2 * Copyright (c) 2000-2008 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
29 * Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved
32 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
33 * The Regents of the University of California. All rights reserved.
34 * (c) UNIX System Laboratories, Inc.
35 * All or some portions of this file are derived from material licensed
36 * to the University of California by American Telephone and Telegraph
37 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
38 * the permission of UNIX System Laboratories, Inc.
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
43 * 1. Redistributions of source code must retain the above copyright
44 * notice, this list of conditions and the following disclaimer.
45 * 2. Redistributions in binary form must reproduce the above copyright
46 * notice, this list of conditions and the following disclaimer in the
47 * documentation and/or other materials provided with the distribution.
48 * 3. All advertising materials mentioning features or use of this software
49 * must display the following acknowledgement:
50 * This product includes software developed by the University of
51 * California, Berkeley and its contributors.
52 * 4. Neither the name of the University nor the names of its contributors
53 * may be used to endorse or promote products derived from this software
54 * without specific prior written permission.
56 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
57 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
58 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
59 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
60 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
61 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
62 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
63 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
64 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
65 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
68 * @(#)kern_prot.c 8.9 (Berkeley) 2/14/95
71 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
72 * support for mandatory and extensible security protections. This notice
73 * is included in support of clause 2.2 (b) of the Apple Public License,
77 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
78 * support for mandatory and extensible security protections. This notice
79 * is included in support of clause 2.2 (b) of the Apple Public License,
85 * System calls related to processes and protection
88 #include <sys/param.h>
90 #include <sys/systm.h>
91 #include <sys/ucred.h>
92 #include <sys/proc_internal.h>
94 #include <sys/kauth.h>
95 #include <sys/timeb.h>
96 #include <sys/times.h>
97 #include <sys/malloc.h>
99 #include <security/audit/audit.h>
102 #include <sys/lctx.h>
106 #include <security/mac_framework.h>
108 #include <secuity/mac_mach_internal.h>
112 #include <sys/mount_internal.h>
113 #include <sys/sysproto.h>
114 #include <mach/message.h>
115 #include <mach/host_security.h>
117 #include <kern/host.h>
118 #include <kern/task.h> /* for current_task() */
119 #include <kern/assert.h>
123 * Credential debugging; we can track entry into a function that might
124 * change a credential, and we can track actual credential changes that
127 * Note: Does *NOT* currently include per-thread credential changes
129 * We don't use kauth_cred_print() in current debugging, but it
130 * can be used if needed when debugging is active.
133 #define DEBUG_CRED_ENTER printf
134 #define DEBUG_CRED_CHANGE printf
135 extern void kauth_cred_print(kauth_cred_t cred
);
136 #else /* !DEBUG_CRED */
137 #define DEBUG_CRED_ENTER(fmt, ...) do {} while (0)
138 #define DEBUG_CRED_CHANGE(fmt, ...) do {} while (0)
139 #endif /* !DEBUG_CRED */
146 * Description: (dis)allow this process to hold task, thread, or execption
147 * ports of processes about to exec.
149 * Parameters: uap->flag New value for flag
151 * Returns: int Previous value of flag
153 * XXX: Belongs in kern_proc.c
156 setprivexec(proc_t p
, struct setprivexec_args
*uap
, int32_t *retval
)
158 AUDIT_ARG(value32
, uap
->flag
);
159 *retval
= p
->p_debugger
;
160 p
->p_debugger
= (uap
->flag
!= 0);
168 * Description: get the process ID
172 * Returns: pid_t Current process ID
174 * XXX: Belongs in kern_proc.c
177 getpid(proc_t p
, __unused
struct getpid_args
*uap
, int32_t *retval
)
188 * Description: get the parent process ID
192 * Returns: pid_t Parent process ID
194 * XXX: Belongs in kern_proc.c
197 getppid(proc_t p
, __unused
struct getppid_args
*uap
, int32_t *retval
)
208 * Description: get the process group ID of the calling process
212 * Returns: pid_t Process group ID
214 * XXX: Belongs in kern_proc.c
217 getpgrp(proc_t p
, __unused
struct getpgrp_args
*uap
, int32_t *retval
)
220 *retval
= p
->p_pgrpid
;
228 * Description: Get an arbitary pid's process group id
230 * Parameters: uap->pid The target pid
233 * ESRCH No such process
235 * Notes: We are permitted to return EPERM in the case that the target
236 * process is not in the same session as the calling process,
237 * which could be a security consideration
239 * XXX: Belongs in kern_proc.c
242 getpgid(proc_t p
, struct getpgid_args
*uap
, int32_t *retval
)
251 if ((pt
= proc_find(uap
->pid
)) == 0)
255 *retval
= pt
->p_pgrpid
;
265 * Description: Get an arbitary pid's session leaders process group ID
267 * Parameters: uap->pid The target pid
270 * ESRCH No such process
272 * Notes: We are permitted to return EPERM in the case that the target
273 * process is not in the same session as the calling process,
274 * which could be a security consideration
276 * XXX: Belongs in kern_proc.c
279 getsid(proc_t p
, struct getsid_args
*uap
, int32_t *retval
)
283 struct session
* sessp
;
289 if ((pt
= proc_find(uap
->pid
)) == 0)
293 sessp
= proc_session(pt
);
294 *retval
= sessp
->s_sid
;
306 * Description: get real user ID for caller
310 * Returns: uid_t The real uid of the caller
313 getuid(__unused proc_t p
, __unused
struct getuid_args
*uap
, int32_t *retval
)
316 *retval
= kauth_getruid();
324 * Description: get effective user ID for caller
328 * Returns: uid_t The effective uid of the caller
331 geteuid(__unused proc_t p
, __unused
struct geteuid_args
*uap
, int32_t *retval
)
334 *retval
= kauth_getuid();
342 * Description: Return the per-thread override identity.
344 * Parameters: uap->uidp Address of uid_t to get uid
345 * uap->gidp Address of gid_t to get gid
348 * ESRCH No per thread identity active
351 gettid(__unused proc_t p
, struct gettid_args
*uap
, int32_t *retval
)
353 struct uthread
*uthread
= get_bsdthread_info(current_thread());
357 * If this thread is not running with an override identity, we can't
358 * return one to the caller, so return an error instead.
360 if (!(uthread
->uu_flag
& UT_SETUID
))
363 if ((error
= suword(uap
->uidp
, kauth_cred_getruid(uthread
->uu_ucred
))))
365 if ((error
= suword(uap
->gidp
, kauth_cred_getrgid(uthread
->uu_ucred
))))
376 * Description: get the real group ID for the calling process
380 * Returns: gid_t The real gid of the caller
383 getgid(__unused proc_t p
, __unused
struct getgid_args
*uap
, int32_t *retval
)
386 *retval
= kauth_getrgid();
394 * Description: get the effective group ID for the calling process
398 * Returns: gid_t The effective gid of the caller
400 * Notes: As an implementation detail, the effective gid is stored as
401 * the first element of the supplementary group list.
403 * This could be implemented in Libc instead because of the above
407 getegid(__unused proc_t p
, __unused
struct getegid_args
*uap
, int32_t *retval
)
410 *retval
= kauth_getgid();
418 * Description: get the list of supplementary groups for the calling process
420 * Parameters: uap->gidsetsize # of gid_t's in user buffer
421 * uap->gidset Pointer to user buffer
424 * EINVAL User buffer too small
425 * copyout:EFAULT User buffer invalid
430 * Notes: The caller may specify a 0 value for gidsetsize, and we will
431 * then return how large a buffer is required (in gid_t's) to
432 * contain the answer at the time of the call. Otherwise, we
433 * return the number of gid_t's catually copied to user space.
435 * When called with a 0 gidsetsize from a multithreaded program,
436 * there is no guarantee that another thread may not change the
437 * number of supplementary groups, and therefore a subsequent
438 * call could still fail, unless the maximum possible buffer
439 * size is supplied by the user.
441 * As an implementation detail, the effective gid is stored as
442 * the first element of the supplementary group list, and will
443 * be returned by this call.
446 getgroups(__unused proc_t p
, struct getgroups_args
*uap
, int32_t *retval
)
453 /* grab reference while we muck around with the credential */
454 cred
= kauth_cred_get_with_ref();
455 pcred
= posix_cred_get(cred
);
457 if ((ngrp
= uap
->gidsetsize
) == 0) {
458 *retval
= pcred
->cr_ngroups
;
459 kauth_cred_unref(&cred
);
462 if (ngrp
< pcred
->cr_ngroups
) {
463 kauth_cred_unref(&cred
);
466 ngrp
= pcred
->cr_ngroups
;
467 if ((error
= copyout((caddr_t
)pcred
->cr_groups
,
469 ngrp
* sizeof(gid_t
)))) {
470 kauth_cred_unref(&cred
);
473 kauth_cred_unref(&cred
);
480 * Return the per-thread/per-process supplementary groups list.
482 * XXX implement getsgroups
487 getsgroups(__unused proc_t p
, __unused
struct getsgroups_args
*uap
, __unused
int32_t *retval
)
493 * Return the per-thread/per-process whiteout groups list.
495 * XXX implement getwgroups
500 getwgroups(__unused proc_t p
, __unused
struct getwgroups_args
*uap
, __unused
int32_t *retval
)
509 * Description: Create a new session and set the process group ID to the
515 * EPERM Permission denied
517 * Notes: If the calling process is not the process group leader; there
518 * is no existing process group with its ID, and we are not
519 * currently in vfork, then this function will create a new
520 * session, a new process group, and put the caller in the
521 * process group (as the sole member) and make it the session
522 * leader (as the sole process in the session).
524 * The existing controlling tty (if any) will be dissociated
525 * from the process, and the next non-O_NOCTTY open of a tty
526 * will establish a new controlling tty.
528 * XXX: Belongs in kern_proc.c
531 setsid(proc_t p
, __unused
struct setsid_args
*uap
, int32_t *retval
)
533 struct pgrp
* pg
= PGRP_NULL
;
535 if (p
->p_pgrpid
== p
->p_pid
|| (pg
= pgfind(p
->p_pid
)) || p
->p_lflag
& P_LINVFORK
) {
540 /* enter pgrp works with its own pgrp refcount */
541 (void)enterpgrp(p
, p
->p_pid
, 1);
551 * Description: set process group ID for job control
553 * Parameters: uap->pid Process to change
554 * uap->pgid Process group to join or create
557 * ESRCH pid is not the caller or a child of
559 * enterpgrp:ESRCH No such process
560 * EACCES Permission denied due to exec
561 * EINVAL Invalid argument
562 * EPERM The target process is not in the same
563 * session as the calling process
564 * EPERM The target process is a session leader
565 * EPERM pid and pgid are not the same, and
566 * there is no process in the calling
567 * process whose process group ID matches
570 * Notes: This function will cause the target process to either join
571 * an existing process process group, or create a new process
572 * group in the session of the calling process. It cannot be
573 * used to change the process group ID of a process which is
574 * already a session leader.
576 * If the target pid is 0, the pid of the calling process is
577 * substituted as the new target; if pgid is 0, the target pid
578 * is used as the target process group ID.
580 * Legacy: This system call entry point is also used to implement the
581 * legacy library routine setpgrp(), which under POSIX
583 * XXX: Belongs in kern_proc.c
586 setpgid(proc_t curp
, register struct setpgid_args
*uap
, __unused
int32_t *retval
)
588 proc_t targp
= PROC_NULL
; /* target process */
589 struct pgrp
*pg
= PGRP_NULL
; /* target pgrp */
593 struct session
* curp_sessp
= SESSION_NULL
;
594 struct session
* targp_sessp
= SESSION_NULL
;
596 curp_sessp
= proc_session(curp
);
598 if (uap
->pid
!= 0 && uap
->pid
!= curp
->p_pid
) {
599 if ((targp
= proc_find(uap
->pid
)) == 0 || !inferior(targp
)) {
600 if (targp
!= PROC_NULL
)
606 targp_sessp
= proc_session(targp
);
607 if (targp_sessp
!= curp_sessp
) {
611 if (targp
->p_flag
& P_EXEC
) {
617 targp_sessp
= proc_session(targp
);
620 if (SESS_LEADER(targp
, targp_sessp
)) {
624 if (targp_sessp
!= SESSION_NULL
) {
625 session_rele(targp_sessp
);
626 targp_sessp
= SESSION_NULL
;
634 uap
->pgid
= targp
->p_pid
;
635 else if (uap
->pgid
!= targp
->p_pid
) {
636 if ((pg
= pgfind(uap
->pgid
)) == 0){
640 samesess
= (pg
->pg_session
!= curp_sessp
);
647 error
= enterpgrp(targp
, uap
->pgid
, 0);
649 if (targp_sessp
!= SESSION_NULL
)
650 session_rele(targp_sessp
);
651 if (curp_sessp
!= SESSION_NULL
)
652 session_rele(curp_sessp
);
662 * Description: Is current process tainted by uid or gid changes system call
666 * Returns: 0 Not tainted
669 * Notes: A process is considered tainted if it was created as a retult
670 * of an execve call from an imnage that had either the SUID or
671 * SGID bit set on the executable, or if it has changed any of its
672 * real, effective, or saved user or group IDs since beginning
676 issetugid(proc_t p
, __unused
struct issetugid_args
*uap
, int32_t *retval
)
679 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
680 * we use P_SUGID because we consider changing the owners as
681 * "tainting" as well.
682 * This is significant for procs that start as root and "become"
683 * a user without an exec - programs cannot know *everything*
684 * that libc *might* have put in their data segment.
687 *retval
= (p
->p_flag
& P_SUGID
) ? 1 : 0;
695 * Description: Set user ID system call
697 * Parameters: uap->uid uid to set
700 * suser:EPERM Permission denied
702 * Notes: If called by a privileged process, this function will set the
703 * real, effective, and saved uid to the requested value.
705 * If called from an unprivileged process, but uid is equal to the
706 * real or saved uid, then the effective uid will be set to the
707 * requested value, but the real and saved uid will not change.
709 * If the credential is changed as a result of this call, then we
710 * flag the process as having set privilege since the last exec.
713 setuid(proc_t p
, struct setuid_args
*uap
, __unused
int32_t *retval
)
716 uid_t svuid
= KAUTH_UID_NONE
;
717 uid_t ruid
= KAUTH_UID_NONE
;
718 uid_t gmuid
= KAUTH_UID_NONE
;
720 kauth_cred_t my_cred
, my_new_cred
;
721 posix_cred_t my_pcred
;
726 my_cred
= kauth_cred_proc_ref(p
);
727 my_pcred
= posix_cred_get(my_cred
);
729 DEBUG_CRED_ENTER("setuid (%d/%d): %p %d\n", p
->p_pid
, (p
->p_pptr
? p
->p_pptr
->p_pid
: 0), my_cred
, uap
->uid
);
732 if (uid
!= my_pcred
->cr_ruid
&& /* allow setuid(getuid()) */
733 uid
!= my_pcred
->cr_svuid
&& /* allow setuid(saved uid) */
734 (error
= suser(my_cred
, &p
->p_acflag
))) {
735 kauth_cred_unref(&my_cred
);
739 * Everything's okay, do it.
743 * If we are priviledged, then set the saved and real UID too;
744 * otherwise, just set the effective UID
746 if (suser(my_cred
, &p
->p_acflag
) == 0) {
750 * Transfer proc count to new user.
751 * chgproccnt uses list lock for protection
753 (void)chgproccnt(uid
, 1);
754 (void)chgproccnt(my_pcred
->cr_ruid
, -1);
757 /* get current credential and take a reference while we muck with it */
760 * Only set the gmuid if the current cred has not opt'ed out;
761 * this normally only happens when calling setgroups() instead
762 * of initgroups() to set an explicit group list, or one of the
763 * other group manipulation functions is invoked and results in
764 * a dislocation (i.e. the credential group membership changes
765 * to something other than the default list for the user, as
766 * in entering a group or leaving an exclusion group).
768 if (!(my_pcred
->cr_flags
& CRF_NOMEMBERD
))
772 * Set the credential with new info. If there is no change,
773 * we get back the same credential we passed in; if there is
774 * a change, we drop the reference on the credential we
775 * passed in. The subsequent compare is safe, because it is
776 * a pointer compare rather than a contents compare.
778 my_new_cred
= kauth_cred_setresuid(my_cred
, ruid
, uid
, svuid
, gmuid
);
779 if (my_cred
!= my_new_cred
) {
781 DEBUG_CRED_CHANGE("setuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
785 * We need to protect for a race where another thread
786 * also changed the credential after we took our
787 * reference. If p_ucred has changed then we should
788 * restart this again with the new cred.
790 if (p
->p_ucred
!= my_cred
) {
792 kauth_cred_unref(&my_new_cred
);
793 my_cred
= kauth_cred_proc_ref(p
);
797 p
->p_ucred
= my_new_cred
;
798 /* update cred on proc */
799 PROC_UPDATE_CREDS_ONPROC(p
);
801 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
806 /* Drop old proc reference or our extra reference */
807 kauth_cred_unref(&my_cred
);
809 set_security_token(p
);
817 * Description: Set effective user ID system call
819 * Parameters: uap->euid effective uid to set
822 * suser:EPERM Permission denied
824 * Notes: If called by a privileged process, or called from an
825 * unprivileged process but euid is equal to the real or saved
826 * uid, then the effective uid will be set to the requested
827 * value, but the real and saved uid will not change.
829 * If the credential is changed as a result of this call, then we
830 * flag the process as having set privilege since the last exec.
833 seteuid(proc_t p
, struct seteuid_args
*uap
, __unused
int32_t *retval
)
837 kauth_cred_t my_cred
, my_new_cred
;
838 posix_cred_t my_pcred
;
840 DEBUG_CRED_ENTER("seteuid: %d\n", uap
->euid
);
843 AUDIT_ARG(euid
, euid
);
845 my_cred
= kauth_cred_proc_ref(p
);
846 my_pcred
= posix_cred_get(my_cred
);
848 if (euid
!= my_pcred
->cr_ruid
&& euid
!= my_pcred
->cr_svuid
&&
849 (error
= suser(my_cred
, &p
->p_acflag
))) {
850 kauth_cred_unref(&my_cred
);
855 * Everything's okay, do it. Copy credentials so other references do
856 * not see our changes. get current credential and take a reference
857 * while we muck with it
861 * Set the credential with new info. If there is no change,
862 * we get back the same credential we passed in; if there is
863 * a change, we drop the reference on the credential we
864 * passed in. The subsequent compare is safe, because it is
865 * a pointer compare rather than a contents compare.
867 my_new_cred
= kauth_cred_setresuid(my_cred
, KAUTH_UID_NONE
, euid
, KAUTH_UID_NONE
, my_pcred
->cr_gmuid
);
869 if (my_cred
!= my_new_cred
) {
871 DEBUG_CRED_CHANGE("seteuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
875 * We need to protect for a race where another thread
876 * also changed the credential after we took our
877 * reference. If p_ucred has changed then we
878 * should restart this again with the new cred.
880 if (p
->p_ucred
!= my_cred
) {
882 kauth_cred_unref(&my_new_cred
);
883 my_cred
= kauth_cred_proc_ref(p
);
887 p
->p_ucred
= my_new_cred
;
888 /* update cred on proc */
889 PROC_UPDATE_CREDS_ONPROC(p
);
890 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
895 /* drop old proc reference or our extra reference */
896 kauth_cred_unref(&my_cred
);
898 set_security_token(p
);
906 * Description: Set real and effective user ID system call
908 * Parameters: uap->ruid real uid to set
909 * uap->euid effective uid to set
912 * suser:EPERM Permission denied
914 * Notes: A value of -1 is a special case indicating that the uid for
915 * which that value is specified not be changed. If both values
916 * are specified as -1, no action is taken.
918 * If called by a privileged process, the real and effective uid
919 * will be set to the new value(s) specified.
921 * If called from an unprivileged process, the real uid may be
922 * set to the current value of the real uid, or to the current
923 * value of the saved uid. The effective uid may be set to the
924 * current value of any of the effective, real, or saved uid.
926 * If the newly requested real uid or effective uid does not
927 * match the saved uid, then set the saved uid to the new
928 * effective uid (potentially unrecoverably dropping saved
931 * If the credential is changed as a result of this call, then we
932 * flag the process as having set privilege since the last exec.
935 setreuid(proc_t p
, struct setreuid_args
*uap
, __unused
int32_t *retval
)
939 kauth_cred_t my_cred
, my_new_cred
;
940 posix_cred_t my_pcred
;
942 DEBUG_CRED_ENTER("setreuid %d %d\n", uap
->ruid
, uap
->euid
);
946 if (ruid
== (uid_t
)-1)
947 ruid
= KAUTH_UID_NONE
;
948 if (euid
== (uid_t
)-1)
949 euid
= KAUTH_UID_NONE
;
950 AUDIT_ARG(euid
, euid
);
951 AUDIT_ARG(ruid
, ruid
);
953 my_cred
= kauth_cred_proc_ref(p
);
954 my_pcred
= posix_cred_get(my_cred
);
956 if (((ruid
!= KAUTH_UID_NONE
&& /* allow no change of ruid */
957 ruid
!= my_pcred
->cr_ruid
&& /* allow ruid = ruid */
958 ruid
!= my_pcred
->cr_uid
&& /* allow ruid = euid */
959 ruid
!= my_pcred
->cr_svuid
) || /* allow ruid = svuid */
960 (euid
!= KAUTH_UID_NONE
&& /* allow no change of euid */
961 euid
!= my_pcred
->cr_uid
&& /* allow euid = euid */
962 euid
!= my_pcred
->cr_ruid
&& /* allow euid = ruid */
963 euid
!= my_pcred
->cr_svuid
)) && /* allow euid = svui */
964 (error
= suser(my_cred
, &p
->p_acflag
))) { /* allow root user any */
965 kauth_cred_unref(&my_cred
);
970 * Everything's okay, do it. Copy credentials so other references do
971 * not see our changes. get current credential and take a reference
972 * while we muck with it
977 uid_t svuid
= KAUTH_UID_NONE
;
979 new_euid
= my_pcred
->cr_uid
;
980 new_ruid
= my_pcred
->cr_ruid
;
983 * Set the credential with new info. If there is no change,
984 * we get back the same credential we passed in; if there is
985 * a change, we drop the reference on the credential we
986 * passed in. The subsequent compare is safe, because it is
987 * a pointer compare rather than a contents compare.
989 if (euid
== KAUTH_UID_NONE
&& my_pcred
->cr_uid
!= euid
) {
990 /* changing the effective UID */
992 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
994 if (ruid
!= KAUTH_UID_NONE
&& my_pcred
->cr_ruid
!= ruid
) {
995 /* changing the real UID; must do user accounting */
996 /* chgproccnt uses list lock for protection */
997 (void)chgproccnt(ruid
, 1);
998 (void)chgproccnt(my_pcred
->cr_ruid
, -1);
1000 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1003 * If the newly requested real uid or effective uid does
1004 * not match the saved uid, then set the saved uid to the
1005 * new effective uid. We are protected from escalation
1006 * by the prechecking.
1008 if (my_pcred
->cr_svuid
!= uap
->ruid
&&
1009 my_pcred
->cr_svuid
!= uap
->euid
) {
1011 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1014 my_new_cred
= kauth_cred_setresuid(my_cred
, ruid
, euid
, svuid
, my_pcred
->cr_gmuid
);
1016 if (my_cred
!= my_new_cred
) {
1018 DEBUG_CRED_CHANGE("setreuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
1022 * We need to protect for a race where another thread
1023 * also changed the credential after we took our
1024 * reference. If p_ucred has changed then we should
1025 * restart this again with the new cred.
1027 if (p
->p_ucred
!= my_cred
) {
1029 kauth_cred_unref(&my_new_cred
);
1030 my_cred
= kauth_cred_proc_ref(p
);
1034 p
->p_ucred
= my_new_cred
;
1035 /* update cred on proc */
1036 PROC_UPDATE_CREDS_ONPROC(p
);
1037 OSBitOrAtomic(P_SUGID
, &p
->p_flag
); /* XXX redundant? */
1042 /* drop old proc reference or our extra reference */
1043 kauth_cred_unref(&my_cred
);
1045 set_security_token(p
);
1053 * Description: Set group ID system call
1055 * Parameters: uap->gid gid to set
1057 * Returns: 0 Success
1058 * suser:EPERM Permission denied
1060 * Notes: If called by a privileged process, this function will set the
1061 * real, effective, and saved gid to the requested value.
1063 * If called from an unprivileged process, but gid is equal to the
1064 * real or saved gid, then the effective gid will be set to the
1065 * requested value, but the real and saved gid will not change.
1067 * If the credential is changed as a result of this call, then we
1068 * flag the process as having set privilege since the last exec.
1070 * As an implementation detail, the effective gid is stored as
1071 * the first element of the supplementary group list, and
1072 * therefore the effective group list may be reordered to keep
1073 * the supplementary group list unchanged.
1076 setgid(proc_t p
, struct setgid_args
*uap
, __unused
int32_t *retval
)
1079 gid_t rgid
= KAUTH_GID_NONE
;
1080 gid_t svgid
= KAUTH_GID_NONE
;
1082 kauth_cred_t my_cred
, my_new_cred
;
1083 posix_cred_t my_pcred
;
1085 DEBUG_CRED_ENTER("setgid(%d/%d): %d\n", p
->p_pid
, (p
->p_pptr
? p
->p_pptr
->p_pid
: 0), uap
->gid
);
1088 AUDIT_ARG(gid
, gid
);
1090 my_cred
= kauth_cred_proc_ref(p
);
1091 my_pcred
= posix_cred_get(my_cred
);
1093 if (gid
!= my_pcred
->cr_rgid
&& /* allow setgid(getgid()) */
1094 gid
!= my_pcred
->cr_svgid
&& /* allow setgid(saved gid) */
1095 (error
= suser(my_cred
, &p
->p_acflag
))) {
1096 kauth_cred_unref(&my_cred
);
1101 * If we are priviledged, then set the saved and real GID too;
1102 * otherwise, just set the effective GID
1104 if (suser(my_cred
, &p
->p_acflag
) == 0) {
1109 /* get current credential and take a reference while we muck with it */
1113 * Set the credential with new info. If there is no change,
1114 * we get back the same credential we passed in; if there is
1115 * a change, we drop the reference on the credential we
1116 * passed in. The subsequent compare is safe, because it is
1117 * a pointer compare rather than a contents compare.
1119 my_new_cred
= kauth_cred_setresgid(my_cred
, rgid
, gid
, svgid
);
1120 if (my_cred
!= my_new_cred
) {
1122 DEBUG_CRED_CHANGE("setgid(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_cred
->cr_flags
, my_new_cred
, my_new_cred
->cr_flags
);
1126 * We need to protect for a race where another thread
1127 * also changed the credential after we took our
1128 * reference. If p_ucred has changed then we
1129 * should restart this again with the new cred.
1131 if (p
->p_ucred
!= my_cred
) {
1133 kauth_cred_unref(&my_new_cred
);
1135 my_cred
= kauth_cred_proc_ref(p
);
1138 p
->p_ucred
= my_new_cred
;
1139 /* update cred on proc */
1140 PROC_UPDATE_CREDS_ONPROC(p
);
1141 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1146 /* Drop old proc reference or our extra reference */
1147 kauth_cred_unref(&my_cred
);
1149 set_security_token(p
);
1157 * Description: Set effective group ID system call
1159 * Parameters: uap->egid effective gid to set
1161 * Returns: 0 Success
1164 * Notes: If called by a privileged process, or called from an
1165 * unprivileged process but egid is equal to the real or saved
1166 * gid, then the effective gid will be set to the requested
1167 * value, but the real and saved gid will not change.
1169 * If the credential is changed as a result of this call, then we
1170 * flag the process as having set privilege since the last exec.
1172 * As an implementation detail, the effective gid is stored as
1173 * the first element of the supplementary group list, and
1174 * therefore the effective group list may be reordered to keep
1175 * the supplementary group list unchanged.
1178 setegid(proc_t p
, struct setegid_args
*uap
, __unused
int32_t *retval
)
1182 kauth_cred_t my_cred
, my_new_cred
;
1183 posix_cred_t my_pcred
;
1185 DEBUG_CRED_ENTER("setegid %d\n", uap
->egid
);
1188 AUDIT_ARG(egid
, egid
);
1190 my_cred
= kauth_cred_proc_ref(p
);
1191 my_pcred
= posix_cred_get(my_cred
);
1193 if (egid
!= my_pcred
->cr_rgid
&&
1194 egid
!= my_pcred
->cr_svgid
&&
1195 (error
= suser(my_cred
, &p
->p_acflag
))) {
1196 kauth_cred_unref(&my_cred
);
1200 /* get current credential and take a reference while we muck with it */
1203 * Set the credential with new info. If there is no change,
1204 * we get back the same credential we passed in; if there is
1205 * a change, we drop the reference on the credential we
1206 * passed in. The subsequent compare is safe, because it is
1207 * a pointer compare rather than a contents compare.
1209 my_new_cred
= kauth_cred_setresgid(my_cred
, KAUTH_GID_NONE
, egid
, KAUTH_GID_NONE
);
1210 if (my_cred
!= my_new_cred
) {
1212 DEBUG_CRED_CHANGE("setegid(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
1216 * We need to protect for a race where another thread
1217 * also changed the credential after we took our
1218 * reference. If p_ucred has changed then we
1219 * should restart this again with the new cred.
1221 if (p
->p_ucred
!= my_cred
) {
1223 kauth_cred_unref(&my_new_cred
);
1225 my_cred
= kauth_cred_proc_ref(p
);
1228 p
->p_ucred
= my_new_cred
;
1229 /* update cred on proc */
1230 PROC_UPDATE_CREDS_ONPROC(p
);
1231 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1237 /* Drop old proc reference or our extra reference */
1238 kauth_cred_unref(&my_cred
);
1240 set_security_token(p
);
1247 * Description: Set real and effective group ID system call
1249 * Parameters: uap->rgid real gid to set
1250 * uap->egid effective gid to set
1252 * Returns: 0 Success
1253 * suser:EPERM Permission denied
1255 * Notes: A value of -1 is a special case indicating that the gid for
1256 * which that value is specified not be changed. If both values
1257 * are specified as -1, no action is taken.
1259 * If called by a privileged process, the real and effective gid
1260 * will be set to the new value(s) specified.
1262 * If called from an unprivileged process, the real gid may be
1263 * set to the current value of the real gid, or to the current
1264 * value of the saved gid. The effective gid may be set to the
1265 * current value of any of the effective, real, or saved gid.
1267 * If the new real and effective gid will not be equal, or the
1268 * new real or effective gid is not the same as the saved gid,
1269 * then the saved gid will be updated to reflect the new
1270 * effective gid (potentially unrecoverably dropping saved
1273 * If the credential is changed as a result of this call, then we
1274 * flag the process as having set privilege since the last exec.
1276 * As an implementation detail, the effective gid is stored as
1277 * the first element of the supplementary group list, and
1278 * therefore the effective group list may be reordered to keep
1279 * the supplementary group list unchanged.
1282 setregid(proc_t p
, struct setregid_args
*uap
, __unused
int32_t *retval
)
1286 kauth_cred_t my_cred
, my_new_cred
;
1287 posix_cred_t my_pcred
;
1289 DEBUG_CRED_ENTER("setregid %d %d\n", uap
->rgid
, uap
->egid
);
1294 if (rgid
== (uid_t
)-1)
1295 rgid
= KAUTH_GID_NONE
;
1296 if (egid
== (uid_t
)-1)
1297 egid
= KAUTH_GID_NONE
;
1298 AUDIT_ARG(egid
, egid
);
1299 AUDIT_ARG(rgid
, rgid
);
1301 my_cred
= kauth_cred_proc_ref(p
);
1302 my_pcred
= posix_cred_get(my_cred
);
1304 if (((rgid
!= KAUTH_UID_NONE
&& /* allow no change of rgid */
1305 rgid
!= my_pcred
->cr_rgid
&& /* allow rgid = rgid */
1306 rgid
!= my_pcred
->cr_gid
&& /* allow rgid = egid */
1307 rgid
!= my_pcred
->cr_svgid
) || /* allow rgid = svgid */
1308 (egid
!= KAUTH_UID_NONE
&& /* allow no change of egid */
1309 egid
!= my_pcred
->cr_groups
[0] && /* allow no change of egid */
1310 egid
!= my_pcred
->cr_gid
&& /* allow egid = egid */
1311 egid
!= my_pcred
->cr_rgid
&& /* allow egid = rgid */
1312 egid
!= my_pcred
->cr_svgid
)) && /* allow egid = svgid */
1313 (error
= suser(my_cred
, &p
->p_acflag
))) { /* allow root user any */
1314 kauth_cred_unref(&my_cred
);
1318 /* get current credential and take a reference while we muck with it */
1320 uid_t new_egid
= my_pcred
->cr_gid
;
1321 uid_t new_rgid
= my_pcred
->cr_rgid
;
1322 uid_t svgid
= KAUTH_UID_NONE
;
1326 * Set the credential with new info. If there is no change,
1327 * we get back the same credential we passed in; if there is
1328 * a change, we drop the reference on the credential we
1329 * passed in. The subsequent compare is safe, because it is
1330 * a pointer compare rather than a contents compare.
1332 if (egid
== KAUTH_UID_NONE
&& my_pcred
->cr_gid
!= egid
) {
1333 /* changing the effective GID */
1335 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1337 if (rgid
!= KAUTH_UID_NONE
&& my_pcred
->cr_rgid
!= rgid
) {
1338 /* changing the real GID */
1340 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1343 * If the newly requested real gid or effective gid does
1344 * not match the saved gid, then set the saved gid to the
1345 * new effective gid. We are protected from escalation
1346 * by the prechecking.
1348 if (my_pcred
->cr_svgid
!= uap
->rgid
&&
1349 my_pcred
->cr_svgid
!= uap
->egid
) {
1351 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1354 my_new_cred
= kauth_cred_setresgid(my_cred
, rgid
, egid
, svgid
);
1355 if (my_cred
!= my_new_cred
) {
1357 DEBUG_CRED_CHANGE("setregid(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
1360 /* need to protect for a race where another thread
1361 * also changed the credential after we took our
1362 * reference. If p_ucred has changed then we
1363 * should restart this again with the new cred.
1365 if (p
->p_ucred
!= my_cred
) {
1367 kauth_cred_unref(&my_new_cred
);
1369 my_cred
= kauth_cred_proc_ref(p
);
1372 p
->p_ucred
= my_new_cred
;
1373 /* update cred on proc */
1374 PROC_UPDATE_CREDS_ONPROC(p
);
1375 OSBitOrAtomic(P_SUGID
, &p
->p_flag
); /* XXX redundant? */
1380 /* Drop old proc reference or our extra reference */
1381 kauth_cred_unref(&my_cred
);
1383 set_security_token(p
);
1389 * Set the per-thread override identity. The first parameter can be the
1390 * current real UID, KAUTH_UID_NONE, or, if the caller is priviledged, it
1391 * can be any UID. If it is KAUTH_UID_NONE, then as a special case, this
1392 * means "revert to the per process credential"; otherwise, if permitted,
1393 * it changes the effective, real, and saved UIDs and GIDs for the current
1394 * thread to the requested UID and single GID, and clears all other GIDs.
1397 settid(proc_t p
, struct settid_args
*uap
, __unused
int32_t *retval
)
1400 struct uthread
*uthread
= get_bsdthread_info(current_thread());
1406 AUDIT_ARG(uid
, uid
);
1407 AUDIT_ARG(gid
, gid
);
1409 if (proc_suser(p
) != 0)
1412 if (uid
== KAUTH_UID_NONE
) {
1414 /* must already be assuming another identity in order to revert back */
1415 if ((uthread
->uu_flag
& UT_SETUID
) == 0)
1418 /* revert to delayed binding of process credential */
1419 uc
= kauth_cred_proc_ref(p
);
1420 kauth_cred_unref(&uthread
->uu_ucred
);
1421 uthread
->uu_ucred
= uc
;
1422 uthread
->uu_flag
&= ~UT_SETUID
;
1424 kauth_cred_t my_cred
, my_new_cred
;
1426 /* cannot already be assuming another identity */
1427 if ((uthread
->uu_flag
& UT_SETUID
) != 0) {
1432 * Get a new credential instance from the old if this one
1433 * changes; otherwise kauth_cred_setuidgid() returns the
1434 * same credential. We take an extra reference on the
1435 * current credential while we muck with it, so we can do
1436 * the post-compare for changes by pointer.
1438 kauth_cred_ref(uthread
->uu_ucred
);
1439 my_cred
= uthread
->uu_ucred
;
1440 my_new_cred
= kauth_cred_setuidgid(my_cred
, uid
, gid
);
1441 if (my_cred
!= my_new_cred
)
1442 uthread
->uu_ucred
= my_new_cred
;
1443 uthread
->uu_flag
|= UT_SETUID
;
1445 /* Drop old uthread reference or our extra reference */
1446 kauth_cred_unref(&my_cred
);
1449 * XXX should potentially set per thread security token (there is
1451 * XXX it is unclear whether P_SUGID should be st at this point;
1452 * XXX in theory, it is being deprecated.
1459 * Set the per-thread override identity. Use this system call for a thread to
1460 * assume the identity of another process or to revert back to normal identity
1461 * of the current process.
1463 * When the "assume" argument is non zero the current thread will assume the
1464 * identity of the process represented by the pid argument.
1466 * When the assume argument is zero we revert back to our normal identity.
1469 settid_with_pid(proc_t p
, struct settid_with_pid_args
*uap
, __unused
int32_t *retval
)
1472 struct uthread
*uthread
= get_bsdthread_info(current_thread());
1473 kauth_cred_t my_cred
, my_target_cred
, my_new_cred
;
1474 posix_cred_t my_target_pcred
;
1476 AUDIT_ARG(pid
, uap
->pid
);
1477 AUDIT_ARG(value32
, uap
->assume
);
1479 if (proc_suser(p
) != 0) {
1484 * XXX should potentially set per thread security token (there is
1486 * XXX it is unclear whether P_SUGID should be st at this point;
1487 * XXX in theory, it is being deprecated.
1491 * assume argument tells us to assume the identity of the process with the
1492 * id passed in the pid argument.
1494 if (uap
->assume
!= 0) {
1495 /* can't do this if we have already assumed an identity */
1496 if ((uthread
->uu_flag
& UT_SETUID
) != 0)
1499 target_proc
= proc_find(uap
->pid
);
1500 /* can't assume the identity of the kernel process */
1501 if (target_proc
== NULL
|| target_proc
== kernproc
) {
1502 if (target_proc
!= NULL
)
1503 proc_rele(target_proc
);
1508 * Take a reference on the credential used in our target
1509 * process then use it as the identity for our current
1510 * thread. We take an extra reference on the current
1511 * credential while we muck with it, so we can do the
1512 * post-compare for changes by pointer.
1514 * The post-compare is needed for the case that our process
1515 * credential has been changed to be identical to our thread
1516 * credential following our assumption of a per-thread one,
1517 * since the credential cache will maintain a unique instance.
1519 kauth_cred_ref(uthread
->uu_ucred
);
1520 my_cred
= uthread
->uu_ucred
;
1521 my_target_cred
= kauth_cred_proc_ref(target_proc
);
1522 my_target_pcred
= posix_cred_get(my_target_cred
);
1523 my_new_cred
= kauth_cred_setuidgid(my_cred
, my_target_pcred
->cr_uid
, my_target_pcred
->cr_gid
);
1524 if (my_cred
!= my_new_cred
)
1525 uthread
->uu_ucred
= my_new_cred
;
1527 uthread
->uu_flag
|= UT_SETUID
;
1529 /* Drop old uthread reference or our extra reference */
1530 proc_rele(target_proc
);
1531 kauth_cred_unref(&my_cred
);
1532 kauth_cred_unref(&my_target_cred
);
1538 * Otherwise, we are reverting back to normal mode of operation where
1539 * delayed binding of the process credential sets the credential in
1540 * the thread (uu_ucred)
1542 if ((uthread
->uu_flag
& UT_SETUID
) == 0)
1545 /* revert to delayed binding of process credential */
1546 my_new_cred
= kauth_cred_proc_ref(p
);
1547 kauth_cred_unref(&uthread
->uu_ucred
);
1548 uthread
->uu_ucred
= my_new_cred
;
1549 uthread
->uu_flag
&= ~UT_SETUID
;
1558 * Description: Internal implementation for both the setgroups and initgroups
1561 * Parameters: gidsetsize Number of groups in set
1562 * gidset Pointer to group list
1563 * gmuid Base gid (initgroups only!)
1565 * Returns: 0 Success
1566 * suser:EPERM Permision denied
1567 * EINVAL Invalid gidsetsize value
1568 * copyin:EFAULT Bad gidset or gidsetsize is
1571 * Notes: When called from a thread running under an assumed per-thread
1572 * identity, this function will operate against the per-thread
1573 * credential, rather than against the process credential. In
1574 * this specific case, the process credential is verified to
1575 * still be privileged at the time of the call, rather than the
1576 * per-thread credential for this operation to be permitted.
1578 * This effectively means that setgroups/initigroups calls in
1579 * a thread running a per-thread credential should occur *after*
1580 * the settid call that created it, not before (unlike setuid,
1581 * which must be called after, since it will result in privilege
1584 * When called normally (i.e. no per-thread assumed identity),
1585 * the per process credential is updated per POSIX.
1587 * If the credential is changed as a result of this call, then we
1588 * flag the process as having set privilege since the last exec.
1591 setgroups1(proc_t p
, u_int gidsetsize
, user_addr_t gidset
, uid_t gmuid
, __unused
int32_t *retval
)
1594 gid_t newgroups
[NGROUPS
] = { 0 };
1596 kauth_cred_t my_cred
, my_new_cred
;
1597 struct uthread
*uthread
= get_bsdthread_info(current_thread());
1599 DEBUG_CRED_ENTER("setgroups1 (%d/%d): %d 0x%016x %d\n", p
->p_pid
, (p
->p_pptr
? p
->p_pptr
->p_pid
: 0), gidsetsize
, gidset
, gmuid
);
1608 error
= copyin(gidset
,
1609 (caddr_t
)newgroups
, ngrp
* sizeof(gid_t
));
1615 my_cred
= kauth_cred_proc_ref(p
);
1616 if ((error
= suser(my_cred
, &p
->p_acflag
))) {
1617 kauth_cred_unref(&my_cred
);
1621 if ((uthread
->uu_flag
& UT_SETUID
) != 0) {
1623 int my_cred_flags
= uthread
->uu_ucred
->cr_flags
;
1624 #endif /* DEBUG_CRED */
1625 kauth_cred_unref(&my_cred
);
1628 * If this thread is under an assumed identity, set the
1629 * supplementary grouplist on the thread credential instead
1630 * of the process one. If we were the only reference holder,
1631 * the credential is updated in place, otherwise, our reference
1632 * is dropped and we get back a different cred with a reference
1633 * already held on it. Because this is per-thread, we don't
1634 * need the referencing/locking/retry required for per-process.
1636 my_cred
= uthread
->uu_ucred
;
1637 uthread
->uu_ucred
= kauth_cred_setgroups(my_cred
, &newgroups
[0], ngrp
, gmuid
);
1639 if (my_cred
!= uthread
->uu_ucred
) {
1640 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_cred_flags
, uthread
->uu_ucred
, uthread
->uu_ucred
->cr_flags
);
1642 #endif /* DEBUG_CRED */
1646 * get current credential and take a reference while we muck
1651 * Set the credential with new info. If there is no
1652 * change, we get back the same credential we passed
1653 * in; if there is a change, we drop the reference on
1654 * the credential we passed in. The subsequent
1655 * compare is safe, because it is a pointer compare
1656 * rather than a contents compare.
1658 my_new_cred
= kauth_cred_setgroups(my_cred
, &newgroups
[0], ngrp
, gmuid
);
1659 if (my_cred
!= my_new_cred
) {
1661 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_cred
->cr_flags
, my_new_cred
, my_new_cred
->cr_flags
);
1665 * We need to protect for a race where another
1666 * thread also changed the credential after we
1667 * took our reference. If p_ucred has
1668 * changed then we should restart this again
1669 * with the new cred.
1671 if (p
->p_ucred
!= my_cred
) {
1673 kauth_cred_unref(&my_new_cred
);
1674 my_cred
= kauth_cred_proc_ref(p
);
1678 p
->p_ucred
= my_new_cred
;
1679 /* update cred on proc */
1680 PROC_UPDATE_CREDS_ONPROC(p
);
1681 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1686 /* Drop old proc reference or our extra reference */
1687 AUDIT_ARG(groupset
, posix_cred_get(my_cred
)->cr_groups
, ngrp
);
1688 kauth_cred_unref(&my_cred
);
1691 set_security_token(p
);
1701 * Description: Initialize the default supplementary groups list and set the
1702 * gmuid for use by the external group resolver (if any)
1704 * Parameters: uap->gidsetsize Number of groups in set
1705 * uap->gidset Pointer to group list
1706 * uap->gmuid Base gid
1708 * Returns: 0 Success
1709 * setgroups1:EPERM Permision denied
1710 * setgroups1:EINVAL Invalid gidsetsize value
1711 * setgroups1:EFAULT Bad gidset or gidsetsize is
1713 * Notes: This function opts *IN* to memberd participation
1715 * The normal purpose of this function is for a privileged
1716 * process to indicate supplementary groups and identity for
1717 * participation in extended group membership resolution prior
1718 * to dropping privilege by assuming a specific user identity.
1720 * It is the first half of the primary mechanism whereby user
1721 * identity is established to the system by programs such as
1722 * /usr/bin/login. The second half is the drop of uid privilege
1723 * for a specific uid corresponding to the user.
1725 * See also: setgroups1()
1728 initgroups(proc_t p
, struct initgroups_args
*uap
, __unused
int32_t *retval
)
1730 DEBUG_CRED_ENTER("initgroups\n");
1732 return(setgroups1(p
, uap
->gidsetsize
, uap
->gidset
, uap
->gmuid
, retval
));
1739 * Description: Initialize the default supplementary groups list
1741 * Parameters: gidsetsize Number of groups in set
1742 * gidset Pointer to group list
1744 * Returns: 0 Success
1745 * setgroups1:EPERM Permision denied
1746 * setgroups1:EINVAL Invalid gidsetsize value
1747 * setgroups1:EFAULT Bad gidset or gidsetsize is
1749 * Notes: This functions opts *OUT* of memberd participation.
1751 * This function exists for compatibility with POSIX. Most user
1752 * programs should use initgroups() instead to ensure correct
1753 * participation in group membership resolution when utilizing
1754 * a directory service for authentication.
1756 * It is identical to an initgroups() call with a gmuid argument
1757 * of KAUTH_UID_NONE.
1759 * See also: setgroups1()
1762 setgroups(proc_t p
, struct setgroups_args
*uap
, __unused
int32_t *retval
)
1764 DEBUG_CRED_ENTER("setgroups\n");
1766 return(setgroups1(p
, uap
->gidsetsize
, uap
->gidset
, KAUTH_UID_NONE
, retval
));
1771 * Set the per-thread/per-process supplementary groups list.
1773 * XXX implement setsgroups
1778 setsgroups(__unused proc_t p
, __unused
struct setsgroups_args
*uap
, __unused
int32_t *retval
)
1784 * Set the per-thread/per-process whiteout groups list.
1786 * XXX implement setwgroups
1791 setwgroups(__unused proc_t p
, __unused
struct setwgroups_args
*uap
, __unused
int32_t *retval
)
1798 * Check if gid is a member of the group set.
1800 * XXX This interface is going away; use kauth_cred_ismember_gid() directly
1804 groupmember(gid_t gid
, kauth_cred_t cred
)
1808 if (kauth_cred_ismember_gid(cred
, gid
, &is_member
) == 0 && is_member
)
1815 * Test whether the specified credentials imply "super-user"
1816 * privilege; if so, and we have accounting info, set the flag
1817 * indicating use of super-powers.
1818 * Returns 0 or error.
1820 * XXX This interface is going away; use kauth_cred_issuser() directly
1823 * Note: This interface exists to implement the "has used privilege"
1824 * bit (ASU) in the p_acflags field of the process, which is
1825 * only externalized via private sysctl and in process accounting
1826 * records. The flag is technically not required in either case.
1829 suser(kauth_cred_t cred
, u_short
*acflag
)
1832 if (!IS_VALID_CRED(cred
))
1835 if (kauth_cred_getuid(cred
) == 0) {
1847 * Description: Get login name, if available.
1849 * Parameters: uap->namebuf User buffer for return
1850 * uap->namelen User buffer length
1852 * Returns: 0 Success
1855 * Notes: Intended to obtain a string containing the user name of the
1856 * user associated with the controlling terminal for the calling
1859 * Not very useful on modern systems, due to inherent length
1860 * limitations for the static array in the session structure
1861 * which is used to store the login name.
1863 * Permitted to return NULL
1865 * XXX: Belongs in kern_proc.c
1868 getlogin(proc_t p
, struct getlogin_args
*uap
, __unused
int32_t *retval
)
1870 char buffer
[MAXLOGNAME
+1];
1871 struct session
* sessp
;
1873 bzero(buffer
, MAXLOGNAME
+1);
1875 sessp
= proc_session(p
);
1877 if (uap
->namelen
> MAXLOGNAME
)
1878 uap
->namelen
= MAXLOGNAME
;
1880 if(sessp
!= SESSION_NULL
) {
1881 session_lock(sessp
);
1882 bcopy( sessp
->s_login
, buffer
, uap
->namelen
);
1883 session_unlock(sessp
);
1885 session_rele(sessp
);
1887 return (copyout((caddr_t
)buffer
, uap
->namebuf
, uap
->namelen
));
1894 * Description: Set login name.
1896 * Parameters: uap->namebuf User buffer containing name
1898 * Returns: 0 Success
1899 * suser:EPERM Permission denied
1900 * copyinstr:EFAULT User buffer invalid
1901 * copyinstr:EINVAL Supplied name was too long
1903 * Notes: This is a utility system call to support getlogin().
1905 * XXX: Belongs in kern_proc.c
1908 setlogin(proc_t p
, struct setlogin_args
*uap
, __unused
int32_t *retval
)
1912 char buffer
[MAXLOGNAME
+1];
1913 struct session
* sessp
;
1915 if ((error
= proc_suser(p
)))
1918 bzero(&buffer
[0], MAXLOGNAME
+1);
1921 error
= copyinstr(uap
->namebuf
,
1922 (caddr_t
) &buffer
[0],
1923 MAXLOGNAME
- 1, (size_t *)&dummy
);
1925 sessp
= proc_session(p
);
1927 if (sessp
!= SESSION_NULL
) {
1928 session_lock(sessp
);
1929 bcopy(buffer
, sessp
->s_login
, MAXLOGNAME
);
1930 session_unlock(sessp
);
1931 session_rele(sessp
);
1936 AUDIT_ARG(text
, buffer
);
1937 } else if (error
== ENAMETOOLONG
)
1943 /* Set the secrity token of the task with current euid and eguid */
1945 * XXX This needs to change to give the task a reference and/or an opaque
1949 set_security_token(proc_t p
)
1951 security_token_t sec_token
;
1952 audit_token_t audit_token
;
1953 kauth_cred_t my_cred
;
1954 posix_cred_t my_pcred
;
1955 host_priv_t host_priv
;
1958 * Don't allow a vfork child to override the parent's token settings
1959 * (since they share a task). Instead, the child will just have to
1960 * suffer along using the parent's token until the exec(). It's all
1961 * undefined behavior anyway, right?
1963 if (p
->task
== current_task()) {
1965 uthread
= (uthread_t
)get_bsdthread_info(current_thread());
1966 if (uthread
->uu_flag
& UT_VFORK
)
1970 my_cred
= kauth_cred_proc_ref(p
);
1971 my_pcred
= posix_cred_get(my_cred
);
1973 /* XXX mach_init doesn't have a p_ucred when it calls this function */
1974 if (IS_VALID_CRED(my_cred
)) {
1975 sec_token
.val
[0] = kauth_cred_getuid(my_cred
);
1976 sec_token
.val
[1] = kauth_cred_getgid(my_cred
);
1978 sec_token
.val
[0] = 0;
1979 sec_token
.val
[1] = 0;
1983 * The current layout of the Mach audit token explicitly
1984 * adds these fields. But nobody should rely on such
1985 * a literal representation. Instead, the BSM library
1986 * provides a function to convert an audit token into
1987 * a BSM subject. Use of that mechanism will isolate
1988 * the user of the trailer from future representation
1991 audit_token
.val
[0] = my_cred
->cr_audit
.as_aia_p
->ai_auid
;
1992 audit_token
.val
[1] = my_pcred
->cr_uid
;
1993 audit_token
.val
[2] = my_pcred
->cr_gid
;
1994 audit_token
.val
[3] = my_pcred
->cr_ruid
;
1995 audit_token
.val
[4] = my_pcred
->cr_rgid
;
1996 audit_token
.val
[5] = p
->p_pid
;
1997 audit_token
.val
[6] = my_cred
->cr_audit
.as_aia_p
->ai_asid
;
1998 audit_token
.val
[7] = p
->p_idversion
;
2000 #if CONFIG_MACF_MACH
2001 mac_task_label_update_cred(my_cred
, p
->task
);
2004 host_priv
= (sec_token
.val
[0]) ? HOST_PRIV_NULL
: host_priv_self();
2006 if (host_priv
!= HOST_PRIV_NULL
&& mac_system_check_host_priv(my_cred
))
2007 host_priv
= HOST_PRIV_NULL
;
2009 kauth_cred_unref(&my_cred
);
2011 return (host_security_set_task_token(host_security_self(),
2015 host_priv
) != KERN_SUCCESS
);
2020 * Fill in a struct xucred based on a kauth_cred_t.
2024 cru2x(kauth_cred_t cr
, struct xucred
*xcr
)
2026 posix_cred_t pcr
= posix_cred_get(cr
);
2028 bzero(xcr
, sizeof(*xcr
));
2029 xcr
->cr_version
= XUCRED_VERSION
;
2030 xcr
->cr_uid
= kauth_cred_getuid(cr
);
2031 xcr
->cr_ngroups
= pcr
->cr_ngroups
;
2032 bcopy(pcr
->cr_groups
, xcr
->cr_groups
, sizeof(xcr
->cr_groups
));
2038 * Set Login Context ID
2041 * MPSAFE - assignment of (visible) process to context protected by ALLLCTX_LOCK,
2042 * LCTX by its own locks.
2045 setlcid(proc_t p0
, struct setlcid_args
*uap
, __unused
int32_t *retval
)
2052 AUDIT_ARG(pid
, uap
->pid
);
2053 AUDIT_ARG(value32
, uap
->lcid
);
2054 if (uap
->pid
== LCID_PROC_SELF
) { /* Create/Join/Leave */
2056 } else { /* Adopt/Orphan */
2057 p
= proc_find(uap
->pid
);
2064 error
= mac_proc_check_setlcid(p0
, p
, uap
->pid
, uap
->lcid
);
2069 switch (uap
->lcid
) {
2073 /* Only root may Leave/Orphan. */
2074 if (!kauth_cred_issuser(kauth_cred_get())) {
2079 /* Process not in login context. */
2080 if (p
->p_lctx
== NULL
) {
2092 /* Create only valid for self! */
2093 if (uap
->pid
!= LCID_PROC_SELF
) {
2098 /* Already in a login context. */
2099 if (p
->p_lctx
!= NULL
) {
2117 /* Only root may Join/Adopt. */
2118 if (!kauth_cred_issuser(kauth_cred_get())) {
2123 l
= lcfind(uap
->lcid
);
2134 enterlctx(p
, l
, (uap
->lcid
== LCID_CREATE
) ? 1 : 0);
2144 * Get Login Context ID
2147 * MPSAFE - membership of (visible) process in a login context
2148 * protected by the all-context lock.
2151 getlcid(proc_t p0
, struct getlcid_args
*uap
, int32_t *retval
)
2157 AUDIT_ARG(pid
, uap
->pid
);
2158 if (uap
->pid
== LCID_PROC_SELF
) {
2161 p
= proc_find(uap
->pid
);
2168 error
= mac_proc_check_getlcid(p0
, p
, uap
->pid
);
2173 if (p
->p_lctx
== NULL
) {
2178 *retval
= p
->p_lctx
->lc_id
;
2188 setlcid(proc_t p0
, struct setlcid_args
*uap
, int32_t *retval
)
2195 getlcid(proc_t p0
, struct getlcid_args
*uap
, int32_t *retval
)