]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/kern_prot.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-792.22.5.tar.gz
[apple/xnu.git] / bsd / kern / kern_prot.c
CommitLineData
1c79356b 1/*
91447636 2 * Copyright (c) 2000-2003 Apple Computer, Inc. All rights reserved.
1c79356b 3 *
8f6c56a5 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
1c79356b 5 *
8f6c56a5
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
8ad349bb 24 * limitations under the License.
8f6c56a5
A		 25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
1c79356b
A		 27 */
28/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29/*
30 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
31 * The Regents of the University of California. All rights reserved.
32 * (c) UNIX System Laboratories, Inc.
33 * All or some portions of this file are derived from material licensed
34 * to the University of California by American Telephone and Telegraph
35 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
36 * the permission of UNIX System Laboratories, Inc.
37 *
38 * Redistribution and use in source and binary forms, with or without
39 * modification, are permitted provided that the following conditions
40 * are met:
41 * 1. Redistributions of source code must retain the above copyright
42 * notice, this list of conditions and the following disclaimer.
43 * 2. Redistributions in binary form must reproduce the above copyright
44 * notice, this list of conditions and the following disclaimer in the
45 * documentation and/or other materials provided with the distribution.
46 * 3. All advertising materials mentioning features or use of this software
47 * must display the following acknowledgement:
48 * This product includes software developed by the University of
49 * California, Berkeley and its contributors.
50 * 4. Neither the name of the University nor the names of its contributors
51 * may be used to endorse or promote products derived from this software
52 * without specific prior written permission.
53 *
54 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
55 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
56 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
57 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
58 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
59 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
60 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
62 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
63 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
64 * SUCH DAMAGE.
65 *
66 * @(#)kern_prot.c 8.9 (Berkeley) 2/14/95
67 */
68
69/*
70 * System calls related to processes and protection
71 */
72
73#include <sys/param.h>
74#include <sys/acct.h>
75#include <sys/systm.h>
76#include <sys/ucred.h>
91447636
A		 77#include <sys/proc_internal.h>
78#include <sys/user.h>
79#include <sys/kauth.h>
1c79356b
A		 80#include <sys/timeb.h>
81#include <sys/times.h>
82#include <sys/malloc.h>
e5568f75
A		 83
84#include <bsm/audit_kernel.h>
1c79356b 85
91447636
A		 86#include <sys/mount_internal.h>
87#include <sys/sysproto.h>
1c79356b 88#include <mach/message.h>
9bccf70c
A		 89#include <mach/host_security.h>
90
1c79356b
A		 91#include <kern/host.h>
92
91447636
A		 93int groupmember(gid_t gid, kauth_cred_t cred);
94int is_suser(void);
95int is_suser1(void);
96
97extern int prepare_profile_database(int user);
98
1c79356b
A		 99/*
100 * setprivexec: (dis)allow this process to hold
101 * task, thread, or execption ports of processes about to exec.
102 */
1c79356b 103int
91447636 104setprivexec(struct proc *p, struct setprivexec_args *uap, register_t *retval)
1c79356b 105{
e5568f75 106 AUDIT_ARG(value, uap->flag);
1c79356b
A		 107 *retval = p->p_debugger;
108 p->p_debugger = (uap->flag != 0);
109 return(0);
110}
111
112/* ARGSUSED */
91447636
A		 113int
114getpid(struct proc *p, __unused struct getpid_args *uap, register_t *retval)
1c79356b
A		 115{
116
117 *retval = p->p_pid;
1c79356b
A		 118 return (0);
119}
120
121/* ARGSUSED */
91447636
A		 122int
123getppid(struct proc *p, __unused struct getppid_args *uap, register_t *retval)
1c79356b
A		 124{
125
126 *retval = p->p_pptr->p_pid;
127 return (0);
128}
129
130/* Get process group ID; note that POSIX getpgrp takes no parameter */
91447636
A		 131int
132getpgrp(struct proc *p, __unused struct getpgrp_args *uap, register_t *retval)
1c79356b
A		 133{
134
135 *retval = p->p_pgrp->pg_id;
136 return (0);
137}
138
9bccf70c 139/* Get an arbitary pid's process group id */
9bccf70c 140int
91447636 141getpgid(struct proc *p, struct getpgid_args *uap, register_t *retval)
9bccf70c
A		 142{
143 struct proc *pt;
144
145 pt = p;
146 if (uap->pid == 0)
147 goto found;
148
149 if ((pt = pfind(uap->pid)) == 0)
150 return (ESRCH);
151found:
152 *retval = pt->p_pgrp->pg_id;
153 return (0);
154}
155
156/*
157 * Get an arbitary pid's session id.
158 */
9bccf70c
A		 159
160int
91447636 161getsid(struct proc *p, struct getsid_args *uap, register_t *retval)
9bccf70c
A		 162{
163 struct proc *pt;
164
165 pt = p;
166 if (uap->pid == 0)
167 goto found;
168
169 if ((pt = pfind(uap->pid)) == 0)
170 return (ESRCH);
171found:
172 *retval = pt->p_session->s_sid;
173 return (0);
174}
175
1c79356b 176/* ARGSUSED */
91447636
A		 177int
178getuid(__unused struct proc *p, __unused struct getuid_args *uap, register_t *retval)
1c79356b
A		 179{
180
91447636 181 *retval = kauth_getruid();
1c79356b
A		 182 return (0);
183}
184
185/* ARGSUSED */
91447636
A		 186int
187geteuid(__unused struct proc *p, __unused struct geteuid_args *uap, register_t *retval)
188{
189
190 *retval = kauth_getuid();
191 return (0);
192}
193
194/*
195 * Return the per-thread override identity.
196 */
197int
198gettid(__unused struct proc *p, struct gettid_args *uap, register_t *retval)
1c79356b 199{
91447636
A		 200 struct uthread *uthread = get_bsdthread_info(current_thread());
201 int error;
1c79356b 202
91447636
A		 203 /*
204 * If this thread is not running with an override identity, we can't
205 * return one to the caller, so return an error instead.
206 */
207 if (!(uthread->uu_flag & UT_SETUID))
208 return (ESRCH);
209
210 if ((error = suword(uap->uidp, uthread->uu_ucred->cr_ruid)))
211 return (error);
212 if ((error = suword(uap->gidp, uthread->uu_ucred->cr_rgid)))
213 return (error);
214
215 *retval = 0;
1c79356b
A		 216 return (0);
217}
218
219/* ARGSUSED */
91447636
A		 220int
221getgid(__unused struct proc *p, __unused struct getgid_args *uap, register_t *retval)
1c79356b
A		 222{
223
91447636 224 *retval = kauth_getrgid();
1c79356b
A		 225 return (0);
226}
227
228/*
229 * Get effective group ID. The "egid" is groups[0], and could be obtained
230 * via getgroups. This syscall exists because it is somewhat painful to do
231 * correctly in a library function.
232 */
233/* ARGSUSED */
91447636
A		 234int
235getegid(struct proc *p, __unused struct getegid_args *uap, register_t *retval)
1c79356b
A		 236{
237
91447636 238 *retval = kauth_getgid();
1c79356b
A		 239 return (0);
240}
241
91447636
A		 242int
243getgroups(__unused struct proc *p, struct getgroups_args *uap, register_t *retval)
1c79356b 244{
91447636 245 register int ngrp;
1c79356b 246 int error;
91447636
A		 247 kauth_cred_t cred;
248
249 /* grab reference while we muck around with the credential */
250 cred = kauth_cred_get_with_ref();
1c79356b
A		 251
252 if ((ngrp = uap->gidsetsize) == 0) {
91447636 253 *retval = cred->cr_ngroups;
4452a7af 254 kauth_cred_unref(&cred);
1c79356b
A		 255 return (0);
256 }
91447636 257 if (ngrp < cred->cr_ngroups) {
4452a7af 258 kauth_cred_unref(&cred);
1c79356b 259 return (EINVAL);
91447636
A		 260 }
261 ngrp = cred->cr_ngroups;
262 if ((error = copyout((caddr_t)cred->cr_groups,
263 uap->gidset,
264 ngrp * sizeof(gid_t)))) {
4452a7af 265 kauth_cred_unref(&cred);
1c79356b
A		 266 return (error);
267 }
4452a7af 268 kauth_cred_unref(&cred);
1c79356b
A		 269 *retval = ngrp;
270 return (0);
271}
272
91447636
A		 273/*
274 * Return the per-thread/per-process supplementary groups list.
275 */
276#warning XXX implement
277int
278getsgroups(__unused struct proc *p, __unused struct getsgroups_args *uap, __unused register_t *retval)
279{
280 /* XXX implement */
281 return(ENOTSUP);
282}
283
284/*
285 * Return the per-thread/per-process whiteout groups list.
286 */
287#warning XXX implement
288int
289getwgroups(__unused struct proc *p, __unused struct getwgroups_args *uap, __unused register_t *retval)
290{
291 /* XXX implement */
292 return(ENOTSUP);
293}
294
1c79356b 295/* ARGSUSED */
91447636
A		 296int
297setsid(struct proc *p, __unused struct setsid_args *uap, register_t *retval)
1c79356b
A		 298{
299
55e303ae 300 if (p->p_pgid == p->p_pid || pgfind(p->p_pid) || p->p_flag & P_INVFORK) {
1c79356b
A		 301 return (EPERM);
302 } else {
303 (void)enterpgrp(p, p->p_pid, 1);
304 *retval = p->p_pid;
305 return (0);
306 }
307}
308
309/*
310 * set process group (setpgid/old setpgrp)
311 *
312 * caller does setpgid(targpid, targpgid)
313 *
314 * pid must be caller or child of caller (ESRCH)
315 * if a child
316 * pid must be in same session (EPERM)
317 * pid can't have done an exec (EACCES)
91447636 318 * ig pgid is -ve return EINVAL (as per SUV spec)
1c79356b
A		 319 * if pgid != pid
320 * there must exist some pid in same session having pgid (EPERM)
321 * pid must not be session leader (EPERM)
322 */
1c79356b 323/* ARGSUSED */
91447636
A		 324int
325setpgid(struct proc *curp, register struct setpgid_args *uap, __unused register_t *retval)
1c79356b
A		 326{
327 register struct proc *targp; /* target process */
328 register struct pgrp *pgrp; /* target pgrp */
329
330 if (uap->pid != 0 && uap->pid != curp->p_pid) {
331 if ((targp = pfind(uap->pid)) == 0 || !inferior(targp))
332 return (ESRCH);
333 if (targp->p_session != curp->p_session)
334 return (EPERM);
335 if (targp->p_flag & P_EXEC)
336 return (EACCES);
337 } else
338 targp = curp;
339 if (SESS_LEADER(targp))
340 return (EPERM);
91447636
A		 341 if (uap->pgid < 0)
342 return(EINVAL);
1c79356b
A		 343 if (uap->pgid == 0)
344 uap->pgid = targp->p_pid;
345 else if (uap->pgid != targp->p_pid)
346 if ((pgrp = pgfind(uap->pgid)) == 0 ||
55e303ae 347 pgrp->pg_session != curp->p_session)
1c79356b
A		 348 return (EPERM);
349 return (enterpgrp(targp, uap->pgid, 0));
350}
351
91447636
A		 352int
353issetugid(struct proc *p, __unused struct issetugid_args *uap, register_t *retval)
0b4e3aa0
A		 354{
355 /*
356 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
357 * we use P_SUGID because we consider changing the owners as
358 * "tainting" as well.
359 * This is significant for procs that start as root and "become"
360 * a user without an exec - programs cannot know *everything*
361 * that libc *might* have put in their data segment.
362 */
363
364 *retval = (p->p_flag & P_SUGID) ? 1 : 0;
365 return (0);
366}
367
1c79356b 368/* ARGSUSED */
91447636
A		 369int
370setuid(struct proc *p, struct setuid_args *uap, __unused register_t *retval)
1c79356b 371{
1c79356b
A		 372 register uid_t uid;
373 int error;
91447636 374 kauth_cred_t my_cred, my_new_cred;
1c79356b
A		 375
376 uid = uap->uid;
55e303ae 377 AUDIT_ARG(uid, uid, 0, 0, 0);
91447636
A		 378 if (uid != p->p_ucred->cr_ruid &&
379 (error = suser(p->p_ucred, &p->p_acflag)))
1c79356b
A		 380 return (error);
381 /*
382 * Everything's okay, do it.
383 * Transfer proc count to new user.
384 * Copy credentials so other references do not see our changes.
385 */
9bccf70c
A		 386
387 /* prepare app access profile files */
388 prepare_profile_database(uap->uid);
91447636 389 (void)chgproccnt(kauth_getruid(), -1);
1c79356b 390 (void)chgproccnt(uid, 1);
91447636
A		 391
392 /* get current credential and take a reference while we muck with it */
393 for (;;) {
394 my_cred = kauth_cred_proc_ref(p);
395
396 /*
4452a7af
A		 397 * Set the credential with new info. If there is no change,
398 * we get back the same credential we passed in; if there is
399 * a change, we drop the reference on the credential we
400 * passed in. The subsequent compare is safe, because it is
401 * a pointer compare rather than a contents compare.
91447636
A		 402 */
403 my_new_cred = kauth_cred_setuid(my_cred, uid);
404 if (my_cred != my_new_cred) {
405 proc_lock(p);
406 /* need to protect for a race where another thread also changed
407 * the credential after we took our reference. If p_ucred has
408 * changed then we should restart this again with the new cred.
409 */
410 if (p->p_ucred != my_cred) {
411 proc_unlock(p);
4452a7af 412 kauth_cred_unref(&my_new_cred);
91447636
A		 413 /* try again */
414 continue;
415 }
416 p->p_ucred = my_new_cred;
417 p->p_flag |= P_SUGID;
418 proc_unlock(p);
419 }
4452a7af
A		 420 /* drop old proc reference or our extra reference */
421 kauth_cred_unref(&my_cred);
91447636
A		 422 break;
423 }
424
1c79356b 425 set_security_token(p);
1c79356b
A		 426 return (0);
427}
428
1c79356b 429/* ARGSUSED */
91447636
A		 430int
431seteuid(struct proc *p, struct seteuid_args *uap, __unused register_t *retval)
1c79356b 432{
1c79356b
A		 433 register uid_t euid;
434 int error;
91447636 435 kauth_cred_t my_cred, my_new_cred;
1c79356b
A		 436
437 euid = uap->euid;
55e303ae 438 AUDIT_ARG(uid, 0, euid, 0, 0);
91447636
A		 439 if (euid != p->p_ucred->cr_ruid && euid != p->p_ucred->cr_svuid &&
440 (error = suser(p->p_ucred, &p->p_acflag)))
1c79356b
A		 441 return (error);
442 /*
443 * Everything's okay, do it. Copy credentials so other references do
91447636
A		 444 * not see our changes. get current credential and take a reference
445 * while we muck with it
1c79356b 446 */
91447636
A		 447 for (;;) {
448 my_cred = kauth_cred_proc_ref(p);
449
450 /*
4452a7af
A		 451 * Set the credential with new info. If there is no change,
452 * we get back the same credential we passed in; if there is
453 * a change, we drop the reference on the credential we
454 * passed in. The subsequent compare is safe, because it is
455 * a pointer compare rather than a contents compare.
91447636 456 */
4452a7af 457 my_new_cred = kauth_cred_seteuid(my_cred, euid);
91447636
A		 458
459 if (my_cred != my_new_cred) {
460 proc_lock(p);
4452a7af
A		 461 /*
462 * We need to protect for a race where another thread
463 * also changed the credential after we took our
464 * reference. If p_ucred has changed then we should
465 * restart this again with the new cred.
91447636
A		 466 */
467 if (p->p_ucred != my_cred) {
468 proc_unlock(p);
4452a7af 469 kauth_cred_unref(&my_new_cred);
91447636
A		 470 /* try again */
471 continue;
472 }
473 p->p_ucred = my_new_cred;
474 p->p_flag |= P_SUGID;
475 proc_unlock(p);
476 }
4452a7af
A		 477 /* drop old proc reference or our extra reference */
478 kauth_cred_unref(&my_cred);
91447636
A		 479 break;
480 }
481
1c79356b 482 set_security_token(p);
1c79356b
A		 483 return (0);
484}
485
1c79356b 486/* ARGSUSED */
91447636
A		 487int
488setgid(struct proc *p, struct setgid_args *uap, __unused register_t *retval)
1c79356b 489{
1c79356b
A		 490 register gid_t gid;
491 int error;
91447636 492 kauth_cred_t my_cred, my_new_cred;
1c79356b
A		 493
494 gid = uap->gid;
55e303ae 495 AUDIT_ARG(gid, gid, 0, 0, 0);
91447636 496 if (gid != p->p_ucred->cr_rgid && (error = suser(p->p_ucred, &p->p_acflag)))
1c79356b 497 return (error);
91447636
A		 498
499 /* get current credential and take a reference while we muck with it */
500 for (;;) {
501 my_cred = kauth_cred_proc_ref(p);
502
503 /*
4452a7af
A		 504 * Set the credential with new info. If there is no change,
505 * we get back the same credential we passed in; if there is
506 * a change, we drop the reference on the credential we
507 * passed in. The subsequent compare is safe, because it is
508 * a pointer compare rather than a contents compare.
91447636 509 */
4452a7af 510 my_new_cred = kauth_cred_setgid(my_cred, gid);
91447636
A		 511 if (my_cred != my_new_cred) {
512 proc_lock(p);
4452a7af
A		 513 /*
514 * We need to protect for a race where another thread
515 * also changed the credential after we took our
516 * reference. If p_ucred has changed then we should
517 * restart this again with the new cred.
91447636
A		 518 */
519 if (p->p_ucred != my_cred) {
520 proc_unlock(p);
4452a7af 521 kauth_cred_unref(&my_new_cred);
91447636
A		 522 /* try again */
523 continue;
524 }
525 p->p_ucred = my_new_cred;
526 p->p_flag |= P_SUGID;
527 proc_unlock(p);
528 }
4452a7af
A		 529 /* drop old proc reference or our extra reference */
530 kauth_cred_unref(&my_cred);
91447636
A		 531 break;
532 }
533
1c79356b 534 set_security_token(p);
1c79356b
A		 535 return (0);
536}
537
1c79356b 538/* ARGSUSED */
91447636
A		 539int
540setegid(struct proc *p, struct setegid_args *uap, __unused register_t *retval)
1c79356b 541{
1c79356b
A		 542 register gid_t egid;
543 int error;
91447636 544 kauth_cred_t my_cred, my_new_cred;
1c79356b
A		 545
546 egid = uap->egid;
55e303ae 547 AUDIT_ARG(gid, 0, egid, 0, 0);
91447636
A		 548 if (egid != p->p_ucred->cr_rgid && egid != p->p_ucred->cr_svgid &&
549 (error = suser(p->p_ucred, &p->p_acflag)))
1c79356b 550 return (error);
91447636
A		 551
552 /* get current credential and take a reference while we muck with it */
553 for (;;) {
554 my_cred = kauth_cred_proc_ref(p);
555
556 /*
4452a7af
A		 557 * Set the credential with new info. If there is no change,
558 * we get back the same credential we passed in; if there is
559 * a change, we drop the reference on the credential we
560 * passed in. The subsequent compare is safe, because it is
561 * a pointer compare rather than a contents compare.
91447636 562 */
4452a7af 563 my_new_cred = kauth_cred_setegid(my_cred, egid);
91447636
A		 564 if (my_cred != my_new_cred) {
565 proc_lock(p);
566 /* need to protect for a race where another thread also changed
567 * the credential after we took our reference. If p_ucred has
568 * changed then we should restart this again with the new cred.
569 */
570 if (p->p_ucred != my_cred) {
571 proc_unlock(p);
4452a7af 572 kauth_cred_unref(&my_new_cred);
91447636
A		 573 /* try again */
574 continue;
575 }
576 p->p_ucred = my_new_cred;
577 p->p_flag |= P_SUGID;
578 proc_unlock(p);
579 }
4452a7af
A		 580 /* drop old proc reference or our extra reference */
581 kauth_cred_unref(&my_cred);
91447636
A		 582 break;
583 }
584
1c79356b 585 set_security_token(p);
1c79356b
A		 586 return (0);
587}
588
91447636
A		 589/*
590 * Set the per-thread override identity. The first parameter can be the
591 * current real UID, KAUTH_UID_NONE, or, if the caller is priviledged, it
592 * can be any UID. If it is KAUTH_UID_NONE, then as a special case, this
593 * means "revert to the per process credential"; otherwise, if permitted,
594 * it changes the effective, real, and saved UIDs and GIDs for the current
595 * thread to the requested UID and single GID, and clears all other GIDs.
596 */
597int
598settid(struct proc *p, struct settid_args *uap, __unused register_t *retval)
599{
600 kauth_cred_t uc;
601 struct uthread *uthread = get_bsdthread_info(current_thread());
602 register uid_t uid;
603 register gid_t gid;
604
605 uid = uap->uid;
606 gid = uap->gid;
607 AUDIT_ARG(uid, uid, gid, gid, 0);
608
609 if (suser(p->p_ucred, &p->p_acflag) != 0) {
610 return (EPERM);
611 }
612
613 if (uid == KAUTH_UID_NONE) {
614
615 /* must already be assuming another identity in order to revert back */
616 if ((uthread->uu_flag & UT_SETUID) == 0)
617 return (EPERM);
618
619 /* revert to delayed binding of process credential */
620 uc = kauth_cred_proc_ref(p);
4452a7af 621 kauth_cred_unref(&uthread->uu_ucred);
91447636
A		 622 uthread->uu_ucred = uc;
623 uthread->uu_flag &= ~UT_SETUID;
624 } else {
625 kauth_cred_t my_cred, my_new_cred;
626
627 /* cannot already be assuming another identity */
628 if ((uthread->uu_flag & UT_SETUID) != 0) {
629 return (EPERM);
630 }
631
632 /*
633 * get a new credential instance from the old if this one changes else
634 * kauth_cred_setuidgid returns the same credential. we take an extra
635 * reference on the current credential while we muck wit it here.
636 */
637 kauth_cred_ref(uthread->uu_ucred);
638 my_cred = uthread->uu_ucred;
639 my_new_cred = kauth_cred_setuidgid(my_cred, uid, gid);
640 if (my_cred != my_new_cred)
641 uthread->uu_ucred = my_new_cred;
642 uthread->uu_flag |= UT_SETUID;
643
644 /* drop our extra reference */
4452a7af 645 kauth_cred_unref(&my_cred);
91447636
A		 646 }
647 /*
648 * XXX should potentially set per thread security token (there is
649 * XXX none).
650 * XXX it is unclear whether P_SUGID should be st at this point;
651 * XXX in theory, it is being deprecated.
652 */
653 return (0);
654}
655
656/*
657 * Set the per-thread override identity. Use this system call for a thread to
658 * assume the identity of another process or to revert back to normal identity
659 * of the current process.
660 * When the "assume" argument is non zero the current thread will assume the
661 * identity of the process represented by the pid argument.
662 * When the assume argument is zero we revert back to our normal identity.
663 */
664int
665settid_with_pid(struct proc *p, struct settid_with_pid_args *uap, __unused register_t *retval)
666{
667 proc_t target_proc;
668 struct uthread *uthread = get_bsdthread_info(current_thread());
669 kauth_cred_t my_cred, my_target_cred, my_new_cred;
670
671 AUDIT_ARG(pid, uap->pid);
672 AUDIT_ARG(value, uap->assume);
673
674 if (suser(p->p_ucred, &p->p_acflag) != 0) {
675 return (EPERM);
676 }
677
678 /*
679 * XXX should potentially set per thread security token (there is
680 * XXX none).
681 * XXX it is unclear whether P_SUGID should be st at this point;
682 * XXX in theory, it is being deprecated.
683 */
684
685 /*
686 * assume argument tells us to assume the identity of the process with the
687 * id passed in the pid argument.
688 */
689 if (uap->assume != 0) {
690 /* can't do this if we have already assumed an identity */
691 if ((uthread->uu_flag & UT_SETUID) != 0)
692 return (EPERM);
693
694 target_proc = pfind(uap->pid);
695 /* can't assume the identity of the kernel process */
696 if (target_proc == NULL || target_proc == kernproc) {
697 return (ESRCH);
698 }
699
700 /*
701 * take a reference on the credential used in our target process then use
702 * it as the identity for our current thread.
703 */
704 kauth_cred_ref(uthread->uu_ucred);
705 my_cred = uthread->uu_ucred;
706 my_target_cred = kauth_cred_proc_ref(target_proc);
707 my_new_cred = kauth_cred_setuidgid(my_cred, my_target_cred->cr_uid, my_target_cred->cr_gid);
708 if (my_cred != my_new_cred)
709 uthread->uu_ucred = my_new_cred;
710
711 uthread->uu_flag |= UT_SETUID;
712
713 /* drop our extra references */
4452a7af
A		 714 kauth_cred_unref(&my_cred);
715 kauth_cred_unref(&my_target_cred);
91447636
A		 716
717 return (0);
718 }
719
720 /* we are reverting back to normal mode of operation where delayed binding
721 * of the process credential sets the credential in the thread (uu_ucred)
722 */
723 if ((uthread->uu_flag & UT_SETUID) == 0)
724 return (EPERM);
725
726 /* revert to delayed binding of process credential */
727 my_new_cred = kauth_cred_proc_ref(p);
4452a7af 728 kauth_cred_unref(&uthread->uu_ucred);
91447636
A		 729 uthread->uu_ucred = my_new_cred;
730 uthread->uu_flag &= ~UT_SETUID;
731
732 return (0);
733}
1c79356b
A		 734
735/* ARGSUSED */
91447636
A		 736static int
737setgroups1(struct proc *p, u_int gidsetsize, user_addr_t gidset, uid_t gmuid, __unused register_t *retval)
1c79356b 738{
1c79356b 739 register u_int ngrp;
91447636
A		 740 gid_t newgroups[NGROUPS] = { 0 };
741 int error;
742 kauth_cred_t my_cred, my_new_cred;
13fec989 743 struct uthread *uthread = get_bsdthread_info(current_thread());
1c79356b 744
91447636 745 if ((error = suser(p->p_ucred, &p->p_acflag)))
1c79356b 746 return (error);
91447636 747 ngrp = gidsetsize;
55e303ae 748 if (ngrp > NGROUPS)
1c79356b 749 return (EINVAL);
91447636 750
55e303ae
A		 751 if ( ngrp < 1 ) {
752 ngrp = 1;
753 }
754 else {
91447636
A		 755 error = copyin(gidset,
756 (caddr_t)newgroups, ngrp * sizeof(gid_t));
55e303ae 757 if (error) {
55e303ae
A		 758 return (error);
759 }
1c79356b 760 }
91447636 761
13fec989
A		 762 if ((uthread->uu_flag & UT_SETUID) != 0) {
763 /*
764 * If this thread is under an assumed identity, set the
765 * supplementary grouplist on the thread credential instead
766 * of the process one. If we were the only reference holder,
767 * the credential is updated in place, otherwise, our reference
768 * is dropped and we get back a different cred with a reference
769 * already held on it. Because this is per-thread, we don't
770 * need the referencing/locking/retry required for per-process.
771 *
772 * Hack: this opts into memberd to avoid needing to use a per
773 * thread credential initgroups() instead of setgroups() in
774 * AFP server to address <rdar://4561060>
775 */
776 my_cred = uthread->uu_ucred;
777 uthread->uu_ucred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, my_cred->cr_gmuid);
778 } else {
91447636 779
13fec989
A		 780 /*
781 * get current credential and take a reference while we muck
782 * with it
91447636 783 */
13fec989
A		 784 for (;;) {
785 my_cred = kauth_cred_proc_ref(p);
786
787 /*
4452a7af
A		 788 * Set the credential with new info. If there is no
789 * change, we get back the same credential we passed
790 * in; if there is a change, we drop the reference on
791 * the credential we passed in. The subsequent
792 * compare is safe, because it is a pointer compare
793 * rather than a contents compare.
91447636 794 */
13fec989
A		 795 my_new_cred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, gmuid);
796 if (my_cred != my_new_cred) {
797 proc_lock(p);
798 /*
799 * need to protect for a race where another
800 * thread also changed the credential after we
801 * took our reference. If p_ucred has
802 * changed then we should restart this again
803 * with the new cred.
804 */
805 if (p->p_ucred != my_cred) {
806 proc_unlock(p);
4452a7af 807 kauth_cred_unref(&my_new_cred);
13fec989
A		 808 /* try again */
809 continue;
810 }
811 p->p_ucred = my_new_cred;
812 p->p_flag |= P_SUGID;
91447636 813 proc_unlock(p);
91447636 814 }
4452a7af
A		 815 /* drop old proc reference or our extra reference */
816 kauth_cred_unref(&my_cred);
13fec989 817 break;
91447636 818 }
91447636 819
13fec989
A		 820 AUDIT_ARG(groupset, p->p_ucred->cr_groups, ngrp);
821 set_security_token(p);
822 }
91447636 823
1c79356b
A		 824 return (0);
825}
826
91447636
A		 827int
828initgroups(struct proc *p, struct initgroups_args *uap, __unused register_t *retval)
1c79356b 829{
91447636
A		 830 return(setgroups1(p, uap->gidsetsize, uap->gidset, uap->gmuid, retval));
831}
1c79356b 832
91447636
A		 833int
834setgroups(struct proc *p, struct setgroups_args *uap, __unused register_t *retval)
835{
836 return(setgroups1(p, uap->gidsetsize, uap->gidset, KAUTH_UID_NONE, retval));
1c79356b
A		 837}
838
91447636
A		 839/*
840 * Set the per-thread/per-process supplementary groups list.
841 */
842#warning XXX implement
843int
844setsgroups(__unused struct proc *p, __unused struct setsgroups_args *uap, __unused register_t *retval)
1c79356b 845{
91447636
A		 846 return(ENOTSUP);
847}
1c79356b 848
91447636
A		 849/*
850 * Set the per-thread/per-process whiteout groups list.
851 */
852#warning XXX implement
853int
854setwgroups(__unused struct proc *p, __unused struct setwgroups_args *uap, __unused register_t *retval)
855{
856 return(ENOTSUP);
1c79356b 857}
1c79356b
A		 858
859/*
860 * Check if gid is a member of the group set.
91447636
A		 861 *
862 * XXX This interface is going away
1c79356b 863 */
91447636
A		 864int
865groupmember(gid_t gid, kauth_cred_t cred)
1c79356b 866{
91447636 867 int is_member;
1c79356b 868
91447636
A		 869 if (kauth_cred_ismember_gid(cred, gid, &is_member) == 0 && is_member)
870 return (1);
1c79356b
A		 871 return (0);
872}
873
874/*
875 * Test whether the specified credentials imply "super-user"
876 * privilege; if so, and we have accounting info, set the flag
877 * indicating use of super-powers.
878 * Returns 0 or error.
91447636
A		 879 *
880 * XXX This interface is going away
1c79356b 881 */
91447636
A		 882int
883suser(kauth_cred_t cred, u_short *acflag)
1c79356b
A		 884{
885#if DIAGNOSTIC
4452a7af 886 if (!IS_VALID_CRED(cred))
1c79356b
A		 887 panic("suser");
888#endif
91447636 889 if (kauth_cred_getuid(cred) == 0) {
1c79356b
A		 890 if (acflag)
891 *acflag |= ASU;
892 return (0);
893 }
894 return (EPERM);
895}
896
897int
898is_suser(void)
899{
900 struct proc *p = current_proc();
901
902 if (!p)
903 return (0);
904
905 return (suser(p->p_ucred, &p->p_acflag) == 0);
906}
907
908int
909is_suser1(void)
910{
911 struct proc *p = current_proc();
912
913 if (!p)
914 return (0);
915
916 return (suser(p->p_ucred, &p->p_acflag) == 0 ||
91447636 917 p->p_ucred->cr_ruid == 0 || p->p_ucred->cr_svuid == 0);
55e303ae
A		 918}
919
1c79356b
A		 920/*
921 * Get login name, if available.
922 */
1c79356b 923/* ARGSUSED */
91447636
A		 924int
925getlogin(struct proc *p, struct getlogin_args *uap, __unused register_t *retval)
1c79356b
A		 926{
927
928 if (uap->namelen > sizeof (p->p_pgrp->pg_session->s_login))
929 uap->namelen = sizeof (p->p_pgrp->pg_session->s_login);
930 return (copyout((caddr_t) p->p_pgrp->pg_session->s_login,
91447636 931 uap->namebuf, uap->namelen));
1c79356b
A		 932}
933
934/*
935 * Set login name.
936 */
1c79356b 937/* ARGSUSED */
91447636
A		 938int
939setlogin(struct proc *p, struct setlogin_args *uap, __unused register_t *retval)
1c79356b
A		 940{
941 int error;
942 int dummy=0;
943
91447636 944 if ((error = suser(p->p_ucred, &p->p_acflag)))
1c79356b
A		 945 return (error);
946
91447636 947 error = copyinstr(uap->namebuf,
1c79356b
A		 948 (caddr_t) p->p_pgrp->pg_session->s_login,
949 sizeof (p->p_pgrp->pg_session->s_login) - 1, (size_t *)&dummy);
91447636 950 if (!error)
e5568f75
A		 951 AUDIT_ARG(text, p->p_pgrp->pg_session->s_login);
952 else if (error == ENAMETOOLONG)
1c79356b
A		 953 error = EINVAL;
954 return (error);
955}
956
957
958/* Set the secrity token of the task with current euid and eguid */
91447636
A		 959/*
960 * XXX This needs to change to give the task a reference and/or an opaque
961 * XXX identifier.
962 */
963int
1c79356b
A		 964set_security_token(struct proc * p)
965{
966 security_token_t sec_token;
55e303ae 967 audit_token_t audit_token;
1c79356b 968
91447636
A		 969 /*
970 * Don't allow a vfork child to override the parent's token settings
971 * (since they share a task). Instead, the child will just have to
972 * suffer along using the parent's token until the exec(). It's all
973 * undefined behavior anyway, right?
974 */
975 if (p->task == current_task()) {
976 uthread_t uthread;
977 uthread = (uthread_t)get_bsdthread_info(current_thread());
978 if (uthread->uu_flag & UT_VFORK)
979 return (1);
980 }
981
982 /* XXX mach_init doesn't have a p_ucred when it calls this function */
4452a7af 983 if (IS_VALID_CRED(p->p_ucred)) {
91447636
A		 984 sec_token.val[0] = kauth_cred_getuid(p->p_ucred);
985 sec_token.val[1] = p->p_ucred->cr_gid;
986 } else {
987 sec_token.val[0] = 0;
988 sec_token.val[1] = 0;
989 }
e5568f75
A		 990
991 /*
992 * The current layout of the Mach audit token explicitly
993 * adds these fields. But nobody should rely on such
994 * a literal representation. Instead, the BSM library
995 * provides a function to convert an audit token into
996 * a BSM subject. Use of that mechanism will isolate
997 * the user of the trailer from future representation
998 * changes.
999 */
91447636 1000 audit_token.val[0] = p->p_ucred->cr_au.ai_auid;
e5568f75 1001 audit_token.val[1] = p->p_ucred->cr_uid;
91447636
A		 1002 audit_token.val[2] = p->p_ucred->cr_gid;
1003 audit_token.val[3] = p->p_ucred->cr_ruid;
1004 audit_token.val[4] = p->p_ucred->cr_rgid;
e5568f75 1005 audit_token.val[5] = p->p_pid;
91447636
A		 1006 audit_token.val[6] = p->p_ucred->cr_au.ai_asid;
1007 audit_token.val[7] = p->p_ucred->cr_au.ai_termid.port;
e5568f75 1008
91447636 1009 return (host_security_set_task_token(host_security_self(),
1c79356b
A		 1010 p->task,
1011 sec_token,
55e303ae 1012 audit_token,
1c79356b 1013 (sec_token.val[0]) ?
55e303ae 1014 HOST_PRIV_NULL :
91447636 1015 host_priv_self()) != KERN_SUCCESS);
1c79356b 1016}
55e303ae
A		 1017
1018
1019/*
91447636 1020 * Fill in a struct xucred based on a kauth_cred_t.
55e303ae
A		 1021 */
1022__private_extern__
1023void
91447636 1024cru2x(kauth_cred_t cr, struct xucred *xcr)
55e303ae
A		 1025{
1026
1027 bzero(xcr, sizeof(*xcr));
1028 xcr->cr_version = XUCRED_VERSION;
91447636 1029 xcr->cr_uid = kauth_cred_getuid(cr);
55e303ae
A		 1030 xcr->cr_ngroups = cr->cr_ngroups;
1031 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(xcr->cr_groups));
1032}
mirror of XNU