112 }
MP support for (parts of) the network stack