1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
5 * The Regents of the University of California.
6 * (c) UNIX System Laboratories, Inc.
7 * Copyright (c) 2000-2001 Robert N. M. Watson.
8 * All rights reserved.
9 *
10 * All or some portions of this file are derived from material licensed
11 * to the University of California by American Telephone and Telegraph
12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
13 * the permission of UNIX System Laboratories, Inc.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the University nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
40 */
41
42 /*
43 * System calls related to processes and protection
44 */
45
46 #include <sys/cdefs.h>
47 #include "opt_inet.h"
48 #include "opt_inet6.h"
49
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/acct.h>
53 #include <sys/kdb.h>
54 #include <sys/kernel.h>
55 #include <sys/libkern.h>
56 #include <sys/lock.h>
57 #include <sys/loginclass.h>
58 #include <sys/malloc.h>
59 #include <sys/mutex.h>
60 #include <sys/ptrace.h>
61 #include <sys/refcount.h>
62 #include <sys/sx.h>
63 #include <sys/priv.h>
64 #include <sys/proc.h>
65 #ifdef COMPAT_43
66 #include <sys/sysent.h>
67 #endif
68 #include <sys/sysproto.h>
69 #include <sys/jail.h>
70 #include <sys/racct.h>
71 #include <sys/rctl.h>
72 #include <sys/resourcevar.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/syscallsubr.h>
76 #include <sys/sysctl.h>
77
78 #ifdef REGRESSION
79 FEATURE(regression,
80 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
81 #endif
82
83 #include <security/audit/audit.h>
84 #include <security/mac/mac_framework.h>
85
86 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
87
88 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
89 "BSD security policy");
90
91 static void crfree_final(struct ucred *cr);
92
/*
 * Assert that a group count is a usable credential group-vector length.
 *
 * A ucred always carries at least one entry because cr_groups[0] holds the
 * effective GID (see sys_getegid()), so zero is rejected as well as negative
 * values.  This is a debugging assertion (MPASS2), not input validation:
 * counts coming from userland must be range-checked by the caller first, as
 * sys_setgroups() and kern_setgroups() do.
 */
static inline void
groups_check_positive_len(int ngrp)
{
	MPASS2(ngrp >= 0, "negative number of groups");
	MPASS2(ngrp != 0, "at least one group expected (effective GID)");
}
/*
 * Assert that a group count fits in a credential: ngroups_max supplementary
 * groups plus the one slot cr_groups[0] reserves for the effective GID.
 * Debugging assertion only; the same bound is enforced on user input with a
 * real EINVAL check in sys_setgroups() and kern_setgroups().
 */
static inline void
groups_check_max_len(int ngrp)
{
	MPASS2(ngrp <= ngroups_max + 1, "too many groups");
}
104
105 static void groups_normalize(int *ngrp, gid_t *groups);
106 static void crsetgroups_internal(struct ucred *cr, int ngrp,
107 const gid_t *groups);
108
#ifndef _SYS_SYSPROTO_H_
struct getpid_args {
	int dummy;
};
#endif
/*
 * getpid(2): return the calling process's PID.
 *
 * a.out (COMPAT_43) binaries additionally get the parent PID in the second
 * return register, preserving the historical two-value return of getpid().
 * No locking is needed: p_pid is immutable for the life of the process.
 */
/* ARGSUSED */
int
sys_getpid(struct thread *td, struct getpid_args *uap)
{
	struct proc *const proc = td->td_proc;

	td->td_retval[0] = proc->p_pid;
#if defined(COMPAT_43)
	if (SV_PROC_FLAG(proc, SV_AOUT))
		td->td_retval[1] = kern_getppid(td);
#endif
	return (0);
}
127
#ifndef _SYS_SYSPROTO_H_
struct getppid_args {
	int dummy;
};
#endif
/*
 * getppid(2): thin syscall wrapper that returns kern_getppid() for the
 * caller in td_retval[0].  Cannot fail.
 */
/* ARGSUSED */
int
sys_getppid(struct thread *td, struct getppid_args *uap)
{
	const pid_t ppid = kern_getppid(td);

	td->td_retval[0] = ppid;
	return (0);
}
141
/*
 * Return the parent PID of the calling thread's process, as recorded in
 * p_oppid.  This reads a single field of the caller's own proc without
 * taking the proc lock.
 *
 * NOTE(review): p_oppid is the "original" parent pid rather than p_pptr's
 * pid; presumably this is what keeps getppid() stable while the process is
 * being traced -- confirm against where p_oppid is maintained.
 */
int
kern_getppid(struct thread *td)
{
	return (td->td_proc->p_oppid);
}
149
/*
 * getpgrp(2): return the caller's own process group ID.
 *
 * POSIX getpgrp() takes no argument; getpgid(2) is the form that can query
 * another process.  The proc lock is held while p_pgrp is dereferenced so
 * the group cannot be swapped out from under us.
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgrp_args {
	int dummy;
};
#endif
int
sys_getpgrp(struct thread *td, struct getpgrp_args *uap)
{
	struct proc *const proc = td->td_proc;
	pid_t pgid;

	PROC_LOCK(proc);
	pgid = proc->p_pgrp->pg_id;
	PROC_UNLOCK(proc);

	td->td_retval[0] = pgid;
	return (0);
}
168
/*
 * getpgid(2): return the process group ID of the process named by 'pid',
 * or of the caller when pid is 0.
 *
 * A foreign process is looked up with pfind(), which returns it locked or
 * NULL (ESRCH).  Before anything about it is disclosed the caller must pass
 * p_cansee(), the kernel's process-visibility policy (defined elsewhere);
 * its error is returned in place of the group ID, so a process the caller
 * may not see yields an error rather than a group ID.
 */
#ifndef _SYS_SYSPROTO_H_
struct getpgid_args {
	pid_t pid;
};
#endif
int
sys_getpgid(struct thread *td, struct getpgid_args *uap)
{
	struct proc *target;
	int error;

	if (uap->pid != 0) {
		target = pfind(uap->pid);
		if (target == NULL)
			return (ESRCH);
		error = p_cansee(td, target);
		if (error != 0) {
			PROC_UNLOCK(target);
			return (error);
		}
	} else {
		target = td->td_proc;
		PROC_LOCK(target);
	}

	td->td_retval[0] = target->p_pgrp->pg_id;
	PROC_UNLOCK(target);
	return (0);
}
198
/*
 * getsid(2): syscall entry point; all of the work, including the
 * p_cansee() visibility check for foreign processes, is in kern_getsid().
 */
#ifndef _SYS_SYSPROTO_H_
struct getsid_args {
	pid_t pid;
};
#endif
int
sys_getsid(struct thread *td, struct getsid_args *uap)
{
	const pid_t pid = uap->pid;

	return (kern_getsid(td, pid));
}
213
/*
 * Return the session ID of the process named by 'pid' (0 means the caller)
 * in td_retval[0].
 *
 * Returns ESRCH if pfind() finds no such process, or whatever p_cansee()
 * returns if the caller is not allowed to see the target.  pfind() hands
 * back the process locked, and the lock is held until s_sid has been read.
 */
int
kern_getsid(struct thread *td, pid_t pid)
{
	struct proc *target;
	int error;

	if (pid == 0) {
		target = td->td_proc;
		PROC_LOCK(target);
	} else if ((target = pfind(pid)) == NULL) {
		return (ESRCH);
	} else if ((error = p_cansee(td, target)) != 0) {
		PROC_UNLOCK(target);
		return (error);
	}

	td->td_retval[0] = target->p_session->s_sid;
	PROC_UNLOCK(target);
	return (0);
}
237
#ifndef _SYS_SYSPROTO_H_
struct getuid_args {
	int dummy;
};
#endif
/*
 * getuid(2): return the real UID.  COMPAT_43 callers also get the effective
 * UID in the second return register.  Like the other credential getters in
 * this file it reads td_ucred without locking.
 */
/* ARGSUSED */
int
sys_getuid(struct thread *td, struct getuid_args *uap)
{
	const struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_ruid;
#if defined(COMPAT_43)
	td->td_retval[1] = cred->cr_uid;
#endif
	return (0);
}
254
#ifndef _SYS_SYSPROTO_H_
struct geteuid_args {
	int dummy;
};
#endif
/*
 * geteuid(2): return the effective UID (cr_uid) of the calling thread's
 * credential.  Cannot fail.
 */
/* ARGSUSED */
int
sys_geteuid(struct thread *td, struct geteuid_args *uap)
{
	const struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_uid;
	return (0);
}
268
#ifndef _SYS_SYSPROTO_H_
struct getgid_args {
	int dummy;
};
#endif
/*
 * getgid(2): return the real GID.  COMPAT_43 callers also get the effective
 * GID, which this kernel keeps in cr_groups[0], in the second return
 * register.
 */
/* ARGSUSED */
int
sys_getgid(struct thread *td, struct getgid_args *uap)
{
	const struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_rgid;
#if defined(COMPAT_43)
	td->td_retval[1] = cred->cr_groups[0];
#endif
	return (0);
}
285
/*
 * getegid(2): return the effective GID.
 *
 * The effective GID lives in cr_groups[0] and is therefore also visible via
 * getgroups(2); a dedicated syscall exists because recovering it correctly
 * from the groups vector in a library routine is awkward.
 */
#ifndef _SYS_SYSPROTO_H_
struct getegid_args {
	int dummy;
};
#endif
/* ARGSUSED */
int
sys_getegid(struct thread *td, struct getegid_args *uap)
{
	const struct ucred *cred = td->td_ucred;

	td->td_retval[0] = cred->cr_groups[0];
	return (0);
}
304
#ifndef _SYS_SYSPROTO_H_
struct getgroups_args {
	int gidsetsize;
	gid_t *gidset;
};
#endif
/*
 * getgroups(2): copy the caller's group vector (cr_groups[0] is the
 * effective GID) to userland.
 *
 * gidsetsize == 0 is the POSIX "how many do I need" query: nothing is
 * copied and the count is returned.  Any other size smaller than the
 * current count -- which includes negative sizes, since the count is at
 * least 1 -- fails with EINVAL before copyout() is attempted.  The count is
 * returned in td_retval[0] on every non-EINVAL path, even if copyout()
 * failed.
 */
int
sys_getgroups(struct thread *td, struct getgroups_args *uap)
{
	struct ucred *cred = td->td_ucred;
	const int ngrp = cred->cr_ngroups;
	int error = 0;

	if (uap->gidsetsize != 0) {
		if (uap->gidsetsize < ngrp)
			return (EINVAL);
		error = copyout(cred->cr_groups, uap->gidset,
		    ngrp * sizeof(gid_t));
	}

	td->td_retval[0] = ngrp;
	return (error);
}
332
#ifndef _SYS_SYSPROTO_H_
struct setsid_args {
	int dummy;
};
#endif
/*
 * setsid(2): make the caller the leader of a new session and of a new
 * process group whose ID is its own PID; that PID is returned in
 * td_retval[0].
 *
 * EPERM if the caller already leads a process group (p_pgid == p_pid) or if
 * any process group with the caller's PID already exists (pgfind()).
 *
 * The pgrp and session are allocated with M_WAITOK before proctree_lock is
 * taken so that no allocation sleeps under the lock.  Whichever of the two
 * enterpgrp() did not take ownership of is released at the end; the code
 * relies on uma_zfree() and free() accepting NULL for the consumed ones.
 * enterpgrp() may return ERESTART, in which case everything is redone from
 * 'again:'.  Since that path re-acquires proctree_lock, enterpgrp() is
 * presumably expected to have released it before returning ERESTART --
 * confirm against kern_proc.c.
 */
/* ARGSUSED */
int
sys_setsid(struct thread *td, struct setsid_args *uap)
{
	struct pgrp *pgrp;
	int error;
	struct proc *p = td->td_proc;
	struct pgrp *newpgrp;
	struct session *newsess;

	pgrp = NULL;

	newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);
	newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);

again:
	error = 0;
	sx_xlock(&proctree_lock);

	if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
		/* pgfind() returns the group locked; release it before failing. */
		if (pgrp != NULL)
			PGRP_UNLOCK(pgrp);
		error = EPERM;
	} else {
		error = enterpgrp(p, p->p_pid, newpgrp, newsess);
		if (error == ERESTART)
			goto again;
		MPASS(error == 0);
		td->td_retval[0] = p->p_pid;
		/* Both allocations now belong to the new session/pgrp. */
		newpgrp = NULL;
		newsess = NULL;
	}

	sx_xunlock(&proctree_lock);

	uma_zfree(pgrp_zone, newpgrp);
	free(newsess, M_SESSION);

	return (error);
}
378
/*
 * set process group (setpgid/old setpgrp)
 *
 * caller does setpgid(targpid, targpgid)
 *
 * pid must be caller or child of caller (ESRCH)
 *  if a child
 *	pid must be in same session (EPERM)
 *	pid can't have done an exec (EACCES)
 * if pgid != pid
 *	there must exist some pid in same session having pgid (EPERM)
 * pid must not be session leader (EPERM)
 *
 * Implementation notes:
 *  - A negative pgid is rejected with EINVAL before any lookup; pgid == 0
 *    is rewritten in place (uap->pgid) to mean the target's own PID.
 *  - "No such process" and "not a descendant" (inferior()) both yield ESRCH,
 *    so the caller cannot distinguish the two; p_cansee() runs only after
 *    that and its error is passed through unchanged.
 *  - proctree_lock is held exclusively from 'again:' through the unlock
 *    after 'done:'.  The target's own proc lock, taken by pfind(), is
 *    dropped once the per-process checks are done, presumably because the
 *    pgrp/session linkage is covered by proctree_lock.
 *  - pgfind() returns the group locked; it is unlocked before
 *    enterthispgrp() is called.
 *  - A pgrp is preallocated before locking and is consumed only when
 *    enterpgrp() creates a new group led by the target; on every other path
 *    it is freed at the end.  The KASSERT at 'done:' verifies it was not
 *    consumed on a failing path.
 *  - enterpgrp()/enterthispgrp() may return ERESTART, in which case the
 *    whole operation is retried from 'again:'.  That path re-acquires
 *    proctree_lock, so those helpers are presumably expected to have
 *    released it before returning ERESTART -- confirm against kern_proc.c.
 */
#ifndef _SYS_SYSPROTO_H_
struct setpgid_args {
	int	pid;		/* target process id */
	int	pgid;		/* target pgrp id */
};
#endif
/* ARGSUSED */
int
sys_setpgid(struct thread *td, struct setpgid_args *uap)
{
	struct proc *curp = td->td_proc;
	struct proc *targp;	/* target process */
	struct pgrp *pgrp;	/* target pgrp */
	int error;
	struct pgrp *newpgrp;

	if (uap->pgid < 0)
		return (EINVAL);

	newpgrp = uma_zalloc(pgrp_zone, M_WAITOK);

again:
	error = 0;

	sx_xlock(&proctree_lock);
	if (uap->pid != 0 && uap->pid != curp->p_pid) {
		if ((targp = pfind(uap->pid)) == NULL) {
			error = ESRCH;
			goto done;
		}
		if (!inferior(targp)) {
			PROC_UNLOCK(targp);
			error = ESRCH;
			goto done;
		}
		if ((error = p_cansee(td, targp))) {
			PROC_UNLOCK(targp);
			goto done;
		}
		if (targp->p_pgrp == NULL ||
		    targp->p_session != curp->p_session) {
			PROC_UNLOCK(targp);
			error = EPERM;
			goto done;
		}
		/* A child that has exec'd may no longer be moved (POSIX). */
		if (targp->p_flag & P_EXEC) {
			PROC_UNLOCK(targp);
			error = EACCES;
			goto done;
		}
		PROC_UNLOCK(targp);
	} else
		targp = curp;
	if (SESS_LEADER(targp)) {
		error = EPERM;
		goto done;
	}
	if (uap->pgid == 0)
		uap->pgid = targp->p_pid;
	if ((pgrp = pgfind(uap->pgid)) == NULL) {
		/* Only a group led by the target itself may be created. */
		if (uap->pgid == targp->p_pid) {
			error = enterpgrp(targp, uap->pgid, newpgrp,
			    NULL);
			if (error == 0)
				newpgrp = NULL;
		} else
			error = EPERM;
	} else {
		/* Already a member: nothing to do (error stays 0). */
		if (pgrp == targp->p_pgrp) {
			PGRP_UNLOCK(pgrp);
			goto done;
		}
		/* The existing group must be in the caller's session. */
		if (pgrp->pg_id != targp->p_pid &&
		    pgrp->pg_session != curp->p_session) {
			PGRP_UNLOCK(pgrp);
			error = EPERM;
			goto done;
		}
		PGRP_UNLOCK(pgrp);
		error = enterthispgrp(targp, pgrp);
	}
done:
	KASSERT(error == 0 || newpgrp != NULL,
	    ("setpgid failed and newpgrp is NULL"));
	if (error == ERESTART)
		goto again;
	sx_xunlock(&proctree_lock);
	uma_zfree(pgrp_zone, newpgrp);
	return (error);
}
482
483 /*
484 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
485 * compatible. It says that setting the uid/gid to euid/egid is a special
486 * case of "appropriate privilege". Once the rules are expanded out, this
487 * basically means that setuid(nnn) sets all three id's, in all permitted
488 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
489 * does not set the saved id - this is dangerous for traditional BSD
490 * programs. For this reason, we *really* do not want to set
491 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
492 */
493 #define POSIX_APPENDIX_B_4_2_2
494
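#ifndef _SYS_SYSPROTO_H_
struct setuid_args {
	uid_t	uid;
};
#endif
/*
 * setuid(2): set the real, effective and saved UIDs of the calling process.
 *
 * Access control, in order:
 *   1. MAC: mac_cred_check_setuid() may veto the change outright.
 *   2. POSIX/BSD rule: no privilege is needed when 'uid' equals the real
 *      UID, (with _POSIX_SAVED_IDS) the saved UID, or (with
 *      POSIX_APPENDIX_B_4_2_2, defined unconditionally above) the effective
 *      UID; any other value requires PRIV_CRED_SETUID.
 * In every permitted case the effective UID is set; in the default build
 * (no _POSIX_SAVED_IDS) the real and saved UIDs are set as well, which is
 * what makes setuid(2) an irrevocable privilege drop for a setuid-root
 * program (see the B.4.2.2 discussion above).  Each ID that actually changes
 * marks the process via setsugid().
 *
 * Ownership/locking: newcred and the uidinfo for 'uid' are obtained before
 * PROC_LOCK (presumably because both may allocate and sleep).  crcopysafe()
 * snapshots the current cred into newcred and returns the old one, which
 * still belongs to the process: on failure only newcred and the uidinfo are
 * released, while on success the old cred is dropped only after
 * proc_set_cred() has installed the new one.  uifree(uip) is called on both
 * paths, so change_ruid()/change_euid() must take their own references --
 * confirm against their definitions.
 *
 * Resource accounting: racct is notified under PROC_LOCK; rctl must be
 * notified after the unlock, so an extra reference keeps newcred alive
 * across it.  That hold is taken under RCTL, the only consumer that drops
 * it again; the original took it under RACCT, which left it unbalanced
 * (a leaked cred reference per successful call) in a kernel configured
 * with RACCT but without RCTL.
 */
/* ARGSUSED */
int
sys_setuid(struct thread *td, struct setuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t uid;
	struct uidinfo *uip;
	int error;

	uid = uap->uid;
	AUDIT_ARG_UID(uid);
	newcred = crget();
	uip = uifind(uid);
	PROC_LOCK(p);
	/*
	 * Copy credentials so other references do not see our changes.
	 */
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setuid(oldcred, uid);
	if (error)
		goto fail;
#endif

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setuid(geteuid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setuid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * Notes on the logic.  We do things in three steps.
	 * 1: We determine if the euid is going to change, and do EPERM
	 *    right away.  We unconditionally change the euid later if this
	 *    test is satisfied, simplifying that part of the logic.
	 * 2: We determine if the real and/or saved uids are going to
	 *    change.  Determined by compile options.
	 * 3: Change euid last. (after tests in #2 for "appropriate privs")
	 */
	if (uid != oldcred->cr_ruid &&		/* allow setuid(getuid()) */
#ifdef _POSIX_SAVED_IDS
	    uid != oldcred->cr_svuid &&		/* allow setuid(saved gid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    uid != oldcred->cr_uid &&		/* allow setuid(geteuid()) */
#endif
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0)
		goto fail;

#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or uid == euid)
	 * If so, we are changing the real uid and/or saved uid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
	    uid == oldcred->cr_uid ||
#endif
	    /* We are using privs. */
	    priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0)
#endif
	{
		/*
		 * Set the real uid.
		 */
		if (uid != oldcred->cr_ruid) {
			change_ruid(newcred, uip);
			setsugid(p);
		}
		/*
		 * Set saved uid
		 *
		 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
		 * the security of seteuid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (uid != oldcred->cr_svuid) {
			change_svuid(newcred, uid);
			setsugid(p);
		}
	}

	/*
	 * In all permitted cases, we are changing the euid.
	 */
	if (uid != oldcred->cr_uid) {
		change_euid(newcred, uip);
		setsugid(p);
	}
	/*
	 * This also transfers the proc count to the new user.
	 */
	proc_set_cred(p, newcred);
#ifdef RACCT
	racct_proc_ucred_changed(p, oldcred, newcred);
#endif
#ifdef RCTL
	/*
	 * Keep newcred alive across PROC_UNLOCK for the rctl call below;
	 * paired with the crfree() there.
	 */
	crhold(newcred);
#endif
	PROC_UNLOCK(p);
#ifdef RCTL
	rctl_proc_ucred_changed(p, newcred);
	crfree(newcred);
#endif
	uifree(uip);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	uifree(uip);
	crfree(newcred);
	return (error);
}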
616
#ifndef _SYS_SYSPROTO_H_
struct seteuid_args {
	uid_t	euid;
};
#endif
/*
 * seteuid(2): set only the effective UID.
 *
 * Permitted without privilege when 'euid' is the current real or saved UID
 * -- the mechanism by which a setuid program toggles its privilege on and
 * off -- and otherwise requires PRIV_CRED_SETEUID.  MAC is consulted first
 * and may veto either case.  The real and saved UIDs are left alone, and
 * unlike setuid()/setreuid()/setresuid() no racct/rctl notification is made.
 *
 * The uidinfo for the new effective UID is looked up before PROC_LOCK and
 * handed to change_euid().  On failure the old cred is left untouched (it
 * is still the process's cred) and only newcred is released; on success
 * the old cred is dropped after proc_set_cred().  uifree(euip) runs on both
 * paths, so change_euid() presumably takes its own reference -- confirm.
 */
/* ARGSUSED */
int
sys_seteuid(struct thread *td, struct seteuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid;
	struct uidinfo *euip;
	int error;

	euid = uap->euid;
	AUDIT_ARG_EUID(euid);
	newcred = crget();
	euip = uifind(euid);
	PROC_LOCK(p);
	/*
	 * Copy credentials so other references do not see our changes.
	 */
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_seteuid(oldcred, euid);
	if (error)
		goto fail;
#endif

	if (euid != oldcred->cr_ruid &&		/* allow seteuid(getuid()) */
	    euid != oldcred->cr_svuid &&	/* allow seteuid(saved uid) */
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0)
		goto fail;

	/*
	 * Everything's okay, do it.
	 */
	if (oldcred->cr_uid != euid) {
		change_euid(newcred, euip);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	uifree(euip);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	uifree(euip);
	crfree(newcred);
	return (error);
}
672
#ifndef _SYS_SYSPROTO_H_
struct setgid_args {
	gid_t	gid;
};
#endif
/*
 * setgid(2): set the real, effective and saved GIDs of the calling process.
 *
 * The effective GID is cr_groups[0].  The access-control structure mirrors
 * setuid(): MAC first, then the POSIX/BSD rule that no privilege is needed
 * when 'gid' equals the real GID, (with _POSIX_SAVED_IDS) the saved GID, or
 * (with POSIX_APPENDIX_B_4_2_2) the effective GID, and PRIV_CRED_SETGID
 * otherwise.  In the default build all three GIDs are set.  Supplementary
 * groups (cr_groups[1..]) are not touched; see setgroups(2).  No racct/rctl
 * notification is made for GID changes.
 *
 * On failure the old cred is still the process's and only newcred is
 * released; on success the old cred is dropped after proc_set_cred().
 */
/* ARGSUSED */
int
sys_setgid(struct thread *td, struct setgid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t gid;
	int error;

	gid = uap->gid;
	AUDIT_ARG_GID(gid);
	newcred = crget();
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setgid(oldcred, gid);
	if (error)
		goto fail;
#endif

	/*
	 * See if we have "permission" by POSIX 1003.1 rules.
	 *
	 * Note that setgid(getegid()) is a special case of
	 * "appropriate privileges" in appendix B.4.2.2.  We need
	 * to use this clause to be compatible with traditional BSD
	 * semantics.  Basically, it means that "setgid(xx)" sets all
	 * three id's (assuming you have privs).
	 *
	 * For notes on the logic here, see setuid() above.
	 */
	if (gid != oldcred->cr_rgid &&		/* allow setgid(getgid()) */
#ifdef _POSIX_SAVED_IDS
	    gid != oldcred->cr_svgid &&		/* allow setgid(saved gid) */
#endif
#ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
	    gid != oldcred->cr_groups[0] &&	/* allow setgid(getegid()) */
#endif
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0)
		goto fail;

#ifdef _POSIX_SAVED_IDS
	/*
	 * Do we have "appropriate privileges" (are we root or gid == egid)
	 * If so, we are changing the real gid and saved gid.
	 */
	if (
#ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
	    gid == oldcred->cr_groups[0] ||
#endif
	    /* We are using privs. */
	    priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0)
#endif
	{
		/*
		 * Set real gid
		 */
		if (oldcred->cr_rgid != gid) {
			change_rgid(newcred, gid);
			setsugid(p);
		}
		/*
		 * Set saved gid
		 *
		 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
		 * the security of setegid() depends on it.  B.4.2.2 says it
		 * is important that we should do this.
		 */
		if (oldcred->cr_svgid != gid) {
			change_svgid(newcred, gid);
			setsugid(p);
		}
	}
	/*
	 * In all permitted cases, we are changing the egid (the credential
	 * copy was already made by crcopysafe() above).
	 */
	if (oldcred->cr_groups[0] != gid) {
		change_egid(newcred, gid);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	crfree(newcred);
	return (error);
}
770
#ifndef _SYS_SYSPROTO_H_
struct setegid_args {
	gid_t	egid;
};
#endif
/*
 * setegid(2): set only the effective GID (cr_groups[0]).
 *
 * Permitted without privilege when 'egid' is the current real or saved
 * GID; otherwise PRIV_CRED_SETEGID is required.  MAC is consulted first.
 * Real and saved GIDs, and supplementary groups, are left alone.
 *
 * On failure only newcred is released (the old cred is still the
 * process's); on success the old cred is dropped after proc_set_cred().
 */
/* ARGSUSED */
int
sys_setegid(struct thread *td, struct setegid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid;
	int error;

	egid = uap->egid;
	AUDIT_ARG_EGID(egid);
	newcred = crget();
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setegid(oldcred, egid);
	if (error)
		goto fail;
#endif

	if (egid != oldcred->cr_rgid &&		/* allow setegid(getgid()) */
	    egid != oldcred->cr_svgid &&	/* allow setegid(saved gid) */
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0)
		goto fail;

	if (oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	crfree(newcred);
	return (error);
}
816
#ifndef _SYS_SYSPROTO_H_
struct setgroups_args {
	int	gidsetsize;
	gid_t	*gidset;
};
#endif
/*
 * setgroups(2): copy the caller's group vector in from userland and hand
 * it to kern_setgroups(), which does the privilege checks and installs it.
 *
 * 'gidsetsize' is range-checked here, before it sizes a copyin() or an
 * allocation, even though kern_setgroups() checks it again: it must be in
 * [0, ngroups_max + 1] (one slot for the effective GID).  Negative sizes
 * are a concern only because POSIX made the getgroups() count an 'int' and
 * setgroups() follows suit for symmetry.
 *
 * Vectors of up to CRED_SMALLGROUPS_NB entries use a stack buffer; larger
 * ones are heap-allocated and freed before returning.
 */
/* ARGSUSED */
int
sys_setgroups(struct thread *td, struct setgroups_args *uap)
{
	gid_t smallgroups[CRED_SMALLGROUPS_NB];
	gid_t *groups;
	int gidsetsize, error;

	gidsetsize = uap->gidsetsize;
	if (gidsetsize < 0 || gidsetsize > ngroups_max + 1)
		return (EINVAL);

	groups = gidsetsize > CRED_SMALLGROUPS_NB ?
	    malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK) :
	    smallgroups;

	error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t));
	if (error == 0)
		error = kern_setgroups(td, &gidsetsize, groups);

	if (groups != smallgroups)
		free(groups, M_TEMP);
	return (error);
}
857
/*
 * qsort(3)-style comparator for gid_t values: -1, 0 or 1 as *p1 is less
 * than, equal to or greater than *p2.  Compares as gid_t (unsigned), so
 * (gid_t)-1 sorts last.  Used when normalizing a group vector.
 */
static int
gidp_cmp(const void *p1, const void *p2)
{
	const gid_t a = *(const gid_t *)p1;
	const gid_t b = *(const gid_t *)p2;

	if (a < b)
		return (-1);
	return (a > b ? 1 : 0);
}
866
/*
 * Install a new group vector for the calling process.
 *
 * 'groups' holds '*ngrpp' GIDs, groups[0] being the effective GID.  The
 * count must be in [0, ngroups_max + 1] or EINVAL is returned before
 * anything is touched.  A count of 0 is special: the vector is reduced to
 * just the current effective GID (see the comment below).
 *
 * CAUTION: This function normalizes 'groups', possibly also changing the value
 * of '*ngrpp' as a consequence.
 *
 * Ordering notes:
 *  - The audit argument is recorded from the caller-supplied vector before
 *    normalization, so the audit trail reflects what was requested.
 *  - crextend() grows newcred's group storage before PROC_LOCK (presumably
 *    because it may allocate), so nothing allocates with the proc locked.
 *  - MAC is consulted first; PRIV_CRED_SETGROUPS is then required
 *    unconditionally -- unlike the set*id() calls there is no exemption for
 *    re-setting the current value.
 *  - setsugid() is called on every successful call, even if the resulting
 *    vector is identical to the old one.
 *  - Only newcred is released on failure; the old cred remains the
 *    process's and is dropped on success after proc_set_cred().
 */
int
kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	int ngrp, error;

	ngrp = *ngrpp;
	/* Sanity check size. */
	if (ngrp < 0 || ngrp > ngroups_max + 1)
		return (EINVAL);

	AUDIT_ARG_GROUPSET(groups, ngrp);
	if (ngrp != 0) {
		/* We allow and treat 0 specially below. */
		groups_normalize(ngrpp, groups);
		ngrp = *ngrpp;
	}
	newcred = crget();
	if (ngrp != 0)
		crextend(newcred, ngrp);
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = ngrp == 0 ?
	    /* If 'ngrp' is 0, we'll keep just the current effective GID. */
	    mac_cred_check_setgroups(oldcred, 1, oldcred->cr_groups) :
	    mac_cred_check_setgroups(oldcred, ngrp, groups);
	if (error)
		goto fail;
#endif

	error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS);
	if (error)
		goto fail;

	if (ngrp == 0) {
		/*
		 * setgroups(0, NULL) is a legitimate way of clearing the
		 * groups vector on non-BSD systems (which generally do not
		 * have the egid in the groups[0]).  We risk security holes
		 * when running non-BSD software if we do not do the same.
		 *
		 * newcred already holds a copy of cr_groups[0] (the
		 * effective GID) from crcopysafe(); only the count shrinks.
		 */
		newcred->cr_ngroups = 1;
	} else
		crsetgroups_internal(newcred, ngrp, groups);

	setsugid(p);
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	crfree(newcred);
	return (error);
}
930
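#ifndef _SYS_SYSPROTO_H_
struct setreuid_args {
	uid_t	ruid;
	uid_t	euid;
};
#endif
/*
 * setreuid(2): set the real and/or effective UID; (uid_t)-1 leaves the
 * corresponding ID unchanged.
 *
 * Without privilege the real UID may only be set to the current real or
 * saved UID, and the effective UID to the current effective, real or saved
 * UID; anything else requires PRIV_CRED_SETREUID.  MAC is consulted first.
 *
 * The saved UID is then re-derived BSD-style: it is set to the new
 * effective UID whenever a real UID was given explicitly or the new
 * effective and real UIDs differ.  That is what makes setreuid(uid, uid) a
 * real privilege drop rather than a temporary switch; setresuid(2) gives
 * explicit control over the saved UID.  Each ID that actually changes marks
 * the process via setsugid().
 *
 * Ownership/locking follow setuid(): uidinfo for both IDs is looked up
 * before PROC_LOCK, and on failure only newcred and the uidinfos are
 * released since the old cred still belongs to the process.  uifree() runs
 * for both uidinfos on both paths, so change_ruid()/change_euid() must take
 * their own references -- confirm against their definitions.
 *
 * Resource accounting: racct is notified under PROC_LOCK, rctl after the
 * unlock, with an extra reference keeping newcred alive in between.  That
 * hold is taken under RCTL so it is always paired with the crfree() there;
 * the original took it under RACCT, leaving it unbalanced (a leaked cred
 * reference per call) in a kernel configured with RACCT but without RCTL.
 */
/* ARGSUSED */
int
sys_setreuid(struct thread *td, struct setreuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid, ruid;
	struct uidinfo *euip, *ruip;
	int error;

	euid = uap->euid;
	ruid = uap->ruid;
	AUDIT_ARG_EUID(euid);
	AUDIT_ARG_RUID(ruid);
	newcred = crget();
	euip = uifind(euid);
	ruip = uifind(ruid);
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setreuid(oldcred, ruid, euid);
	if (error)
		goto fail;
#endif

	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
	      ruid != oldcred->cr_svuid) ||
	     (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
	      euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0)
		goto fail;

	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
		change_euid(newcred, euip);
		setsugid(p);
	}
	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
		change_ruid(newcred, ruip);
		setsugid(p);
	}
	/* Saved UID tracks the new effective UID (see header comment). */
	if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
	    newcred->cr_svuid != newcred->cr_uid) {
		change_svuid(newcred, newcred->cr_uid);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
#ifdef RACCT
	racct_proc_ucred_changed(p, oldcred, newcred);
#endif
#ifdef RCTL
	/*
	 * Keep newcred alive across PROC_UNLOCK for the rctl call below;
	 * paired with the crfree() there.
	 */
	crhold(newcred);
#endif
	PROC_UNLOCK(p);
#ifdef RCTL
	rctl_proc_ucred_changed(p, newcred);
	crfree(newcred);
#endif
	uifree(ruip);
	uifree(euip);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	uifree(ruip);
	uifree(euip);
	crfree(newcred);
	return (error);
}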
1005
#ifndef _SYS_SYSPROTO_H_
struct setregid_args {
	gid_t	rgid;
	gid_t	egid;
};
#endif
/*
 * setregid(2): set the real and/or effective GID; (gid_t)-1 leaves the
 * corresponding ID unchanged.  The effective GID is cr_groups[0].
 *
 * Without privilege the real GID may only be set to the current real or
 * saved GID, and the effective GID to the current effective, real or saved
 * GID; anything else requires PRIV_CRED_SETREGID.  MAC is consulted first.
 *
 * The saved GID is then re-derived as in setreuid(): it follows the new
 * effective GID whenever a real GID was given explicitly or the new
 * effective and real GIDs differ.  Supplementary groups are untouched and
 * no racct/rctl notification is made for GID changes.
 *
 * On failure only newcred is released (the old cred is still the
 * process's); on success the old cred is dropped after proc_set_cred().
 */
/* ARGSUSED */
int
sys_setregid(struct thread *td, struct setregid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid, rgid;
	int error;

	egid = uap->egid;
	rgid = uap->rgid;
	AUDIT_ARG_EGID(egid);
	AUDIT_ARG_RGID(rgid);
	newcred = crget();
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setregid(oldcred, rgid, egid);
	if (error)
		goto fail;
#endif

	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
	    rgid != oldcred->cr_svgid) ||
	     (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
	     egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0)
		goto fail;

	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
		change_rgid(newcred, rgid);
		setsugid(p);
	}
	/* Saved GID tracks the new effective GID (see header comment). */
	if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
	    newcred->cr_svgid != newcred->cr_groups[0]) {
		change_svgid(newcred, newcred->cr_groups[0]);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	crfree(newcred);
	return (error);
}
1065
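/*
 * setresuid(ruid, euid, suid) is like setreuid except control over the saved
 * uid is explicit.
 *
 * Each of the three may be (uid_t)-1 to leave that ID unchanged.  Without
 * privilege each ID being set must equal one of the current real, effective
 * or saved UIDs; any other value requires PRIV_CRED_SETRESUID.  MAC is
 * consulted first.  Unlike setreuid(), no implicit saved-UID update is
 * performed: the caller states exactly what it wants.  Each ID that actually
 * changes marks the process via setsugid().
 *
 * Ownership/locking follow setuid(): uidinfo for the real and effective
 * UIDs is looked up before PROC_LOCK (the saved UID needs none, since
 * change_svuid() takes a bare uid_t), and on failure only newcred and the
 * uidinfos are released since the old cred still belongs to the process.
 *
 * Resource accounting: racct is notified under PROC_LOCK, rctl after the
 * unlock, with an extra reference keeping newcred alive in between.  That
 * hold is taken under RCTL so it is always paired with the crfree() there;
 * the original took it under RACCT, leaving it unbalanced (a leaked cred
 * reference per call) in a kernel configured with RACCT but without RCTL.
 */
#ifndef _SYS_SYSPROTO_H_
struct setresuid_args {
	uid_t	ruid;
	uid_t	euid;
	uid_t	suid;
};
#endif
/* ARGSUSED */
int
sys_setresuid(struct thread *td, struct setresuid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	uid_t euid, ruid, suid;
	struct uidinfo *euip, *ruip;
	int error;

	euid = uap->euid;
	ruid = uap->ruid;
	suid = uap->suid;
	AUDIT_ARG_EUID(euid);
	AUDIT_ARG_RUID(ruid);
	AUDIT_ARG_SUID(suid);
	newcred = crget();
	euip = uifind(euid);
	ruip = uifind(ruid);
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
	if (error)
		goto fail;
#endif

	if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
	     ruid != oldcred->cr_svuid &&
	     ruid != oldcred->cr_uid) ||
	     (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
	     euid != oldcred->cr_svuid &&
	     euid != oldcred->cr_uid) ||
	     (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
	     suid != oldcred->cr_svuid &&
	     suid != oldcred->cr_uid)) &&
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0)
		goto fail;

	if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
		change_euid(newcred, euip);
		setsugid(p);
	}
	if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
		change_ruid(newcred, ruip);
		setsugid(p);
	}
	if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
		change_svuid(newcred, suid);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
#ifdef RACCT
	racct_proc_ucred_changed(p, oldcred, newcred);
#endif
#ifdef RCTL
	/*
	 * Keep newcred alive across PROC_UNLOCK for the rctl call below;
	 * paired with the crfree() there.
	 */
	crhold(newcred);
#endif
	PROC_UNLOCK(p);
#ifdef RCTL
	rctl_proc_ucred_changed(p, newcred);
	crfree(newcred);
#endif
	uifree(ruip);
	uifree(euip);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	uifree(ruip);
	uifree(euip);
	crfree(newcred);
	return (error);

}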
1152
/*
 * setresgid(rgid, egid, sgid) is like setregid except control over the saved
 * gid is explicit.
 *
 * Each of the three may be (gid_t)-1 to leave that ID unchanged.  Without
 * privilege each ID being set must equal one of the current real, effective
 * (cr_groups[0]) or saved GIDs; any other value requires
 * PRIV_CRED_SETRESGID.  MAC is consulted first.  No implicit saved-GID
 * update is performed, unlike setregid().  Supplementary groups are
 * untouched and no racct/rctl notification is made for GID changes.
 *
 * On failure only newcred is released (the old cred is still the
 * process's); on success the old cred is dropped after proc_set_cred().
 */
#ifndef _SYS_SYSPROTO_H_
struct setresgid_args {
	gid_t	rgid;
	gid_t	egid;
	gid_t	sgid;
};
#endif
/* ARGSUSED */
int
sys_setresgid(struct thread *td, struct setresgid_args *uap)
{
	struct proc *p = td->td_proc;
	struct ucred *newcred, *oldcred;
	gid_t egid, rgid, sgid;
	int error;

	egid = uap->egid;
	rgid = uap->rgid;
	sgid = uap->sgid;
	AUDIT_ARG_EGID(egid);
	AUDIT_ARG_RGID(rgid);
	AUDIT_ARG_SGID(sgid);
	newcred = crget();
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);

#ifdef MAC
	error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
	if (error)
		goto fail;
#endif

	if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
	      rgid != oldcred->cr_svgid &&
	      rgid != oldcred->cr_groups[0]) ||
	     (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
	      egid != oldcred->cr_svgid &&
	      egid != oldcred->cr_groups[0]) ||
	     (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
	      sgid != oldcred->cr_svgid &&
	      sgid != oldcred->cr_groups[0])) &&
	    (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0)
		goto fail;

	if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
		change_egid(newcred, egid);
		setsugid(p);
	}
	if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
		change_rgid(newcred, rgid);
		setsugid(p);
	}
	if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
		change_svgid(newcred, sgid);
		setsugid(p);
	}
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);

fail:
	PROC_UNLOCK(p);
	crfree(newcred);
	return (error);
}
1223
#ifndef _SYS_SYSPROTO_H_
/*
 * Argument block for getresuid(2).  Each member is a user-space pointer
 * that receives the corresponding uid; a NULL pointer is skipped
 * (see sys_getresuid()).
 */
struct getresuid_args {
	uid_t *ruid;	/* real uid destination */
	uid_t *euid;	/* effective uid destination */
	uid_t *suid;	/* saved uid destination */
};
#endif
1231 /* ARGSUSED */
/*
 * getresuid(2): copy the caller's real, effective and saved uids out to
 * the user pointers in uap.  A NULL pointer skips that id.
 *
 * Returns 0 on success, otherwise the first copyout() error in
 * ruid, euid, suid order; all three copies are still attempted.
 */
int
sys_getresuid(struct thread *td, struct getresuid_args *uap)
{
	struct ucred *cred = td->td_ucred;
	int err_r = 0, err_e = 0, err_s = 0;

	if (uap->ruid != NULL)
		err_r = copyout(&cred->cr_ruid, uap->ruid,
		    sizeof(cred->cr_ruid));
	if (uap->euid != NULL)
		err_e = copyout(&cred->cr_uid, uap->euid,
		    sizeof(cred->cr_uid));
	if (uap->suid != NULL)
		err_s = copyout(&cred->cr_svuid, uap->suid,
		    sizeof(cred->cr_svuid));

	/* Report the earliest failure. */
	if (err_r != 0)
		return (err_r);
	if (err_e != 0)
		return (err_e);
	return (err_s);
}
1250
#ifndef _SYS_SYSPROTO_H_
/*
 * Argument block for getresgid(2).  Each member is a user-space pointer
 * that receives the corresponding gid; a NULL pointer is skipped
 * (see sys_getresgid()).
 */
struct getresgid_args {
	gid_t *rgid;	/* real gid destination */
	gid_t *egid;	/* effective gid destination */
	gid_t *sgid;	/* saved gid destination */
};
#endif
1258 /* ARGSUSED */
/*
 * getresgid(2): copy the caller's real, effective and saved gids out to
 * the user pointers in uap.  A NULL pointer skips that id.  The effective
 * gid lives in cr_groups[0].
 *
 * Returns 0 on success, otherwise the first copyout() error in
 * rgid, egid, sgid order; all three copies are still attempted.
 */
int
sys_getresgid(struct thread *td, struct getresgid_args *uap)
{
	struct ucred *cred = td->td_ucred;
	int err_r = 0, err_e = 0, err_s = 0;

	if (uap->rgid != NULL)
		err_r = copyout(&cred->cr_rgid, uap->rgid,
		    sizeof(cred->cr_rgid));
	if (uap->egid != NULL)
		err_e = copyout(&cred->cr_groups[0], uap->egid,
		    sizeof(cred->cr_groups[0]));
	if (uap->sgid != NULL)
		err_s = copyout(&cred->cr_svgid, uap->sgid,
		    sizeof(cred->cr_svgid));

	/* Report the earliest failure. */
	if (err_r != 0)
		return (err_r);
	if (err_e != 0)
		return (err_e);
	return (err_s);
}
1277
#ifndef _SYS_SYSPROTO_H_
/* issetugid(2) takes no arguments; the member only keeps the struct non-empty. */
struct issetugid_args {
	int dummy;
};
#endif
1283 /* ARGSUSED */
/*
 * issetugid(2): report whether the process is "tainted", i.e. whether its
 * credentials have changed since the last execve().
 *
 * Returns 0; the answer (1 or 0) is placed in td->td_retval[0].
 *
 * OpenBSD keys this off a P_SUGIDEXEC flag set only at execve() time; we
 * use P_SUGID instead because changing the owners is considered tainting
 * too.  This matters for processes that start as root and "become" a user
 * without an exec: they cannot know *everything* libc *might* have placed
 * in their data segment while privileged.
 */
int
sys_issetugid(struct thread *td, struct issetugid_args *uap)
{
	struct proc *p = td->td_proc;
	int tainted = 0;

	if ((p->p_flag & P_SUGID) != 0)
		tainted = 1;
	td->td_retval[0] = tainted;
	return (0);
}
1300
/*
 * __setugid(2): regression-test hook that sets (flag == 1) or clears
 * (flag == 0) P_SUGID on the calling process.
 *
 * Returns 0, EINVAL for any other flag value, or ENOSYS when the kernel is
 * built without REGRESSION (the syscall is then a stub).
 */
int
sys___setugid(struct thread *td, struct __setugid_args *uap)
{
#ifdef REGRESSION
	struct proc *p = td->td_proc;

	if (uap->flag != 0 && uap->flag != 1)
		return (EINVAL);

	/* p_flag is protected by the process lock. */
	PROC_LOCK(p);
	if (uap->flag == 0)
		p->p_flag &= ~P_SUGID;
	else
		p->p_flag |= P_SUGID;
	PROC_UNLOCK(p);
	return (0);
#else /* !REGRESSION */

	return (ENOSYS);
#endif /* REGRESSION */
}
1327
#ifdef INVARIANTS
/*
 * Assert that a group array is in the canonical form produced by
 * crsetgroups(): a valid length and strictly increasing supplementary
 * groups (indices 1..ngrp-1).  groups[0] is the effective gid and is not
 * part of the ordering.  Panics on violation; a no-op without INVARIANTS.
 */
static void
groups_check_normalized(int ngrp, const gid_t *groups)
{
	groups_check_positive_len(ngrp);
	groups_check_max_len(ngrp);

	/* With only the effective gid present the loop does not run. */
	for (int i = 2; i < ngrp; ++i) {
		if (groups[i - 1] >= groups[i])
			panic("%s: groups[%d] (%u) >= groups[%d] (%u)",
			    __func__, i - 1, groups[i - 1], i, groups[i]);
	}
}
#else
#define groups_check_normalized(...)
#endif
1353
1354 /*
1355 * Returns whether gid designates a supplementary group in cred.
1356 */
/*
 * Returns whether gid designates a supplementary group in cred.
 *
 * The supplementary set is cr_groups[1..cr_ngroups-1]; it is kept sorted by
 * crsetgroups(), which is what makes a binary search valid here.
 */
int
group_is_supplementary(const gid_t gid, const struct ucred *const cred)
{
	const gid_t *supp = cred->cr_groups + 1;
	int nsupp = cred->cr_ngroups - 1;
	const void *hit;

	groups_check_normalized(cred->cr_ngroups, cred->cr_groups);

	hit = bsearch(&gid, supp, nsupp, sizeof(gid), gidp_cmp);
	return (hit != NULL);
}
1370
1371 /*
1372 * Check if gid is a member of the (effective) group set (i.e., effective and
1373 * supplementary groups).
1374 */
/*
 * Check if gid is a member of the (effective) group set, i.e. the effective
 * gid (cr_groups[0]) or one of the supplementary groups.
 *
 * Returns 1 if it is, 0 otherwise.
 */
int
groupmember(gid_t gid, const struct ucred *cred)
{
	groups_check_positive_len(cred->cr_ngroups);

	if (cred->cr_groups[0] == gid)
		return (1);
	return (group_is_supplementary(gid, cred));
}
1386
1387 /*
1388 * Check if gid is a member of the real group set (i.e., real and supplementary
1389 * groups).
1390 */
/*
 * Check if gid is a member of the real group set, i.e. the real gid or one
 * of the supplementary groups.
 *
 * Returns 1 if it is, 0 otherwise.
 */
int
realgroupmember(gid_t gid, const struct ucred *cred)
{
	/*
	 * The equality test on cr_rgid does not touch cr_groups, but a
	 * zero cr_ngroups is taken to mean the ucred is not fully
	 * initialised and cr_rgid may not have been filled, so the length
	 * is checked first regardless.
	 */
	groups_check_positive_len(cred->cr_ngroups);

	if (cred->cr_rgid == gid)
		return (1);
	return (group_is_supplementary(gid, cred));
}
1407
1408 /*
1409 * Test the active securelevel against a given level. securelevel_gt()
1410 * implements (securelevel > level). securelevel_ge() implements
1411 * (securelevel >= level). Note that the logic is inverted -- these
1412 * functions return EPERM on "success" and 0 on "failure".
1413 *
1414 * Due to care taken when setting the securelevel, we know that no jail will
 * be less secure than its parent (or the physical system), so it is sufficient
1416 * to test the current jail only.
1417 *
1418 * XXXRW: Possibly since this has to do with privilege, it should move to
1419 * kern_priv.c.
1420 */
/*
 * securelevel_gt(): EPERM if the securelevel of cr's jail is strictly
 * greater than level, 0 otherwise.  Note the inverted sense: a non-zero
 * return is the "denied" case.
 */
int
securelevel_gt(struct ucred *cr, int level)
{
	if (cr->cr_prison->pr_securelevel > level)
		return (EPERM);
	return (0);
}
1427
/*
 * securelevel_ge(): EPERM if the securelevel of cr's jail is greater than
 * or equal to level, 0 otherwise.  Inverted sense, as for securelevel_gt().
 */
int
securelevel_ge(struct ucred *cr, int level)
{
	if (cr->cr_prison->pr_securelevel >= level)
		return (EPERM);
	return (0);
}
1434
1435 /*
1436 * 'see_other_uids' determines whether or not visibility of processes
1437 * and sockets with credentials holding different real uids is possible
1438 * using a variety of system MIBs.
1439 * XXX: data declarations should be together near the beginning of the file.
1440 */
/* Default on: subjects owned by other real uids are visible without privilege. */
static int see_other_uids = 1;
/* Exposed as security.bsd.see_other_uids; consulted by cr_canseeotheruids(). */
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
    &see_other_uids, 0,
    "Unprivileged processes may see subjects/objects with different real uid");
1445
1446 /*-
1447 * Determine if u1 "can see" the subject specified by u2, according to the
1448 * 'see_other_uids' policy.
1449 * Returns: 0 for permitted, ESRCH otherwise
1450 * Locks: none
1451 * References: *u1 and *u2 must not change during the call
1452 * u1 may equal u2, in which case only one reference is required
1453 */
/*
 * Determine if u1 "can see" the subject specified by u2, according to the
 * 'see_other_uids' policy.
 * Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 */
int
cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
{
	/* Policy disabled, or same real uid: always visible. */
	if (see_other_uids || u1->cr_ruid == u2->cr_ruid)
		return (0);

	/* Different real uids: visibility requires PRIV_SEEOTHERUIDS. */
	if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) == 0)
		return (0);
	return (ESRCH);
}
1464
1465 /*
1466 * 'see_other_gids' determines whether or not visibility of processes
1467 * and sockets with credentials holding different real gids is possible
1468 * using a variety of system MIBs.
1469 * XXX: data declarations should be together near the beginning of the file.
1470 */
/* Default on: subjects in other real group sets are visible without privilege. */
static int see_other_gids = 1;
/* Exposed as security.bsd.see_other_gids; consulted by cr_canseeothergids(). */
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
    &see_other_gids, 0,
    "Unprivileged processes may see subjects/objects with different real gid");
1475
1476 /*
1477 * Determine if u1 can "see" the subject specified by u2, according to the
1478 * 'see_other_gids' policy.
1479 * Returns: 0 for permitted, ESRCH otherwise
1480 * Locks: none
1481 * References: *u1 and *u2 must not change during the call
1482 * u1 may equal u2, in which case only one reference is required
1483 */
/*
 * Determine if u1 can "see" the subject specified by u2, according to the
 * 'see_other_gids' policy: u2 is visible if any gid of u1's real group set
 * (real gid plus supplementary groups) is in u2's real group set, or if
 * u1 holds PRIV_SEEOTHERGIDS.
 * Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 */
int
cr_canseeothergids(struct ucred *u1, struct ucred *u2)
{
	if (see_other_gids)
		return (0);

	if (realgroupmember(u1->cr_rgid, u2))
		return (0);
	/* cr_groups[0] is the effective gid; only the supplementary set counts. */
	for (int idx = 1; idx < u1->cr_ngroups; idx++) {
		if (realgroupmember(u1->cr_groups[idx], u2))
			return (0);
	}

	/* No overlap between the real group sets: privilege decides. */
	if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) == 0)
		return (0);
	return (ESRCH);
}
1501
1502 /*
1503 * 'see_jail_proc' determines whether or not visibility of processes and
1504 * sockets with credentials holding different jail ids is possible using a
1505 * variety of system MIBs.
1506 *
1507 * XXX: data declarations should be together near the beginning of the file.
1508 */
1509
/* Default on: subjects in other jails are visible without privilege. */
static int see_jail_proc = 1;
/* Exposed as security.bsd.see_jail_proc; consulted by cr_canseejailproc(). */
SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
    &see_jail_proc, 0,
    "Unprivileged processes may see subjects/objects with different jail ids");
1514
1515 /*-
1516 * Determine if u1 "can see" the subject specified by u2, according to the
1517 * 'see_jail_proc' policy.
1518 * Returns: 0 for permitted, ESRCH otherwise
1519 * Locks: none
1520 * References: *u1 and *u2 must not change during the call
1521 * u1 may equal u2, in which case only one reference is required
1522 */
/*
 * Determine if u1 "can see" the subject specified by u2, according to the
 * 'see_jail_proc' policy.
 * Returns: 0 for permitted, ESRCH otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 */
int
cr_canseejailproc(struct ucred *u1, struct ucred *u2)
{
	/* Policy deactivated. */
	if (see_jail_proc)
		return (0);
	/* Same jail. */
	if (u1->cr_prison == u2->cr_prison)
		return (0);
	/* Privileged (checked last so the cheap tests short-circuit). */
	if (priv_check_cred(u1, PRIV_SEEJAILPROC) == 0)
		return (0);

	return (ESRCH);
}
1533
1534 /*
1535 * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
1536 * policies. Determines if u1 "can see" u2 according to these policies.
1537 * Returns: 0 for permitted, ESRCH otherwise
1538 */
/*
 * Helper for the cr_cansee*() functions: apply the system-wide
 * security.bsd.see_* policies in turn (uids, gids, jail).  The first
 * policy that denies decides the result.
 * Returns: 0 for permitted, ESRCH otherwise
 */
int
cr_bsd_visible(struct ucred *u1, struct ucred *u2)
{
	int error;

	if ((error = cr_canseeotheruids(u1, u2)) != 0)
		return (error);
	if ((error = cr_canseeothergids(u1, u2)) != 0)
		return (error);
	return (cr_canseejailproc(u1, u2));
}
1555
1556 /*-
1557 * Determine if u1 "can see" the subject specified by u2.
1558 * Returns: 0 for permitted, an errno value otherwise
1559 * Locks: none
1560 * References: *u1 and *u2 must not change during the call
1561 * u1 may equal u2, in which case only one reference is required
1562 */
/*
 * Determine if u1 "can see" the subject specified by u2: jail containment
 * first, then the MAC visibility hook (if compiled in), then the
 * security.bsd.see_* policies.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: none
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 */
int
cr_cansee(struct ucred *u1, struct ucred *u2)
{
	int error;

	error = prison_check(u1, u2);
	if (error != 0)
		return (error);
#ifdef MAC
	error = mac_cred_check_visible(u1, u2);
	if (error != 0)
		return (error);
#endif
	return (cr_bsd_visible(u1, u2));
}
1578
1579 /*-
1580 * Determine if td "can see" the subject specified by p.
1581 * Returns: 0 for permitted, an errno value otherwise
1582 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1583 * should be curthread.
1584 * References: td and p must be valid for the lifetime of the call
1585 */
/*
 * Determine if td "can see" the subject specified by p.  A process always
 * sees itself; otherwise the decision is delegated to cr_cansee() on the
 * two credentials.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
 * should be curthread.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_cansee(struct thread *td, struct proc *p)
{
	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);

	if (td->td_proc != p)
		return (cr_cansee(td->td_ucred, p->p_ucred));
	return (0);
}
1597
1598 /*
1599 * 'conservative_signals' prevents the delivery of a broad class of
1600 * signals by unprivileged processes to processes that have changed their
1601 * credentials since the last invocation of execve(). This can prevent
1602 * the leakage of cached information or retained privileges as a result
1603 * of a common class of signal-related vulnerabilities. However, this
1604 * may interfere with some applications that expect to be able to
1605 * deliver these signals to peer processes after having given up
1606 * privilege.
1607 */
/* Default on: see the policy description above and cr_cansignal(). */
static int conservative_signals = 1;
/* Exposed as security.bsd.conservative_signals. */
SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
    &conservative_signals, 0, "Unprivileged processes prevented from "
    "sending certain signals to processes whose credentials have changed");
1612 /*-
1613 * Determine whether cred may deliver the specified signal to proc.
1614 * Returns: 0 for permitted, an errno value otherwise.
1615 * Locks: A lock must be held for proc.
1616 * References: cred and proc must be valid for the lifetime of the call.
1617 */
/*
 * Determine whether cred may deliver the specified signal to proc.
 *
 * cred:   subject credential.
 * proc:   target process (must be locked).
 * signum: signal number; 0 is the existence probe and is treated as a
 *         permitted signal in the P_SUGID case.
 * Returns: 0 for permitted, an errno value otherwise.
 * Locks: A lock must be held for proc.
 * References: cred and proc must be valid for the lifetime of the call.
 *
 * Checks, in order: jail containment, the MAC hook, the see_* visibility
 * policies, the conservative_signals restriction for P_SUGID targets, and
 * finally the uid match between subject and target.  Each privilege
 * fallback uses a distinct PRIV_SIGNAL_* so policy can grant them apart.
 */
int
cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
{
	int error;

	PROC_LOCK_ASSERT(proc, MA_OWNED);
	/*
	 * Jail semantics limit the scope of signalling to proc in the
	 * same jail as cred, if cred is in jail.
	 */
	error = prison_check(cred, proc->p_ucred);
	if (error)
		return (error);
#ifdef MAC
	if ((error = mac_proc_check_signal(cred, proc, signum)))
		return (error);
#endif
	/* A subject that cannot see proc cannot signal it either. */
	if ((error = cr_bsd_visible(cred, proc->p_ucred)))
		return (error);

	/*
	 * UNIX signal semantics depend on the status of the P_SUGID
	 * bit on the target process. If the bit is set, then additional
	 * restrictions are placed on the set of available signals.
	 */
	if (conservative_signals && (proc->p_flag & P_SUGID)) {
		switch (signum) {
		case 0:
		case SIGKILL:
		case SIGINT:
		case SIGTERM:
		case SIGALRM:
		case SIGSTOP:
		case SIGTTIN:
		case SIGTTOU:
		case SIGTSTP:
		case SIGHUP:
		case SIGUSR1:
		case SIGUSR2:
			/*
			 * Generally, permit job and terminal control
			 * signals.  Anything outside this allow-list could
			 * let an unprivileged sender influence a process that
			 * still holds cached privilege or data.
			 */
			break;
		default:
			/* Not permitted without privilege. */
			error = priv_check_cred(cred, PRIV_SIGNAL_SUGID);
			if (error)
				return (error);
		}
	}

	/*
	 * Generally, the target credential's ruid or svuid must match the
	 * subject credential's ruid or euid.
	 */
	if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
	    cred->cr_ruid != proc->p_ucred->cr_svuid &&
	    cred->cr_uid != proc->p_ucred->cr_ruid &&
	    cred->cr_uid != proc->p_ucred->cr_svuid) {
		error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED);
		if (error)
			return (error);
	}

	return (0);
}
1685
1686 /*-
1687 * Determine whether td may deliver the specified signal to p.
1688 * Returns: 0 for permitted, an errno value otherwise
1689 * Locks: Sufficient locks to protect various components of td and p
1690 * must be held. td must be curthread, and a lock must be
1691 * held for p.
1692 * References: td and p must be valid for the lifetime of the call
1693 */
/*
 * Determine whether td may deliver the specified signal to p.
 *
 * Three cases are granted before the credential-based checks in
 * cr_cansignal(): signalling oneself, SIGCONT within the same session, and
 * the SIGTHR..SIGTHR+3 range between processes sharing a p_leader.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must be
 * held for p.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_cansignal(struct thread *td, struct proc *p, int signum)
{
	struct proc *cur = td->td_proc;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);

	if (cur == p)
		return (0);

	/*
	 * UNIX signalling semantics require that processes in the same
	 * session always be able to deliver SIGCONT to one another,
	 * overriding the remaining protections.
	 * XXX: the p_session comparison will require an additional lock
	 * of some sort.
	 */
	if (signum == SIGCONT && cur->p_session == p->p_session)
		return (0);

	/*
	 * Some compat layers use SIGTHR and higher signals for
	 * communication between different kernel threads of the same
	 * process, so they expect that it is always possible to deliver
	 * them, even for suid applications where cr_cansignal() would
	 * deny it for security reasons.  This is considered safe because
	 * the only way to create two processes with the same p_leader is
	 * rfork(2).
	 */
	if (cur->p_leader != NULL && cur->p_leader == p->p_leader &&
	    signum >= SIGTHR && signum < SIGTHR + 4)
		return (0);

	return (cr_cansignal(td->td_ucred, p, signum));
}
1726
1727 /*-
1728 * Determine whether td may reschedule p.
1729 * Returns: 0 for permitted, an errno value otherwise
1730 * Locks: Sufficient locks to protect various components of td and p
1731 * must be held. td must be curthread, and a lock must
1732 * be held for p.
1733 * References: td and p must be valid for the lifetime of the call
1734 */
/*
 * Determine whether td may reschedule p.
 *
 * Self is always allowed; otherwise jail containment, the MAC hook and the
 * see_* visibility policies are applied, and then td's real or effective
 * uid must equal p's real uid unless td holds PRIV_SCHED_DIFFCRED.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must
 * be held for p.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_cansched(struct thread *td, struct proc *p)
{
	struct ucred *const tcred = td->td_ucred;
	struct ucred *const pcred = p->p_ucred;
	int error;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	if (td->td_proc == p)
		return (0);
	error = prison_check(tcred, pcred);
	if (error != 0)
		return (error);
#ifdef MAC
	error = mac_proc_check_sched(tcred, p);
	if (error != 0)
		return (error);
#endif
	error = cr_bsd_visible(tcred, pcred);
	if (error != 0)
		return (error);

	if (tcred->cr_ruid == pcred->cr_ruid || tcred->cr_uid == pcred->cr_ruid)
		return (0);
	/* Differing credentials: only with privilege. */
	return (priv_check(td, PRIV_SCHED_DIFFCRED));
}
1761
1762 /*
1763 * Handle getting or setting the prison's unprivileged_proc_debug
1764 * value.
1765 */
/*
 * Handle getting or setting the prison's unprivileged_proc_debug value.
 *
 * The value shown and changed is the PR_ALLOW_UNPRIV_DEBUG flag of the
 * requesting thread's jail.  Only 0 or 1 is accepted on write; anything
 * else is rejected with EINVAL before the jail is touched.
 */
static int
sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS)
{
	struct ucred *cred = req->td->td_ucred;
	int error, val;

	val = prison_allow(cred, PR_ALLOW_UNPRIV_DEBUG);
	error = sysctl_handle_int(oidp, &val, 0, req);
	/* Read-only request, or the copy failed: nothing to apply. */
	if (error != 0 || req->newptr == NULL)
		return (error);

	switch (val) {
	case 0:
	case 1:
		prison_set_allow(cred, PR_ALLOW_UNPRIV_DEBUG, val);
		return (0);
	default:
		return (EINVAL);
	}
}
1780
1781 /*
1782 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1783 * unprivileged inter-process debugging services, including some procfs
1784 * functionality, ptrace(), and ktrace(). In the past, inter-process
1785 * debugging has been involved in a variety of security problems, and sites
1786 * not requiring the service might choose to disable it when hardening
1787 * systems.
1788 */
/*
 * security.bsd.unprivileged_proc_debug, backed by the per-jail handler
 * above.  CTLFLAG_PRISON and CTLFLAG_SECURE control who may write it
 * (see sysctl(9)); the value itself is the jail's PR_ALLOW_UNPRIV_DEBUG.
 */
SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug,
    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE |
    CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I",
    "Unprivileged processes may use process debugging facilities");
1793
1794 /*-
1795 * Determine whether td may debug p.
1796 * Returns: 0 for permitted, an errno value otherwise
1797 * Locks: Sufficient locks to protect various components of td and p
1798 * must be held. td must be curthread, and a lock must
1799 * be held for p.
1800 * References: td and p must be valid for the lifetime of the call
1801 */
/*
 * Determine whether td may debug p.
 *
 * The checks run in a fixed order and the first failure is returned:
 * self (allowed), PRIV_DEBUG_UNPRIV (gate for the whole facility), jail
 * containment, MAC hook, see_* visibility, then the credential comparison
 * (group subset, uid equality, P_SUGID) with a distinct PRIV_DEBUG_* for
 * each, init at securelevel > 0, a target mid-exec (EBUSY), and finally a
 * target that opted out via P2_NOTRACE.
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must
 * be held for p.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_candebug(struct thread *td, struct proc *p)
{
	int credentialchanged, error, grpsubset, i, uidsubset;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	if (td->td_proc == p)
		return (0);
	/* Unprivileged debugging may be disabled for the jail entirely. */
	if ((error = priv_check(td, PRIV_DEBUG_UNPRIV)))
		return (error);
	if ((error = prison_check(td->td_ucred, p->p_ucred)))
		return (error);
#ifdef MAC
	if ((error = mac_proc_check_debug(td->td_ucred, p)))
		return (error);
#endif
	if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
		return (error);

	/*
	 * Is p's group set a subset of td's effective group set? This
	 * includes p's egid, group access list, rgid, and svgid.
	 */
	grpsubset = 1;
	for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
		if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
			grpsubset = 0;
			break;
		}
	}
	grpsubset = grpsubset &&
	    groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
	    groupmember(p->p_ucred->cr_svgid, td->td_ucred);

	/*
	 * Are the uids present in p's credential equal to td's
	 * effective uid? This includes p's euid, svuid, and ruid.
	 */
	uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
	    td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
	    td->td_ucred->cr_uid == p->p_ucred->cr_ruid);

	/*
	 * Has the credential of the process changed since the last exec()?
	 */
	credentialchanged = (p->p_flag & P_SUGID);

	/*
	 * If p's gids aren't a subset, or the uids aren't a subset,
	 * or the credential has changed, require appropriate privilege
	 * for td to debug p.
	 */
	if (!grpsubset || !uidsubset) {
		error = priv_check(td, PRIV_DEBUG_DIFFCRED);
		if (error)
			return (error);
	}

	if (credentialchanged) {
		error = priv_check(td, PRIV_DEBUG_SUGID);
		if (error)
			return (error);
	}

	/* Can't trace init when securelevel > 0. */
	if (p == initproc) {
		error = securelevel_gt(td->td_ucred, 0);
		if (error)
			return (error);
	}

	/*
	 * Can't trace a process that's currently exec'ing.
	 *
	 * XXX: Note, this is not a security policy decision, it's a
	 * basic correctness/functionality decision. Therefore, this check
	 * should be moved to the callers of p_candebug().
	 */
	if ((p->p_flag & P_INEXEC) != 0)
		return (EBUSY);

	/* Denied explicitly by the target; overridable with PRIV_DEBUG_DENIED. */
	if ((p->p_flag2 & P2_NOTRACE) != 0) {
		error = priv_check(td, PRIV_DEBUG_DENIED);
		if (error != 0)
			return (error);
	}

	return (0);
}
1893
1894 /*-
1895 * Determine whether the subject represented by cred can "see" a socket.
1896 * Returns: 0 for permitted, ENOENT otherwise.
1897 */
/*
 * Determine whether the subject represented by cred can "see" a socket.
 *
 * Jail and see_* policy denials are reported as ENOENT, i.e. as if the
 * socket did not exist, so the caller does not learn whether a hidden
 * socket is present; an error from the MAC hook is passed through as is.
 * Returns: 0 for permitted, ENOENT (or a MAC errno) otherwise.
 */
int
cr_canseesocket(struct ucred *cred, struct socket *so)
{
	struct ucred *const socred = so->so_cred;
	int error;

	error = prison_check(cred, socred);
	if (error != 0)
		return (ENOENT);
#ifdef MAC
	error = mac_socket_check_visible(cred, so);
	if (error != 0)
		return (error);
#endif
	if (cr_bsd_visible(cred, socred) != 0)
		return (ENOENT);

	return (0);
}
1916
1917 /*-
1918 * Determine whether td can wait for the exit of p.
1919 * Returns: 0 for permitted, an errno value otherwise
1920 * Locks: Sufficient locks to protect various components of td and p
1921 * must be held. td must be curthread, and a lock must
1922 * be held for p.
 * References: td and p must be valid for the lifetime of the call
 */
/*
 * Determine whether td can wait for the exit of p.
 *
 * Only jail containment and the MAC hook are applied; the see_* visibility
 * policies are deliberately not consulted here (see the disabled block).
 * Returns: 0 for permitted, an errno value otherwise
 * Locks: Sufficient locks to protect various components of td and p
 * must be held. td must be curthread, and a lock must
 * be held for p.
 * References: td and p must be valid for the lifetime of the call
 */
int
p_canwait(struct thread *td, struct proc *p)
{
	int error;

	KASSERT(td == curthread, ("%s: td not curthread", __func__));
	PROC_LOCK_ASSERT(p, MA_OWNED);
	error = prison_check(td->td_ucred, p->p_ucred);
	if (error != 0)
		return (error);
#ifdef MAC
	error = mac_proc_check_wait(td->td_ucred, p);
	if (error != 0)
		return (error);
#endif
#if 0
	/* XXXMAC: This could have odd effects on some shells. */
	error = cr_bsd_visible(td->td_ucred, p->p_ucred);
	if (error != 0)
		return (error);
#endif

	return (0);
}
1947
1948 /*
1949 * Credential management.
1950 *
1951 * struct ucred objects are rarely allocated but gain and lose references all
1952 * the time (e.g., on struct file alloc/dealloc) turning refcount updates into
1953 * a significant source of cache-line ping ponging. Common cases are worked
 * around by modifying a thread-local counter instead, when the cred to operate on
1955 * matches td_realucred.
1956 *
1957 * The counter is split into 2 parts:
1958 * - cr_users -- total count of all struct proc and struct thread objects
1959 * which have given cred in p_ucred and td_ucred respectively
1960 * - cr_ref -- the actual ref count, only valid if cr_users == 0
1961 *
1962 * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if
1963 * the count reaches 0 the object is freeable.
1964 * If users > 0 and curthread->td_realucred == cred, then updates are performed
1965 * against td_ucredref.
1966 * In other cases updates are performed against cr_ref.
1967 *
1968 * Changing td_realucred into something else decrements cr_users and transfers
1969 * accumulated updates.
1970 */
/*
 * Register one more user (a proc or thread about to hold cr in p_ucred or
 * td_ucred) on a cred that already has users.  The user slot carries a
 * reference of its own, so both counters are bumped under cr_mtx.
 *
 * Returns cr for convenience.
 */
struct ucred *
crcowget(struct ucred *cr)
{
	mtx_lock(&cr->cr_mtx);
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));
	cr->cr_ref++;
	cr->cr_users++;
	mtx_unlock(&cr->cr_mtx);
	return (cr);
}
1983
/*
 * Detach td from its real credential, folding the thread-local reference
 * delta (td_ucredref) back into cr_ref and giving up the thread's user slot.
 *
 * Returns the cred if td was its last user: its reference count then still
 * includes the one this thread held and the caller must release it (see
 * crcowfree()).  Returns NULL otherwise, the thread's reference having been
 * dropped here.  td_realucred is cleared in both cases.
 */
static struct ucred *
crunuse(struct thread *td)
{
	struct ucred *cr, *crold;

	MPASS(td->td_realucred == td->td_ucred);
	cr = td->td_realucred;
	mtx_lock(&cr->cr_mtx);
	/* Transfer the batched updates before touching the shared counts. */
	cr->cr_ref += td->td_ucredref;
	td->td_ucredref = 0;
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));
	cr->cr_users--;
	if (cr->cr_users == 0) {
		/* Last user: hand the remaining reference to the caller. */
		KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p",
		    __func__, cr->cr_ref, cr));
		crold = cr;
	} else {
		/* Other users remain: just drop this thread's reference. */
		cr->cr_ref--;
		crold = NULL;
	}
	mtx_unlock(&cr->cr_mtx);
	td->td_realucred = NULL;
	return (crold);
}
2009
/*
 * Release 'users' user slots from cr and apply the batched reference delta
 * 'ref' in a single locked step (the consumer of credbatch_add() /
 * credbatch_final()).  Every user slot carried one reference, hence the
 * cr_ref -= users.  Frees the cred when both counts reach zero.
 */
static void
crunusebatch(struct ucred *cr, int users, int ref)
{

	KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p",
	    __func__, users, cr));
	mtx_lock(&cr->cr_mtx);
	/* NOTE(review): the message says "not >" but the check is >=. */
	KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p",
	    __func__, cr->cr_users, users, cr));
	cr->cr_users -= users;
	cr->cr_ref += ref;
	cr->cr_ref -= users;
	if (cr->cr_users > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	/* No users left: cr_ref is now the authoritative count. */
	KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p",
	    __func__, cr->cr_ref, cr));
	if (cr->cr_ref > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	/* crfree_final() tears the cred down, including its mutex. */
	crfree_final(cr);
}
2034
/*
 * Give up td's real credential.  When td was the cred's last user,
 * crunuse() hands the cred back and the outstanding reference is released
 * here; otherwise there is nothing more to do.
 */
void
crcowfree(struct thread *td)
{
	struct ucred *leftover = crunuse(td);

	if (leftover == NULL)
		return;
	crfree(leftover);
}
2044
/*
 * Bring curthread's credential in line with its process's p_ucred.
 *
 * Returns NULL when the thread already uses p_ucred.  Otherwise switches
 * td_realucred/td_ucred to p_ucred and returns the previous cred if the
 * thread was its last user (the caller must then crfree() it), or NULL.
 * The process lock must be held since p_ucred is read.
 */
struct ucred *
crcowsync(void)
{
	struct thread *const td = curthread;
	struct proc *const p = td->td_proc;
	struct ucred *replacement, *previous;

	PROC_LOCK_ASSERT(p, MA_OWNED);
	MPASS(td->td_realucred == td->td_ucred);

	if (td->td_realucred == p->p_ucred)
		return (NULL);

	/* Acquire the new cred before releasing the old one. */
	replacement = crcowget(p->p_ucred);
	previous = crunuse(td);
	td->td_realucred = replacement;
	td->td_ucred = replacement;
	return (previous);
}
2066
2067 /*
2068 * Batching.
2069 */
/*
 * Add an inactive thread's real credential to a batch, so that the user
 * slot and reference delta of many threads sharing one cred can be
 * released with a single locked crunusebatch() call.  Switching to a
 * different cred first flushes whatever was accumulated for the previous
 * one.  The thread is detached from its cred (td_realucred = NULL).
 */
void
credbatch_add(struct credbatch *crb, struct thread *td)
{
	struct ucred *cr = td->td_realucred;

	MPASS(cr != NULL);
	MPASS(cr == td->td_ucred);
	MPASS(td->td_state == TDS_INACTIVE);
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));

	if (crb->cred != cr && crb->users > 0) {
		MPASS(crb->cred != NULL);
		crunusebatch(crb->cred, crb->users, crb->ref);
		crb->users = 0;
		crb->ref = 0;
	}

	crb->cred = cr;
	crb->users++;
	/* Fold the thread-local reference delta into the batch. */
	crb->ref += td->td_ucredref;
	td->td_ucredref = 0;
	td->td_realucred = NULL;
}
2095
/*
 * Flush a non-empty batch: release its accumulated user slots and
 * reference delta against the batched cred in one locked operation.
 */
void
credbatch_final(struct credbatch *crb)
{
	MPASS(crb->cred != NULL);
	MPASS(crb->users > 0);

	crunusebatch(crb->cred, crb->users, crb->ref);
}
2104
2105 /*
2106 * Allocate a zeroed cred structure.
2107 */
/*
 * Allocate a zeroed cred structure.
 *
 * The caller owns the single initial reference (cr_ref = 1); cr_users is 0
 * from M_ZERO.  M_WAITOK means the allocation does not fail.  The group
 * array initially aliases the inline cr_smallgroups storage; a larger array
 * may replace it later (crfree_final() frees it when that happened).
 */
struct ucred *
crget(void)
{
	struct ucred *cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);

	mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF);
	cr->cr_ref = 1;
#ifdef AUDIT
	audit_cred_init(cr);
#endif
#ifdef MAC
	mac_cred_init(cr);
#endif
	cr->cr_agroups = nitems(cr->cr_smallgroups);
	cr->cr_groups = cr->cr_smallgroups;
	return (cr);
}
2126
2127 /*
2128 * Claim another reference to a ucred structure.
2129 */
/*
 * Claim another reference to a ucred structure.
 *
 * Fast path: when cr is the calling thread's own real credential the
 * reference is recorded in td_ucredref without taking cr_mtx; the delta is
 * folded into cr_ref by crunuse()/credbatch_add().  Otherwise cr_ref is
 * bumped under the lock.  Returns cr.
 */
struct ucred *
crhold(struct ucred *cr)
{
	struct thread *td = curthread;

	if (__predict_true(td->td_realucred == cr)) {
		KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
		    __func__, cr->cr_users, cr));
		td->td_ucredref++;
	} else {
		mtx_lock(&cr->cr_mtx);
		cr->cr_ref++;
		mtx_unlock(&cr->cr_mtx);
	}
	return (cr);
}
2147
2148 /*
2149 * Free a cred structure. Throws away space when ref count gets to 0.
2150 */
/*
 * Free a cred structure. Throws away space when ref count gets to 0.
 *
 * Mirrors crhold(): a release of the calling thread's own real credential
 * only decrements td_ucredref (no lock); any other cred is decremented
 * under cr_mtx and torn down by crfree_final() once both cr_users and
 * cr_ref are zero.
 */
void
crfree(struct ucred *cr)
{
	struct thread *td;

	td = curthread;
	if (__predict_true(td->td_realucred == cr)) {
		KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
		    __func__, cr->cr_users, cr));
		td->td_ucredref--;
		return;
	}
	mtx_lock(&cr->cr_mtx);
	KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p",
	    __func__, cr->cr_users, cr));
	cr->cr_ref--;
	/* While users remain, cr_ref is not the authoritative count. */
	if (cr->cr_users > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p",
	    __func__, cr->cr_ref, cr));
	if (cr->cr_ref > 0) {
		mtx_unlock(&cr->cr_mtx);
		return;
	}
	/* Last reference: crfree_final() also destroys cr_mtx. */
	crfree_final(cr);
}
2179
/*
 * Release everything a cred owns and free it.  Called with both counters
 * at zero (asserted) and, from crfree()/crunusebatch(), with cr_mtx held;
 * the mutex is destroyed here, so it must not be touched afterwards.
 */
static void
crfree_final(struct ucred *cr)
{

	KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
	    __func__, cr->cr_users, cr));
	KASSERT(cr->cr_ref == 0, ("%s: ref %d not == 0 on cred %p",
	    __func__, cr->cr_ref, cr));

	/*
	 * Some callers of crget(), such as nfs_statfs(), allocate a temporary
	 * credential, but don't allocate a uidinfo structure.
	 */
	if (cr->cr_uidinfo != NULL)
		uifree(cr->cr_uidinfo);
	if (cr->cr_ruidinfo != NULL)
		uifree(cr->cr_ruidinfo);
	if (cr->cr_prison != NULL)
		prison_free(cr->cr_prison);
	if (cr->cr_loginclass != NULL)
		loginclass_free(cr->cr_loginclass);
#ifdef AUDIT
	audit_cred_destroy(cr);
#endif
#ifdef MAC
	mac_cred_destroy(cr);
#endif
	mtx_destroy(&cr->cr_mtx);
	/* The group array is heap-allocated only if it outgrew cr_smallgroups. */
	if (cr->cr_groups != cr->cr_smallgroups)
		free(cr->cr_groups, M_CRED);
	free(cr, M_CRED);
}
2212
2213 /*
2214 * Copy a ucred's contents from a template. Does not block.
2215 */
/*
 * Copy a ucred's contents from a template. Does not block.
 *
 * The byte range cr_startcopy..cr_endcopy is copied verbatim, the group
 * array is duplicated through crsetgroups(), and a reference is taken on
 * every object whose pointer was just copied (uidinfo, prison, login
 * class) so dest owns them independently of src.
 *
 * Ideally 'cr_ngroups' would live outside the bcopied area, but moving it
 * would break the ABI, so that is deferred until there is a compelling
 * need.
 */
void
crcopy(struct ucred *dest, struct ucred *src)
{
	caddr_t from = (caddr_t)&src->cr_startcopy;
	caddr_t to = (caddr_t)&dest->cr_startcopy;
	unsigned len = (unsigned)((caddr_t)&src->cr_endcopy - from);

	bcopy(from, to, len);
	crsetgroups(dest, src->cr_ngroups, src->cr_groups);

	uihold(dest->cr_uidinfo);
	uihold(dest->cr_ruidinfo);
	prison_hold(dest->cr_prison);
	loginclass_hold(dest->cr_loginclass);
#ifdef AUDIT
	audit_cred_copy(src, dest);
#endif
#ifdef MAC
	mac_cred_copy(src, dest);
#endif
}
2240
/*
 * Duplicate a credential into a newly allocated, held one.
 * The copy owns its own references (see crcopy()); the caller owns the copy.
 */
struct ucred *
crdup(struct ucred *cr)
{
	struct ucred *const copy = crget();

	crcopy(copy, cr);
	return (copy);
}
2253
/*
 * Fill in a struct xucred based on a struct ucred.
 *
 * The xucred is zeroed first so that padding and unused group slots never
 * carry stale kernel bytes if the structure is later exported.  Only the
 * uid and the first XU_NGROUPS groups are exported; a longer group list is
 * truncated.
 */
void
cru2x(struct ucred *cr, struct xucred *xcr)
{
	const int ngroups = MIN(cr->cr_ngroups, XU_NGROUPS);

	bzero(xcr, sizeof(*xcr));
	xcr->cr_version = XUCRED_VERSION;
	xcr->cr_uid = cr->cr_uid;
	xcr->cr_ngroups = ngroups;
	bcopy(cr->cr_groups, xcr->cr_groups, ngroups * sizeof(*cr->cr_groups));
}
2271
/*
 * Thread variant of cru2x(): export the thread's credential, tagged with the
 * pid of the owning process.
 */
void
cru2xt(struct thread *td, struct xucred *xcr)
{
	struct proc *const p = td->td_proc;

	cru2x(td->td_ucred, xcr);
	xcr->cr_pid = p->p_pid;
}
2279
/*
 * Change process credentials.
 *
 * Callers are responsible for providing the reference for passed credentials
 * and for freeing old ones.  Calls chgproccnt() to correctly account the
 * current process to the proper real UID, if the latter has changed.  Returns
 * whether the operation was successful.  Failure can happen only on
 * 'enforce_proc_lim' being true and if no new process can be accounted to the
 * new real UID because of the current limit (see the inner comment for more
 * details) and the caller does not have privilege (PRIV_PROC_LIMIT) to override
 * that.
 *
 * Preconditions (asserted): the process lock is held, 'newcred' is not yet
 * used by any process and carries exactly the one reference the caller
 * provides.  On failure nothing has been modified.  On success 'oldcred' is no
 * longer counted as used by the process but keeps the reference the caller is
 * expected to release.
 */
static bool
_proc_set_cred(struct proc *p, struct ucred *newcred, bool enforce_proc_lim)
{
	struct ucred *const oldcred = p->p_ucred;

	MPASS(oldcred != NULL);
	PROC_LOCK_ASSERT(p, MA_OWNED);
	KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p",
	    __func__, newcred->cr_users, newcred));
	KASSERT(newcred->cr_ref == 1, ("%s: ref %d not 1 on cred %p",
	    __func__, newcred->cr_ref, newcred));

	if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo) {
		/*
		 * XXXOC: This check is flawed but nonetheless the best we can
		 * currently do as we don't really track limits per UID contrary
		 * to what we pretend in setrlimit(2).  Until this is reworked,
		 * we just check here that the number of processes for our new
		 * real UID doesn't exceed this process' process number limit
		 * (which is meant to be associated with the current real UID).
		 */
		/*
		 * Account the process to the new real UID before switching;
		 * the old UID's count is only lowered after the switch, so
		 * the process is never unaccounted.  A limit of 0 is treated
		 * as "no limit" (this is what proc_set_cred() relies on).
		 */
		const int proccnt_changed = chgproccnt(newcred->cr_ruidinfo, 1,
		    enforce_proc_lim ? lim_cur_proc(p, RLIMIT_NPROC) : 0);

		if (!proccnt_changed) {
			/*
			 * Over the limit.  The privilege check is made against
			 * the process' current (old) credential, not the one
			 * being installed.  Without the privilege the switch
			 * is refused with no counts modified; with it the
			 * count is raised unconditionally.
			 */
			if (priv_check_cred(oldcred, PRIV_PROC_LIMIT) != 0)
				return (false);
			(void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
		}
	}

	/* Switch: 'oldcred' loses its user, not its reference. */
	mtx_lock(&oldcred->cr_mtx);
	KASSERT(oldcred->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, oldcred->cr_users, oldcred));
	oldcred->cr_users--;
	mtx_unlock(&oldcred->cr_mtx);
	p->p_ucred = newcred;
	newcred->cr_users = 1;
	PROC_UPDATE_COW(p);
	/* Only now release the old real UID's slot; this is never limited. */
	if (newcred->cr_ruidinfo != oldcred->cr_ruidinfo)
		(void)chgproccnt(oldcred->cr_ruidinfo, -1, 0);
	return (true);
}
2335
/*
 * Install 'newcred' on 'p' without enforcing the process limit.  In that mode
 * _proc_set_cred() cannot fail (see its header comment), which the assertion
 * records; see proc_set_cred_enforce_proc_lim() for the checked variant.
 */
void
proc_set_cred(struct proc *p, struct ucred *newcred)
{
	bool ok __diagused;

	ok = _proc_set_cred(p, newcred, false);
	MPASS(ok);
}
2343
/*
 * Install 'newcred' on 'p', honouring RLIMIT_NPROC for the new real UID.
 * Returns false, leaving the process untouched, when the limit is hit and the
 * caller lacks PRIV_PROC_LIMIT (see _proc_set_cred()).
 */
bool
proc_set_cred_enforce_proc_lim(struct proc *p, struct ucred *newcred)
{
	const bool ok = _proc_set_cred(p, newcred, true);

	return (ok);
}
2349
/*
 * Detach the credential from a process being torn down (asserted to be a
 * zombie or a process that never started).  The credential stops counting the
 * process as a user, and the reference the process held is released with
 * crfree(), which performs the final teardown if it was the last one.  When
 * 'decrement_proc_count' is set the process is also removed from its real
 * UID's process count, the counterpart of the accounting in _proc_set_cred().
 */
void
proc_unset_cred(struct proc *p, bool decrement_proc_count)
{
	struct ucred *cr;

	MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW);
	/* Clear the process' pointer before touching the counts. */
	cr = p->p_ucred;
	p->p_ucred = NULL;
	KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p",
	    __func__, cr->cr_users, cr));
	mtx_lock(&cr->cr_mtx);
	cr->cr_users--;
	/*
	 * With no user left, the reference released by crfree() below must
	 * still exist; a zero count here would mean a double release.
	 */
	if (cr->cr_users == 0)
		KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p",
		    __func__, cr->cr_ref, cr));
	mtx_unlock(&cr->cr_mtx);
	if (decrement_proc_count)
		(void)chgproccnt(cr->cr_ruidinfo, -1, 0);
	crfree(cr);
}
2370
/*
 * Copy the process' current credential into 'cr', growing 'cr' first if the
 * current credential has more group slots.  Growing means calling crextend(),
 * which may sleep, so the process lock is dropped around it; p_ucred is then
 * re-read because it may have been replaced meanwhile, and the loop repeats
 * until 'cr' is large enough for whatever credential is current.  crcopy()
 * finally runs with the lock held and, since cr_agroups is now sufficient,
 * without allocating.
 *
 * 'cr' must be a fresh, unshared credential with no groups set (asserted by
 * crextend()).  Returns the credential that was copied; it is still installed
 * in 'p' -- what the caller does with it is not visible here, TODO confirm
 * against callers.
 */
struct ucred *
crcopysafe(struct proc *p, struct ucred *cr)
{
	struct ucred *oldcred;
	int groups;

	PROC_LOCK_ASSERT(p, MA_OWNED);

	oldcred = p->p_ucred;
	while (cr->cr_agroups < oldcred->cr_agroups) {
		/* Snapshot the size: 'oldcred' may be replaced while unlocked. */
		groups = oldcred->cr_agroups;
		PROC_UNLOCK(p);
		crextend(cr, groups);
		PROC_LOCK(p);
		oldcred = p->p_ucred;
	}
	crcopy(cr, oldcred);

	return (oldcred);
}
2391
/*
 * Extend the passed-in credentials to hold n groups.
 *
 * Must not be called after groups have been set.
 *
 * 'cr' must be referenced exactly once (unshared) and hold no groups: when the
 * array has to grow, the old one is freed and replaced by a zeroed one without
 * copying its contents, so any groups already installed would be lost.  'n' is
 * range-checked by groups_check_positive_len()/groups_check_max_len().  On
 * return cr_agroups >= n; it may exceed n because the allocation is rounded
 * up (see below).  May sleep (M_WAITOK).
 */
void
crextend(struct ucred *cr, int n)
{
	size_t nbytes;

	MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
	MPASS2(cr->cr_ngroups == 0, "groups on 'cr' already set!");
	groups_check_positive_len(n);
	groups_check_max_len(n);

	/* Already big enough: nothing to do. */
	if (n <= cr->cr_agroups)
		return;

	/*
	 * Guard the size computation against wrap-around.  The bound on 'n'
	 * (kern.ngroups) is meant to make this unreachable, hence the panic.
	 */
	nbytes = n * sizeof(gid_t);
	if (nbytes < n)
		panic("Too many groups (memory size overflow)! "
		    "Computation of 'kern.ngroups' should have prevented this, "
		    "please fix it. In the meantime, reduce 'kern.ngroups'.");

	/*
	 * We allocate a power of 2 larger than 'nbytes', except when that
	 * exceeds PAGE_SIZE, in which case we allocate the right multiple of
	 * pages.  We assume PAGE_SIZE is a power of 2 (the call to roundup2()
	 * below) but do not need to for sizeof(gid_t).
	 */
	if (nbytes < PAGE_SIZE) {
		if (!powerof2(nbytes))
			/* fls*() return a bit index starting at 1. */
			nbytes = 1 << flsl(nbytes);
	} else
		nbytes = roundup2(nbytes, PAGE_SIZE);

	/* Free the old array (unless it is the embedded small one). */
	if (cr->cr_groups != cr->cr_smallgroups)
		free(cr->cr_groups, M_CRED);

	/* Fresh, zeroed storage; cr_ngroups stays 0 until groups are set. */
	cr->cr_groups = malloc(nbytes, M_CRED, M_WAITOK | M_ZERO);
	cr->cr_agroups = nbytes / sizeof(gid_t);
}
2436
/*
 * Normalizes a set of groups to be applied to a 'struct ucred'.
 *
 * The set of groups is an array that must comprise the effective GID as its
 * first element (so its length cannot be 0).
 *
 * Normalization ensures that elements after the first, which stand for the
 * supplementary groups, are sorted in ascending order and do not contain
 * duplicates.  The array is modified in place and '*ngrp' is lowered to the
 * number of elements kept.
 */
static void
groups_normalize(int *ngrp, gid_t *groups)
{
	const int count = *ngrp;
	int out;

	groups_check_positive_len(count);
	groups_check_max_len(count);

	/* A lone effective GID has no supplementary part to normalize. */
	if (count == 1)
		return;

	/* Sort the supplementary groups only; groups[0] is the effective GID. */
	qsort(groups + 1, count - 1, sizeof(*groups), gidp_cmp);

	/*
	 * Compact the sorted tail in place: 'out' is the next free slot and
	 * groups[out - 1] the last value kept, so each run of equal values
	 * keeps exactly its first element.
	 */
	out = 2;
	for (int in = 2; in < count; ++in) {
		if (groups[in] == groups[out - 1])
			continue;
		if (in != out)
			groups[out] = groups[in];
		++out;
	}
	*ngrp = out;

	groups_check_normalized(out, groups);
}
2478
/*
 * Internal function copying groups into a credential.
 *
 * 'ngrp' must be strictly positive.  Either the passed 'groups' array must have
 * been normalized in advance (see groups_normalize()), else it must be so
 * before the structure is to be used again.
 *
 * This function is suitable to be used under any lock (it doesn't take any lock
 * itself nor sleep, and in particular doesn't allocate memory).  crextend()
 * must have been called beforehand to ensure sufficient space is available;
 * that is asserted, not handled.  See also crsetgroups(), which handles that.
 */
static void
crsetgroups_internal(struct ucred *cr, int ngrp, const gid_t *groups)
{
	const size_t nbytes = ngrp * sizeof(gid_t);

	MPASS2(cr->cr_ref == 1, "'cr_ref' must be 1 (referenced, unshared)");
	MPASS2(cr->cr_agroups >= ngrp, "'cr_agroups' too small");
	groups_check_positive_len(ngrp);

	bcopy(groups, cr->cr_groups, nbytes);
	cr->cr_ngroups = ngrp;
}
2502
/*
 * Copy groups in to a credential after expanding it if required.
 *
 * May sleep in order to allocate memory (except if, e.g., crextend() was called
 * before with 'ngrp' or greater).  Truncates the list to (ngroups_max + 1) if
 * it is too large.  Array 'groups' doesn't need to be sorted.  'ngrp' must be
 * strictly positive.  The installed list is normalized (sorted, deduplicated)
 * before return, so cr_ngroups may end up smaller than 'ngrp'.
 */
void
crsetgroups(struct ucred *cr, int ngrp, const gid_t *groups)
{
	const int limit = ngroups_max + 1;

	/* Clamp oversized lists to the system maximum plus the effective GID. */
	if (ngrp > limit)
		ngrp = limit;
	/*
	 * Mark the current groups as discarded before crextend(): it asserts
	 * none are set because it may replace the backing array without
	 * copying, which is harmless here since the whole set is replaced.
	 */
	cr->cr_ngroups = 0;
	crextend(cr, ngrp);
	crsetgroups_internal(cr, ngrp, groups);
	groups_normalize(&cr->cr_ngroups, cr->cr_groups);
}
2528
/*
 * Same as crsetgroups() but accepts an empty groups array.
 *
 * This function ensures that an effective GID is always present in credentials.
 * An empty array is treated as a one-size one holding the passed effective GID
 * fallback.
 */
void
crsetgroups_fallback(struct ucred *cr, int ngrp, const gid_t *groups,
    const gid_t fallback)
{
	if (ngrp != 0) {
		crsetgroups(cr, ngrp, groups);
		return;
	}
	/*
	 * Empty input: install the fallback as the sole (effective) GID.  A
	 * single group is trivially normalized, and the internal setter
	 * asserts that 'cr' has room for it rather than extending.
	 */
	crsetgroups_internal(cr, 1, &fallback);
}
2546
2547 /*
2548 * Get login name, if available.
2549 */
#ifndef _SYS_SYSPROTO_H_
/* Argument block for getlogin(2) when not provided by sysproto.h. */
struct getlogin_args {
	char *namebuf;	/* user buffer receiving the login name (copyout) */
	u_int namelen;	/* size of that buffer; clamped to MAXLOGNAME */
};
#endif
/* ARGSUSED */
/*
 * getlogin(2): copy the session's login name, NUL included, to user space.
 * The copy is bounded by both the kernel buffer (MAXLOGNAME) and the size
 * the caller declared; ERANGE is returned when the name does not fit.
 */
int
sys_getlogin(struct thread *td, struct getlogin_args *uap)
{
	struct proc *const p = td->td_proc;
	char login[MAXLOGNAME];
	size_t len;
	int error;

	if (uap->namelen > MAXLOGNAME)
		uap->namelen = MAXLOGNAME;
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	/* strlcpy() returns the full source length; +1 for the terminator. */
	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
	error = (len > uap->namelen) ? ERANGE :
	    copyout(login, uap->namebuf, len);
	return (error);
}
2575
2576 /*
2577 * Set login name.
2578 */
#ifndef _SYS_SYSPROTO_H_
/* Argument block for setlogin(2) when not provided by sysproto.h. */
struct setlogin_args {
	char *namebuf;	/* user string with the new login name (copyinstr) */
};
#endif
/* ARGSUSED */
/*
 * setlogin(2): set the session's login name.  Privileged (PRIV_PROC_SETLOGIN).
 * The name is read with copyinstr() into a MAXLOGNAME buffer, so it is always
 * NUL-terminated and bounded before it reaches the session; an over-long name
 * is rejected with EINVAL rather than truncated.
 */
int
sys_setlogin(struct thread *td, struct setlogin_args *uap)
{
	struct proc *const p = td->td_proc;
	char logintmp[MAXLOGNAME];
	int error;

	/* The session buffer must hold everything copyinstr() can accept. */
	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));

	if ((error = priv_check(td, PRIV_PROC_SETLOGIN)) != 0)
		return (error);
	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
	if (error == ENAMETOOLONG)
		return (EINVAL);
	if (error != 0)
		return (error);
	AUDIT_ARG_LOGIN(logintmp);
	PROC_LOCK(p);
	SESS_LOCK(p->p_session);
	/* Bounded: logintmp is NUL-terminated within MAXLOGNAME (CTASSERT above). */
	strcpy(p->p_session->s_login, logintmp);
	SESS_UNLOCK(p->p_session);
	PROC_UNLOCK(p);
	return (0);
}
2611
/*
 * Set P_SUGID on the process, the flag recording that its credentials were
 * changed by a set-id operation (its consumers are outside this file).
 * The process lock must be held.
 */
void
setsugid(struct proc *p)
{
	PROC_LOCK_ASSERT(p, MA_OWNED);
	p->p_flag |= P_SUGID;
}
2619
/*-
 * Change a process's effective uid.
 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
 * References: newcred must be an exclusive credential reference for the
 * duration of the call.  A reference is taken on 'euip' and the one on the
 * previous uidinfo is released.
 */
void
change_euid(struct ucred *newcred, struct uidinfo *euip)
{
	struct uidinfo *const old_uip = newcred->cr_uidinfo;

	/* Hold the new uidinfo before letting go of the old one. */
	uihold(euip);
	newcred->cr_uid = euip->ui_uid;
	newcred->cr_uidinfo = euip;
	uifree(old_uip);
}
2635
/*-
 * Change a process's effective gid.
 * Side effects: newcred->cr_gid will be modified.
 * References: newcred must be an exclusive credential reference for the
 * duration of the call.
 *
 * The effective GID lives in slot 0 of the group array (see
 * groups_normalize()), so that is what is written.
 */
void
change_egid(struct ucred *newcred, gid_t egid)
{
	gid_t *const groups = newcred->cr_groups;

	groups[0] = egid;
}
2648
/*-
 * Change a process's real uid.
 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
 * will be updated.
 * References: newcred must be an exclusive credential reference for the
 * duration of the call.  A reference is taken on 'ruip' and the one on the
 * previous ruidinfo is released.
 */
void
change_ruid(struct ucred *newcred, struct uidinfo *ruip)
{
	struct uidinfo *const old_uip = newcred->cr_ruidinfo;

	/* Hold the new uidinfo before letting go of the old one. */
	uihold(ruip);
	newcred->cr_ruid = ruip->ui_uid;
	newcred->cr_ruidinfo = ruip;
	uifree(old_uip);
}
2665
/*-
 * Change a process's real gid.
 * Side effects: newcred->cr_rgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 * duration of the call.  No reference counting is involved for GIDs.
 */
void
change_rgid(struct ucred *newcred, gid_t rgid)
{
	/* Plain field update; the caller guarantees exclusivity. */
	newcred->cr_rgid = rgid;
}
2678
/*-
 * Change a process's saved uid.
 * Side effects: newcred->cr_svuid will be updated.
 * References: newcred must be an exclusive credential reference for the
 * duration of the call.  Unlike change_euid()/change_ruid(), no uidinfo
 * reference is involved.
 */
void
change_svuid(struct ucred *newcred, uid_t svuid)
{
	/* Plain field update; the caller guarantees exclusivity. */
	newcred->cr_svuid = svuid;
}
2691
/*-
 * Change a process's saved gid.
 * Side effects: newcred->cr_svgid will be updated.
 * References: newcred must be an exclusive credential reference for the
 * duration of the call.  No reference counting is involved for GIDs.
 */
void
change_svgid(struct ucred *newcred, gid_t svgid)
{
	/* Plain field update; the caller guarantees exclusivity. */
	newcred->cr_svgid = svgid;
}
2704
/*
 * security.bsd.allow_ptrace: tunable (CTLFLAG_RWTUN) switch, enabled by
 * default.  Per its description, clearing it makes ptrace(2) fail with ENOSYS;
 * the check itself presumably lives in the ptrace(2) implementation, not here.
 */
bool allow_ptrace = true;
SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN,
    &allow_ptrace, 0,
    "Deny ptrace(2) use by returning ENOSYS");
2709