2 * Copyright (c) 2000-2008 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
29 * Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved
32 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
33 * The Regents of the University of California. All rights reserved.
34 * (c) UNIX System Laboratories, Inc.
35 * All or some portions of this file are derived from material licensed
36 * to the University of California by American Telephone and Telegraph
37 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
38 * the permission of UNIX System Laboratories, Inc.
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
43 * 1. Redistributions of source code must retain the above copyright
44 * notice, this list of conditions and the following disclaimer.
45 * 2. Redistributions in binary form must reproduce the above copyright
46 * notice, this list of conditions and the following disclaimer in the
47 * documentation and/or other materials provided with the distribution.
48 * 3. All advertising materials mentioning features or use of this software
49 * must display the following acknowledgement:
50 * This product includes software developed by the University of
51 * California, Berkeley and its contributors.
52 * 4. Neither the name of the University nor the names of its contributors
53 * may be used to endorse or promote products derived from this software
54 * without specific prior written permission.
56 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
57 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
58 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
59 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
60 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
61 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
62 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
63 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
64 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
65 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
68 * @(#)kern_prot.c 8.9 (Berkeley) 2/14/95
71 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
72 * support for mandatory and extensible security protections. This notice
73 * is included in support of clause 2.2 (b) of the Apple Public License,
77 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
78 * support for mandatory and extensible security protections. This notice
79 * is included in support of clause 2.2 (b) of the Apple Public License,
85 * System calls related to processes and protection
88 #include <sys/param.h>
90 #include <sys/systm.h>
91 #include <sys/ucred.h>
92 #include <sys/proc_internal.h>
94 #include <sys/kauth.h>
95 #include <sys/timeb.h>
96 #include <sys/times.h>
97 #include <sys/malloc.h>
99 #include <security/audit/audit.h>
102 #include <sys/lctx.h>
106 #include <security/mac_framework.h>
109 #include <sys/mount_internal.h>
110 #include <sys/sysproto.h>
111 #include <mach/message.h>
112 #include <mach/host_security.h>
114 #include <kern/host.h>
115 #include <kern/task.h> /* for current_task() */
116 #include <kern/assert.h>
120 * Credential debugging; we can track entry into a function that might
121 * change a credential, and we can track actual credential changes that
124 * Note: Does *NOT* currently include per-thread credential changes
126 * We don't use kauth_cred_print() in current debugging, but it
127 * can be used if needed when debugging is active.
130 #define DEBUG_CRED_ENTER printf
131 #define DEBUG_CRED_CHANGE printf
132 extern void kauth_cred_print(kauth_cred_t cred
);
133 #else /* !DEBUG_CRED */
134 #define DEBUG_CRED_ENTER(fmt, ...) do {} while (0)
135 #define DEBUG_CRED_CHANGE(fmt, ...) do {} while (0)
136 #endif /* !DEBUG_CRED */
138 #if DEVELOPMENT || DEBUG
139 extern void task_importance_update_owner_info(task_t
);
146 * Description: (dis)allow this process to hold task, thread, or execption
147 * ports of processes about to exec.
149 * Parameters: uap->flag New value for flag
151 * Returns: int Previous value of flag
153 * XXX: Belongs in kern_proc.c
156 setprivexec(proc_t p
, struct setprivexec_args
*uap
, int32_t *retval
)
158 AUDIT_ARG(value32
, uap
->flag
);
159 *retval
= p
->p_debugger
;
160 p
->p_debugger
= (uap
->flag
!= 0);
168 * Description: get the process ID
172 * Returns: pid_t Current process ID
174 * XXX: Belongs in kern_proc.c
177 getpid(proc_t p
, __unused
struct getpid_args
*uap
, int32_t *retval
)
188 * Description: get the parent process ID
192 * Returns: pid_t Parent process ID
194 * XXX: Belongs in kern_proc.c
197 getppid(proc_t p
, __unused
struct getppid_args
*uap
, int32_t *retval
)
208 * Description: get the process group ID of the calling process
212 * Returns: pid_t Process group ID
214 * XXX: Belongs in kern_proc.c
217 getpgrp(proc_t p
, __unused
struct getpgrp_args
*uap
, int32_t *retval
)
220 *retval
= p
->p_pgrpid
;
228 * Description: Get an arbitary pid's process group id
230 * Parameters: uap->pid The target pid
233 * ESRCH No such process
235 * Notes: We are permitted to return EPERM in the case that the target
236 * process is not in the same session as the calling process,
237 * which could be a security consideration
239 * XXX: Belongs in kern_proc.c
242 getpgid(proc_t p
, struct getpgid_args
*uap
, int32_t *retval
)
251 if ((pt
= proc_find(uap
->pid
)) == 0)
255 *retval
= pt
->p_pgrpid
;
265 * Description: Get an arbitary pid's session leaders process group ID
267 * Parameters: uap->pid The target pid
270 * ESRCH No such process
272 * Notes: We are permitted to return EPERM in the case that the target
273 * process is not in the same session as the calling process,
274 * which could be a security consideration
276 * XXX: Belongs in kern_proc.c
279 getsid(proc_t p
, struct getsid_args
*uap
, int32_t *retval
)
283 struct session
* sessp
;
289 if ((pt
= proc_find(uap
->pid
)) == 0)
293 sessp
= proc_session(pt
);
294 *retval
= sessp
->s_sid
;
306 * Description: get real user ID for caller
310 * Returns: uid_t The real uid of the caller
313 getuid(__unused proc_t p
, __unused
struct getuid_args
*uap
, int32_t *retval
)
316 *retval
= kauth_getruid();
324 * Description: get effective user ID for caller
328 * Returns: uid_t The effective uid of the caller
331 geteuid(__unused proc_t p
, __unused
struct geteuid_args
*uap
, int32_t *retval
)
334 *retval
= kauth_getuid();
342 * Description: Return the per-thread override identity.
344 * Parameters: uap->uidp Address of uid_t to get uid
345 * uap->gidp Address of gid_t to get gid
348 * ESRCH No per thread identity active
351 gettid(__unused proc_t p
, struct gettid_args
*uap
, int32_t *retval
)
353 struct uthread
*uthread
= get_bsdthread_info(current_thread());
357 * If this thread is not running with an override identity, we can't
358 * return one to the caller, so return an error instead.
360 if (!(uthread
->uu_flag
& UT_SETUID
))
363 if ((error
= suword(uap
->uidp
, kauth_cred_getruid(uthread
->uu_ucred
))))
365 if ((error
= suword(uap
->gidp
, kauth_cred_getrgid(uthread
->uu_ucred
))))
376 * Description: get the real group ID for the calling process
380 * Returns: gid_t The real gid of the caller
383 getgid(__unused proc_t p
, __unused
struct getgid_args
*uap
, int32_t *retval
)
386 *retval
= kauth_getrgid();
394 * Description: get the effective group ID for the calling process
398 * Returns: gid_t The effective gid of the caller
400 * Notes: As an implementation detail, the effective gid is stored as
401 * the first element of the supplementary group list.
403 * This could be implemented in Libc instead because of the above
407 getegid(__unused proc_t p
, __unused
struct getegid_args
*uap
, int32_t *retval
)
410 *retval
= kauth_getgid();
418 * Description: get the list of supplementary groups for the calling process
420 * Parameters: uap->gidsetsize # of gid_t's in user buffer
421 * uap->gidset Pointer to user buffer
424 * EINVAL User buffer too small
425 * copyout:EFAULT User buffer invalid
430 * Notes: The caller may specify a 0 value for gidsetsize, and we will
431 * then return how large a buffer is required (in gid_t's) to
432 * contain the answer at the time of the call. Otherwise, we
433 * return the number of gid_t's catually copied to user space.
435 * When called with a 0 gidsetsize from a multithreaded program,
436 * there is no guarantee that another thread may not change the
437 * number of supplementary groups, and therefore a subsequent
438 * call could still fail, unless the maximum possible buffer
439 * size is supplied by the user.
441 * As an implementation detail, the effective gid is stored as
442 * the first element of the supplementary group list, and will
443 * be returned by this call.
446 getgroups(__unused proc_t p
, struct getgroups_args
*uap
, int32_t *retval
)
453 /* grab reference while we muck around with the credential */
454 cred
= kauth_cred_get_with_ref();
455 pcred
= posix_cred_get(cred
);
457 if ((ngrp
= uap
->gidsetsize
) == 0) {
458 *retval
= pcred
->cr_ngroups
;
459 kauth_cred_unref(&cred
);
462 if (ngrp
< pcred
->cr_ngroups
) {
463 kauth_cred_unref(&cred
);
466 ngrp
= pcred
->cr_ngroups
;
467 if ((error
= copyout((caddr_t
)pcred
->cr_groups
,
469 ngrp
* sizeof(gid_t
)))) {
470 kauth_cred_unref(&cred
);
473 kauth_cred_unref(&cred
);
480 * Return the per-thread/per-process supplementary groups list.
482 * XXX implement getsgroups
487 getsgroups(__unused proc_t p
, __unused
struct getsgroups_args
*uap
, __unused
int32_t *retval
)
493 * Return the per-thread/per-process whiteout groups list.
495 * XXX implement getwgroups
500 getwgroups(__unused proc_t p
, __unused
struct getwgroups_args
*uap
, __unused
int32_t *retval
)
509 * Description: Create a new session and set the process group ID to the
515 * EPERM Permission denied
517 * Notes: If the calling process is not the process group leader; there
518 * is no existing process group with its ID, and we are not
519 * currently in vfork, then this function will create a new
520 * session, a new process group, and put the caller in the
521 * process group (as the sole member) and make it the session
522 * leader (as the sole process in the session).
524 * The existing controlling tty (if any) will be dissociated
525 * from the process, and the next non-O_NOCTTY open of a tty
526 * will establish a new controlling tty.
528 * XXX: Belongs in kern_proc.c
531 setsid(proc_t p
, __unused
struct setsid_args
*uap
, int32_t *retval
)
533 struct pgrp
* pg
= PGRP_NULL
;
535 if (p
->p_pgrpid
== p
->p_pid
|| (pg
= pgfind(p
->p_pid
)) || p
->p_lflag
& P_LINVFORK
) {
540 /* enter pgrp works with its own pgrp refcount */
541 (void)enterpgrp(p
, p
->p_pid
, 1);
551 * Description: set process group ID for job control
553 * Parameters: uap->pid Process to change
554 * uap->pgid Process group to join or create
557 * ESRCH pid is not the caller or a child of
559 * enterpgrp:ESRCH No such process
560 * EACCES Permission denied due to exec
561 * EINVAL Invalid argument
562 * EPERM The target process is not in the same
563 * session as the calling process
564 * EPERM The target process is a session leader
565 * EPERM pid and pgid are not the same, and
566 * there is no process in the calling
567 * process whose process group ID matches
570 * Notes: This function will cause the target process to either join
571 * an existing process process group, or create a new process
572 * group in the session of the calling process. It cannot be
573 * used to change the process group ID of a process which is
574 * already a session leader.
576 * If the target pid is 0, the pid of the calling process is
577 * substituted as the new target; if pgid is 0, the target pid
578 * is used as the target process group ID.
580 * Legacy: This system call entry point is also used to implement the
581 * legacy library routine setpgrp(), which under POSIX
583 * XXX: Belongs in kern_proc.c
586 setpgid(proc_t curp
, register struct setpgid_args
*uap
, __unused
int32_t *retval
)
588 proc_t targp
= PROC_NULL
; /* target process */
589 struct pgrp
*pg
= PGRP_NULL
; /* target pgrp */
593 struct session
* curp_sessp
= SESSION_NULL
;
594 struct session
* targp_sessp
= SESSION_NULL
;
596 curp_sessp
= proc_session(curp
);
598 if (uap
->pid
!= 0 && uap
->pid
!= curp
->p_pid
) {
599 if ((targp
= proc_find(uap
->pid
)) == 0 || !inferior(targp
)) {
600 if (targp
!= PROC_NULL
)
606 targp_sessp
= proc_session(targp
);
607 if (targp_sessp
!= curp_sessp
) {
611 if (targp
->p_flag
& P_EXEC
) {
617 targp_sessp
= proc_session(targp
);
620 if (SESS_LEADER(targp
, targp_sessp
)) {
624 if (targp_sessp
!= SESSION_NULL
) {
625 session_rele(targp_sessp
);
626 targp_sessp
= SESSION_NULL
;
634 uap
->pgid
= targp
->p_pid
;
635 else if (uap
->pgid
!= targp
->p_pid
) {
636 if ((pg
= pgfind(uap
->pgid
)) == 0){
640 samesess
= (pg
->pg_session
!= curp_sessp
);
647 error
= enterpgrp(targp
, uap
->pgid
, 0);
649 if (targp_sessp
!= SESSION_NULL
)
650 session_rele(targp_sessp
);
651 if (curp_sessp
!= SESSION_NULL
)
652 session_rele(curp_sessp
);
662 * Description: Is current process tainted by uid or gid changes system call
666 * Returns: 0 Not tainted
669 * Notes: A process is considered tainted if it was created as a retult
670 * of an execve call from an imnage that had either the SUID or
671 * SGID bit set on the executable, or if it has changed any of its
672 * real, effective, or saved user or group IDs since beginning
676 issetugid(proc_t p
, __unused
struct issetugid_args
*uap
, int32_t *retval
)
679 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
680 * we use P_SUGID because we consider changing the owners as
681 * "tainting" as well.
682 * This is significant for procs that start as root and "become"
683 * a user without an exec - programs cannot know *everything*
684 * that libc *might* have put in their data segment.
687 *retval
= (p
->p_flag
& P_SUGID
) ? 1 : 0;
695 * Description: Set user ID system call
697 * Parameters: uap->uid uid to set
700 * suser:EPERM Permission denied
702 * Notes: If called by a privileged process, this function will set the
703 * real, effective, and saved uid to the requested value.
705 * If called from an unprivileged process, but uid is equal to the
706 * real or saved uid, then the effective uid will be set to the
707 * requested value, but the real and saved uid will not change.
709 * If the credential is changed as a result of this call, then we
710 * flag the process as having set privilege since the last exec.
713 setuid(proc_t p
, struct setuid_args
*uap
, __unused
int32_t *retval
)
716 uid_t svuid
= KAUTH_UID_NONE
;
717 uid_t ruid
= KAUTH_UID_NONE
;
718 uid_t gmuid
= KAUTH_UID_NONE
;
720 kauth_cred_t my_cred
, my_new_cred
;
721 posix_cred_t my_pcred
;
725 /* get current credential and take a reference while we muck with it */
726 my_cred
= kauth_cred_proc_ref(p
);
727 my_pcred
= posix_cred_get(my_cred
);
729 DEBUG_CRED_ENTER("setuid (%d/%d): %p %d\n", p
->p_pid
, (p
->p_pptr
? p
->p_pptr
->p_pid
: 0), my_cred
, uap
->uid
);
733 if (uid
!= my_pcred
->cr_ruid
&& /* allow setuid(getuid()) */
734 uid
!= my_pcred
->cr_svuid
&& /* allow setuid(saved uid) */
735 (error
= suser(my_cred
, &p
->p_acflag
))) {
736 kauth_cred_unref(&my_cred
);
741 * If we are privileged, then set the saved and real UID too;
742 * otherwise, just set the effective UID
744 if (suser(my_cred
, &p
->p_acflag
) == 0) {
748 svuid
= KAUTH_UID_NONE
;
749 ruid
= KAUTH_UID_NONE
;
752 * Only set the gmuid if the current cred has not opt'ed out;
753 * this normally only happens when calling setgroups() instead
754 * of initgroups() to set an explicit group list, or one of the
755 * other group manipulation functions is invoked and results in
756 * a dislocation (i.e. the credential group membership changes
757 * to something other than the default list for the user, as
758 * in entering a group or leaving an exclusion group).
760 if (!(my_pcred
->cr_flags
& CRF_NOMEMBERD
))
764 * Set the credential with new info. If there is no change,
765 * we get back the same credential we passed in; if there is
766 * a change, we drop the reference on the credential we
767 * passed in. The subsequent compare is safe, because it is
768 * a pointer compare rather than a contents compare.
770 my_new_cred
= kauth_cred_setresuid(my_cred
, ruid
, uid
, svuid
, gmuid
);
771 if (my_cred
!= my_new_cred
) {
773 DEBUG_CRED_CHANGE("setuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
776 * If we're changing the ruid from A to B, we might race with another thread that's setting ruid from B to A.
777 * The current locking mechanisms don't allow us to make the entire credential switch operation atomic,
778 * thus we may be able to change the process credentials from ruid A to B, but get preempted before incrementing the proc
779 * count of B. If a second thread sees the new process credentials and switches back to ruid A, that other thread
780 * may be able to decrement the proc count of B before we can increment it. This results in a panic.
781 * Incrementing the proc count of the target ruid, B, before setting the process credentials prevents this race.
783 if (ruid
!= KAUTH_UID_NONE
) {
784 (void)chgproccnt(ruid
, 1);
789 * We need to protect for a race where another thread
790 * also changed the credential after we took our
791 * reference. If p_ucred has changed then we should
792 * restart this again with the new cred.
794 * Note: the kauth_cred_setresuid has consumed a reference to my_cred, it p_ucred != my_cred, then my_cred must not be dereferenced!
796 if (p
->p_ucred
!= my_cred
) {
799 * We didn't successfully switch to the new ruid, so decrement
800 * the procs/uid count that we incremented above.
802 if (ruid
!= KAUTH_UID_NONE
) {
803 (void)chgproccnt(ruid
, -1);
805 kauth_cred_unref(&my_new_cred
);
806 my_cred
= kauth_cred_proc_ref(p
);
807 my_pcred
= posix_cred_get(my_cred
);
811 p
->p_ucred
= my_new_cred
;
812 /* update cred on proc */
813 PROC_UPDATE_CREDS_ONPROC(p
);
815 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
818 * If we've updated the ruid, decrement the count of procs running
819 * under the previous ruid
821 if (ruid
!= KAUTH_UID_NONE
) {
822 (void)chgproccnt(my_pcred
->cr_ruid
, -1);
827 /* Drop old proc reference or our extra reference */
828 kauth_cred_unref(&my_cred
);
830 set_security_token(p
);
838 * Description: Set effective user ID system call
840 * Parameters: uap->euid effective uid to set
843 * suser:EPERM Permission denied
845 * Notes: If called by a privileged process, or called from an
846 * unprivileged process but euid is equal to the real or saved
847 * uid, then the effective uid will be set to the requested
848 * value, but the real and saved uid will not change.
850 * If the credential is changed as a result of this call, then we
851 * flag the process as having set privilege since the last exec.
854 seteuid(proc_t p
, struct seteuid_args
*uap
, __unused
int32_t *retval
)
858 kauth_cred_t my_cred
, my_new_cred
;
859 posix_cred_t my_pcred
;
861 DEBUG_CRED_ENTER("seteuid: %d\n", uap
->euid
);
864 AUDIT_ARG(euid
, euid
);
866 my_cred
= kauth_cred_proc_ref(p
);
867 my_pcred
= posix_cred_get(my_cred
);
871 if (euid
!= my_pcred
->cr_ruid
&& euid
!= my_pcred
->cr_svuid
&&
872 (error
= suser(my_cred
, &p
->p_acflag
))) {
873 kauth_cred_unref(&my_cred
);
878 * Set the credential with new info. If there is no change,
879 * we get back the same credential we passed in; if there is
880 * a change, we drop the reference on the credential we
881 * passed in. The subsequent compare is safe, because it is
882 * a pointer compare rather than a contents compare.
884 my_new_cred
= kauth_cred_setresuid(my_cred
, KAUTH_UID_NONE
, euid
, KAUTH_UID_NONE
, my_pcred
->cr_gmuid
);
886 if (my_cred
!= my_new_cred
) {
888 DEBUG_CRED_CHANGE("seteuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
892 * We need to protect for a race where another thread
893 * also changed the credential after we took our
894 * reference. If p_ucred has changed then we
895 * should restart this again with the new cred.
897 if (p
->p_ucred
!= my_cred
) {
899 kauth_cred_unref(&my_new_cred
);
900 my_cred
= kauth_cred_proc_ref(p
);
901 my_pcred
= posix_cred_get(my_cred
);
905 p
->p_ucred
= my_new_cred
;
906 /* update cred on proc */
907 PROC_UPDATE_CREDS_ONPROC(p
);
908 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
913 /* drop old proc reference or our extra reference */
914 kauth_cred_unref(&my_cred
);
916 set_security_token(p
);
924 * Description: Set real and effective user ID system call
926 * Parameters: uap->ruid real uid to set
927 * uap->euid effective uid to set
930 * suser:EPERM Permission denied
932 * Notes: A value of -1 is a special case indicating that the uid for
933 * which that value is specified not be changed. If both values
934 * are specified as -1, no action is taken.
936 * If called by a privileged process, the real and effective uid
937 * will be set to the new value(s) specified.
939 * If called from an unprivileged process, the real uid may be
940 * set to the current value of the real uid, or to the current
941 * value of the saved uid. The effective uid may be set to the
942 * current value of any of the effective, real, or saved uid.
944 * If the newly requested real uid or effective uid does not
945 * match the saved uid, then set the saved uid to the new
946 * effective uid (potentially unrecoverably dropping saved
949 * If the credential is changed as a result of this call, then we
950 * flag the process as having set privilege since the last exec.
953 setreuid(proc_t p
, struct setreuid_args
*uap
, __unused
int32_t *retval
)
957 kauth_cred_t my_cred
, my_new_cred
;
958 posix_cred_t my_pcred
;
960 DEBUG_CRED_ENTER("setreuid %d %d\n", uap
->ruid
, uap
->euid
);
964 if (ruid
== (uid_t
)-1)
965 ruid
= KAUTH_UID_NONE
;
966 if (euid
== (uid_t
)-1)
967 euid
= KAUTH_UID_NONE
;
968 AUDIT_ARG(euid
, euid
);
969 AUDIT_ARG(ruid
, ruid
);
971 my_cred
= kauth_cred_proc_ref(p
);
972 my_pcred
= posix_cred_get(my_cred
);
976 if (((ruid
!= KAUTH_UID_NONE
&& /* allow no change of ruid */
977 ruid
!= my_pcred
->cr_ruid
&& /* allow ruid = ruid */
978 ruid
!= my_pcred
->cr_uid
&& /* allow ruid = euid */
979 ruid
!= my_pcred
->cr_svuid
) || /* allow ruid = svuid */
980 (euid
!= KAUTH_UID_NONE
&& /* allow no change of euid */
981 euid
!= my_pcred
->cr_uid
&& /* allow euid = euid */
982 euid
!= my_pcred
->cr_ruid
&& /* allow euid = ruid */
983 euid
!= my_pcred
->cr_svuid
)) && /* allow euid = svuid */
984 (error
= suser(my_cred
, &p
->p_acflag
))) { /* allow root user any */
985 kauth_cred_unref(&my_cred
);
990 uid_t svuid
= KAUTH_UID_NONE
;
992 new_euid
= my_pcred
->cr_uid
;
994 * Set the credential with new info. If there is no change,
995 * we get back the same credential we passed in; if there is
996 * a change, we drop the reference on the credential we
997 * passed in. The subsequent compare is safe, because it is
998 * a pointer compare rather than a contents compare.
1000 if (euid
!= KAUTH_UID_NONE
&& my_pcred
->cr_uid
!= euid
) {
1001 /* changing the effective UID */
1003 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1006 * If the newly requested real uid or effective uid does
1007 * not match the saved uid, then set the saved uid to the
1008 * new effective uid. We are protected from escalation
1009 * by the prechecking.
1011 if (my_pcred
->cr_svuid
!= uap
->ruid
&&
1012 my_pcred
->cr_svuid
!= uap
->euid
) {
1014 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1017 my_new_cred
= kauth_cred_setresuid(my_cred
, ruid
, euid
, svuid
, my_pcred
->cr_gmuid
);
1019 if (my_cred
!= my_new_cred
) {
1021 DEBUG_CRED_CHANGE("setreuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
1024 * If we're changing the ruid from A to B, we might race with another thread that's setting ruid from B to A.
1025 * The current locking mechanisms don't allow us to make the entire credential switch operation atomic,
1026 * thus we may be able to change the process credentials from ruid A to B, but get preempted before incrementing the proc
1027 * count of B. If a second thread sees the new process credentials and switches back to ruid A, that other thread
1028 * may be able to decrement the proc count of B before we can increment it. This results in a panic.
1029 * Incrementing the proc count of the target ruid, B, before setting the process credentials prevents this race.
1031 if (ruid
!= KAUTH_UID_NONE
) {
1032 (void)chgproccnt(ruid
, 1);
1037 * We need to protect for a race where another thread
1038 * also changed the credential after we took our
1039 * reference. If p_ucred has changed then we should
1040 * restart this again with the new cred.
1042 * Note: the kauth_cred_setresuid has consumed a reference to my_cred, it p_ucred != my_cred, then my_cred must not be dereferenced!
1044 if (p
->p_ucred
!= my_cred
) {
1046 if (ruid
!= KAUTH_UID_NONE
) {
1048 * We didn't successfully switch to the new ruid, so decrement
1049 * the procs/uid count that we incremented above.
1051 (void)chgproccnt(ruid
, -1);
1053 kauth_cred_unref(&my_new_cred
);
1054 my_cred
= kauth_cred_proc_ref(p
);
1055 my_pcred
= posix_cred_get(my_cred
);
1060 p
->p_ucred
= my_new_cred
;
1061 /* update cred on proc */
1062 PROC_UPDATE_CREDS_ONPROC(p
);
1063 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1066 if (ruid
!= KAUTH_UID_NONE
) {
1068 * We switched to a new ruid, so decrement the count of procs running
1069 * under the previous ruid
1071 (void)chgproccnt(my_pcred
->cr_ruid
, -1);
1076 /* drop old proc reference or our extra reference */
1077 kauth_cred_unref(&my_cred
);
1079 set_security_token(p
);
1087 * Description: Set group ID system call
1089 * Parameters: uap->gid gid to set
1091 * Returns: 0 Success
1092 * suser:EPERM Permission denied
1094 * Notes: If called by a privileged process, this function will set the
1095 * real, effective, and saved gid to the requested value.
1097 * If called from an unprivileged process, but gid is equal to the
1098 * real or saved gid, then the effective gid will be set to the
1099 * requested value, but the real and saved gid will not change.
1101 * If the credential is changed as a result of this call, then we
1102 * flag the process as having set privilege since the last exec.
1104 * As an implementation detail, the effective gid is stored as
1105 * the first element of the supplementary group list, and
1106 * therefore the effective group list may be reordered to keep
1107 * the supplementary group list unchanged.
1110 setgid(proc_t p
, struct setgid_args
*uap
, __unused
int32_t *retval
)
1113 gid_t rgid
= KAUTH_GID_NONE
;
1114 gid_t svgid
= KAUTH_GID_NONE
;
1116 kauth_cred_t my_cred
, my_new_cred
;
1117 posix_cred_t my_pcred
;
1119 DEBUG_CRED_ENTER("setgid(%d/%d): %d\n", p
->p_pid
, (p
->p_pptr
? p
->p_pptr
->p_pid
: 0), uap
->gid
);
1122 AUDIT_ARG(gid
, gid
);
1124 /* get current credential and take a reference while we muck with it */
1125 my_cred
= kauth_cred_proc_ref(p
);
1126 my_pcred
= posix_cred_get(my_cred
);
1129 if (gid
!= my_pcred
->cr_rgid
&& /* allow setgid(getgid()) */
1130 gid
!= my_pcred
->cr_svgid
&& /* allow setgid(saved gid) */
1131 (error
= suser(my_cred
, &p
->p_acflag
))) {
1132 kauth_cred_unref(&my_cred
);
1137 * If we are privileged, then set the saved and real GID too;
1138 * otherwise, just set the effective GID
1140 if (suser(my_cred
, &p
->p_acflag
) == 0) {
1144 svgid
= KAUTH_GID_NONE
;
1145 rgid
= KAUTH_GID_NONE
;
1149 * Set the credential with new info. If there is no change,
1150 * we get back the same credential we passed in; if there is
1151 * a change, we drop the reference on the credential we
1152 * passed in. The subsequent compare is safe, because it is
1153 * a pointer compare rather than a contents compare.
1155 my_new_cred
= kauth_cred_setresgid(my_cred
, rgid
, gid
, svgid
);
1156 if (my_cred
!= my_new_cred
) {
1158 DEBUG_CRED_CHANGE("setgid(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_cred
->cr_flags
, my_new_cred
, my_new_cred
->cr_flags
);
1162 * We need to protect for a race where another thread
1163 * also changed the credential after we took our
1164 * reference. If p_ucred has changed then we
1165 * should restart this again with the new cred.
1167 if (p
->p_ucred
!= my_cred
) {
1169 kauth_cred_unref(&my_new_cred
);
1171 my_cred
= kauth_cred_proc_ref(p
);
1172 my_pcred
= posix_cred_get(my_cred
);
1175 p
->p_ucred
= my_new_cred
;
1176 /* update cred on proc */
1177 PROC_UPDATE_CREDS_ONPROC(p
);
1178 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1183 /* Drop old proc reference or our extra reference */
1184 kauth_cred_unref(&my_cred
);
1186 set_security_token(p
);
1194 * Description: Set effective group ID system call
1196 * Parameters: uap->egid effective gid to set
1198 * Returns: 0 Success
1201 * Notes: If called by a privileged process, or called from an
1202 * unprivileged process but egid is equal to the real or saved
1203 * gid, then the effective gid will be set to the requested
1204 * value, but the real and saved gid will not change.
1206 * If the credential is changed as a result of this call, then we
1207 * flag the process as having set privilege since the last exec.
1209 * As an implementation detail, the effective gid is stored as
1210 * the first element of the supplementary group list, and
1211 * therefore the effective group list may be reordered to keep
1212 * the supplementary group list unchanged.
1215 setegid(proc_t p
, struct setegid_args
*uap
, __unused
int32_t *retval
)
1219 kauth_cred_t my_cred
, my_new_cred
;
1220 posix_cred_t my_pcred
;
1222 DEBUG_CRED_ENTER("setegid %d\n", uap
->egid
);
1225 AUDIT_ARG(egid
, egid
);
1227 /* get current credential and take a reference while we muck with it */
1228 my_cred
= kauth_cred_proc_ref(p
);
1229 my_pcred
= posix_cred_get(my_cred
);
1233 if (egid
!= my_pcred
->cr_rgid
&&
1234 egid
!= my_pcred
->cr_svgid
&&
1235 (error
= suser(my_cred
, &p
->p_acflag
))) {
1236 kauth_cred_unref(&my_cred
);
1240 * Set the credential with new info. If there is no change,
1241 * we get back the same credential we passed in; if there is
1242 * a change, we drop the reference on the credential we
1243 * passed in. The subsequent compare is safe, because it is
1244 * a pointer compare rather than a contents compare.
1246 my_new_cred
= kauth_cred_setresgid(my_cred
, KAUTH_GID_NONE
, egid
, KAUTH_GID_NONE
);
1247 if (my_cred
!= my_new_cred
) {
1249 DEBUG_CRED_CHANGE("setegid(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
1253 * We need to protect for a race where another thread
1254 * also changed the credential after we took our
1255 * reference. If p_ucred has changed then we
1256 * should restart this again with the new cred.
1258 if (p
->p_ucred
!= my_cred
) {
1260 kauth_cred_unref(&my_new_cred
);
1262 my_cred
= kauth_cred_proc_ref(p
);
1263 my_pcred
= posix_cred_get(my_cred
);
1266 p
->p_ucred
= my_new_cred
;
1267 /* update cred on proc */
1268 PROC_UPDATE_CREDS_ONPROC(p
);
1269 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1275 /* Drop old proc reference or our extra reference */
1276 kauth_cred_unref(&my_cred
);
1278 set_security_token(p
);
1285 * Description: Set real and effective group ID system call
1287 * Parameters: uap->rgid real gid to set
1288 * uap->egid effective gid to set
1290 * Returns: 0 Success
1291 * suser:EPERM Permission denied
1293 * Notes: A value of -1 is a special case indicating that the gid for
1294 * which that value is specified not be changed. If both values
1295 * are specified as -1, no action is taken.
1297 * If called by a privileged process, the real and effective gid
1298 * will be set to the new value(s) specified.
1300 * If called from an unprivileged process, the real gid may be
1301 * set to the current value of the real gid, or to the current
1302 * value of the saved gid. The effective gid may be set to the
1303 * current value of any of the effective, real, or saved gid.
1305 * If the new real and effective gid will not be equal, or the
1306 * new real or effective gid is not the same as the saved gid,
1307 * then the saved gid will be updated to reflect the new
1308 * effective gid (potentially unrecoverably dropping saved
1311 * If the credential is changed as a result of this call, then we
1312 * flag the process as having set privilege since the last exec.
1314 * As an implementation detail, the effective gid is stored as
1315 * the first element of the supplementary group list, and
1316 * therefore the effective group list may be reordered to keep
1317 * the supplementary group list unchanged.
1320 setregid(proc_t p
, struct setregid_args
*uap
, __unused
int32_t *retval
)
1324 kauth_cred_t my_cred
, my_new_cred
;
1325 posix_cred_t my_pcred
;
1327 DEBUG_CRED_ENTER("setregid %d %d\n", uap
->rgid
, uap
->egid
);
1332 if (rgid
== (uid_t
)-1)
1333 rgid
= KAUTH_GID_NONE
;
1334 if (egid
== (uid_t
)-1)
1335 egid
= KAUTH_GID_NONE
;
1336 AUDIT_ARG(egid
, egid
);
1337 AUDIT_ARG(rgid
, rgid
);
1339 /* get current credential and take a reference while we muck with it */
1340 my_cred
= kauth_cred_proc_ref(p
);
1341 my_pcred
= posix_cred_get(my_cred
);
1345 if (((rgid
!= KAUTH_UID_NONE
&& /* allow no change of rgid */
1346 rgid
!= my_pcred
->cr_rgid
&& /* allow rgid = rgid */
1347 rgid
!= my_pcred
->cr_gid
&& /* allow rgid = egid */
1348 rgid
!= my_pcred
->cr_svgid
) || /* allow rgid = svgid */
1349 (egid
!= KAUTH_UID_NONE
&& /* allow no change of egid */
1350 egid
!= my_pcred
->cr_groups
[0] && /* allow no change of egid */
1351 egid
!= my_pcred
->cr_gid
&& /* allow egid = egid */
1352 egid
!= my_pcred
->cr_rgid
&& /* allow egid = rgid */
1353 egid
!= my_pcred
->cr_svgid
)) && /* allow egid = svgid */
1354 (error
= suser(my_cred
, &p
->p_acflag
))) { /* allow root user any */
1355 kauth_cred_unref(&my_cred
);
1359 uid_t new_egid
= my_pcred
->cr_gid
;
1360 uid_t new_rgid
= my_pcred
->cr_rgid
;
1361 uid_t svgid
= KAUTH_UID_NONE
;
1365 * Set the credential with new info. If there is no change,
1366 * we get back the same credential we passed in; if there is
1367 * a change, we drop the reference on the credential we
1368 * passed in. The subsequent compare is safe, because it is
1369 * a pointer compare rather than a contents compare.
1371 if (egid
!= KAUTH_UID_NONE
&& my_pcred
->cr_gid
!= egid
) {
1372 /* changing the effective GID */
1374 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1376 if (rgid
!= KAUTH_UID_NONE
&& my_pcred
->cr_rgid
!= rgid
) {
1377 /* changing the real GID */
1379 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1382 * If the newly requested real gid or effective gid does
1383 * not match the saved gid, then set the saved gid to the
1384 * new effective gid. We are protected from escalation
1385 * by the prechecking.
1387 if (my_pcred
->cr_svgid
!= uap
->rgid
&&
1388 my_pcred
->cr_svgid
!= uap
->egid
) {
1390 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1393 my_new_cred
= kauth_cred_setresgid(my_cred
, rgid
, egid
, svgid
);
1394 if (my_cred
!= my_new_cred
) {
1396 DEBUG_CRED_CHANGE("setregid(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_pcred
->cr_flags
, my_new_cred
, posix_cred_get(my_new_cred
)->cr_flags
);
1399 /* need to protect for a race where another thread
1400 * also changed the credential after we took our
1401 * reference. If p_ucred has changed then we
1402 * should restart this again with the new cred.
1404 if (p
->p_ucred
!= my_cred
) {
1406 kauth_cred_unref(&my_new_cred
);
1408 my_cred
= kauth_cred_proc_ref(p
);
1409 my_pcred
= posix_cred_get(my_cred
);
1412 p
->p_ucred
= my_new_cred
;
1413 /* update cred on proc */
1414 PROC_UPDATE_CREDS_ONPROC(p
);
1415 OSBitOrAtomic(P_SUGID
, &p
->p_flag
); /* XXX redundant? */
1420 /* Drop old proc reference or our extra reference */
1421 kauth_cred_unref(&my_cred
);
1423 set_security_token(p
);
1429 * Set the per-thread override identity. The first parameter can be the
1430 * current real UID, KAUTH_UID_NONE, or, if the caller is privileged, it
1431 * can be any UID. If it is KAUTH_UID_NONE, then as a special case, this
1432 * means "revert to the per process credential"; otherwise, if permitted,
1433 * it changes the effective, real, and saved UIDs and GIDs for the current
1434 * thread to the requested UID and single GID, and clears all other GIDs.
1437 settid(proc_t p
, struct settid_args
*uap
, __unused
int32_t *retval
)
1440 struct uthread
*uthread
= get_bsdthread_info(current_thread());
1446 AUDIT_ARG(uid
, uid
);
1447 AUDIT_ARG(gid
, gid
);
1449 if (proc_suser(p
) != 0)
1452 if (uid
== KAUTH_UID_NONE
) {
1454 /* must already be assuming another identity in order to revert back */
1455 if ((uthread
->uu_flag
& UT_SETUID
) == 0)
1458 /* revert to delayed binding of process credential */
1459 uc
= kauth_cred_proc_ref(p
);
1460 kauth_cred_unref(&uthread
->uu_ucred
);
1461 uthread
->uu_ucred
= uc
;
1462 uthread
->uu_flag
&= ~UT_SETUID
;
1464 kauth_cred_t my_cred
, my_new_cred
;
1466 /* cannot already be assuming another identity */
1467 if ((uthread
->uu_flag
& UT_SETUID
) != 0) {
1472 * Get a new credential instance from the old if this one
1473 * changes; otherwise kauth_cred_setuidgid() returns the
1474 * same credential. We take an extra reference on the
1475 * current credential while we muck with it, so we can do
1476 * the post-compare for changes by pointer.
1478 kauth_cred_ref(uthread
->uu_ucred
);
1479 my_cred
= uthread
->uu_ucred
;
1480 my_new_cred
= kauth_cred_setuidgid(my_cred
, uid
, gid
);
1481 if (my_cred
!= my_new_cred
)
1482 uthread
->uu_ucred
= my_new_cred
;
1483 uthread
->uu_flag
|= UT_SETUID
;
1485 /* Drop old uthread reference or our extra reference */
1486 kauth_cred_unref(&my_cred
);
1489 * XXX should potentially set per thread security token (there is
1491 * XXX it is unclear whether P_SUGID should be st at this point;
1492 * XXX in theory, it is being deprecated.
1499 * Set the per-thread override identity. Use this system call for a thread to
1500 * assume the identity of another process or to revert back to normal identity
1501 * of the current process.
1503 * When the "assume" argument is non zero the current thread will assume the
1504 * identity of the process represented by the pid argument.
1506 * When the assume argument is zero we revert back to our normal identity.
1509 settid_with_pid(proc_t p
, struct settid_with_pid_args
*uap
, __unused
int32_t *retval
)
1512 struct uthread
*uthread
= get_bsdthread_info(current_thread());
1513 kauth_cred_t my_cred
, my_target_cred
, my_new_cred
;
1514 posix_cred_t my_target_pcred
;
1516 AUDIT_ARG(pid
, uap
->pid
);
1517 AUDIT_ARG(value32
, uap
->assume
);
1519 if (proc_suser(p
) != 0) {
1524 * XXX should potentially set per thread security token (there is
1526 * XXX it is unclear whether P_SUGID should be st at this point;
1527 * XXX in theory, it is being deprecated.
1531 * assume argument tells us to assume the identity of the process with the
1532 * id passed in the pid argument.
1534 if (uap
->assume
!= 0) {
1535 /* can't do this if we have already assumed an identity */
1536 if ((uthread
->uu_flag
& UT_SETUID
) != 0)
1539 target_proc
= proc_find(uap
->pid
);
1540 /* can't assume the identity of the kernel process */
1541 if (target_proc
== NULL
|| target_proc
== kernproc
) {
1542 if (target_proc
!= NULL
)
1543 proc_rele(target_proc
);
1548 * Take a reference on the credential used in our target
1549 * process then use it as the identity for our current
1550 * thread. We take an extra reference on the current
1551 * credential while we muck with it, so we can do the
1552 * post-compare for changes by pointer.
1554 * The post-compare is needed for the case that our process
1555 * credential has been changed to be identical to our thread
1556 * credential following our assumption of a per-thread one,
1557 * since the credential cache will maintain a unique instance.
1559 kauth_cred_ref(uthread
->uu_ucred
);
1560 my_cred
= uthread
->uu_ucred
;
1561 my_target_cred
= kauth_cred_proc_ref(target_proc
);
1562 my_target_pcred
= posix_cred_get(my_target_cred
);
1563 my_new_cred
= kauth_cred_setuidgid(my_cred
, my_target_pcred
->cr_uid
, my_target_pcred
->cr_gid
);
1564 if (my_cred
!= my_new_cred
)
1565 uthread
->uu_ucred
= my_new_cred
;
1567 uthread
->uu_flag
|= UT_SETUID
;
1569 /* Drop old uthread reference or our extra reference */
1570 proc_rele(target_proc
);
1571 kauth_cred_unref(&my_cred
);
1572 kauth_cred_unref(&my_target_cred
);
1578 * Otherwise, we are reverting back to normal mode of operation where
1579 * delayed binding of the process credential sets the credential in
1580 * the thread (uu_ucred)
1582 if ((uthread
->uu_flag
& UT_SETUID
) == 0)
1585 /* revert to delayed binding of process credential */
1586 my_new_cred
= kauth_cred_proc_ref(p
);
1587 kauth_cred_unref(&uthread
->uu_ucred
);
1588 uthread
->uu_ucred
= my_new_cred
;
1589 uthread
->uu_flag
&= ~UT_SETUID
;
1598 * Description: Internal implementation for both the setgroups and initgroups
1601 * Parameters: gidsetsize Number of groups in set
1602 * gidset Pointer to group list
1603 * gmuid Base gid (initgroups only!)
1605 * Returns: 0 Success
1606 * suser:EPERM Permision denied
1607 * EINVAL Invalid gidsetsize value
1608 * copyin:EFAULT Bad gidset or gidsetsize is
1611 * Notes: When called from a thread running under an assumed per-thread
1612 * identity, this function will operate against the per-thread
1613 * credential, rather than against the process credential. In
1614 * this specific case, the process credential is verified to
1615 * still be privileged at the time of the call, rather than the
1616 * per-thread credential for this operation to be permitted.
1618 * This effectively means that setgroups/initigroups calls in
1619 * a thread running a per-thread credential should occur *after*
1620 * the settid call that created it, not before (unlike setuid,
1621 * which must be called after, since it will result in privilege
1624 * When called normally (i.e. no per-thread assumed identity),
1625 * the per process credential is updated per POSIX.
1627 * If the credential is changed as a result of this call, then we
1628 * flag the process as having set privilege since the last exec.
1631 setgroups1(proc_t p
, u_int gidsetsize
, user_addr_t gidset
, uid_t gmuid
, __unused
int32_t *retval
)
1634 gid_t newgroups
[NGROUPS
] = { 0 };
1636 kauth_cred_t my_cred
, my_new_cred
;
1637 struct uthread
*uthread
= get_bsdthread_info(current_thread());
1639 DEBUG_CRED_ENTER("setgroups1 (%d/%d): %d 0x%016x %d\n", p
->p_pid
, (p
->p_pptr
? p
->p_pptr
->p_pid
: 0), gidsetsize
, gidset
, gmuid
);
1648 error
= copyin(gidset
,
1649 (caddr_t
)newgroups
, ngrp
* sizeof(gid_t
));
1655 my_cred
= kauth_cred_proc_ref(p
);
1656 if ((error
= suser(my_cred
, &p
->p_acflag
))) {
1657 kauth_cred_unref(&my_cred
);
1661 if ((uthread
->uu_flag
& UT_SETUID
) != 0) {
1663 int my_cred_flags
= uthread
->uu_ucred
->cr_flags
;
1664 #endif /* DEBUG_CRED */
1665 kauth_cred_unref(&my_cred
);
1668 * If this thread is under an assumed identity, set the
1669 * supplementary grouplist on the thread credential instead
1670 * of the process one. If we were the only reference holder,
1671 * the credential is updated in place, otherwise, our reference
1672 * is dropped and we get back a different cred with a reference
1673 * already held on it. Because this is per-thread, we don't
1674 * need the referencing/locking/retry required for per-process.
1676 my_cred
= uthread
->uu_ucred
;
1677 uthread
->uu_ucred
= kauth_cred_setgroups(my_cred
, &newgroups
[0], ngrp
, gmuid
);
1679 if (my_cred
!= uthread
->uu_ucred
) {
1680 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_cred_flags
, uthread
->uu_ucred
, uthread
->uu_ucred
->cr_flags
);
1682 #endif /* DEBUG_CRED */
1686 * get current credential and take a reference while we muck
1691 * Set the credential with new info. If there is no
1692 * change, we get back the same credential we passed
1693 * in; if there is a change, we drop the reference on
1694 * the credential we passed in. The subsequent
1695 * compare is safe, because it is a pointer compare
1696 * rather than a contents compare.
1698 my_new_cred
= kauth_cred_setgroups(my_cred
, &newgroups
[0], ngrp
, gmuid
);
1699 if (my_cred
!= my_new_cred
) {
1701 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p
->p_pid
, my_cred
, my_cred
->cr_flags
, my_new_cred
, my_new_cred
->cr_flags
);
1705 * We need to protect for a race where another
1706 * thread also changed the credential after we
1707 * took our reference. If p_ucred has
1708 * changed then we should restart this again
1709 * with the new cred.
1711 if (p
->p_ucred
!= my_cred
) {
1713 kauth_cred_unref(&my_new_cred
);
1714 my_cred
= kauth_cred_proc_ref(p
);
1718 p
->p_ucred
= my_new_cred
;
1719 /* update cred on proc */
1720 PROC_UPDATE_CREDS_ONPROC(p
);
1721 OSBitOrAtomic(P_SUGID
, &p
->p_flag
);
1726 /* Drop old proc reference or our extra reference */
1727 AUDIT_ARG(groupset
, posix_cred_get(my_cred
)->cr_groups
, ngrp
);
1728 kauth_cred_unref(&my_cred
);
1731 set_security_token(p
);
1741 * Description: Initialize the default supplementary groups list and set the
1742 * gmuid for use by the external group resolver (if any)
1744 * Parameters: uap->gidsetsize Number of groups in set
1745 * uap->gidset Pointer to group list
1746 * uap->gmuid Base gid
1748 * Returns: 0 Success
1749 * setgroups1:EPERM Permision denied
1750 * setgroups1:EINVAL Invalid gidsetsize value
1751 * setgroups1:EFAULT Bad gidset or gidsetsize is
1753 * Notes: This function opts *IN* to memberd participation
1755 * The normal purpose of this function is for a privileged
1756 * process to indicate supplementary groups and identity for
1757 * participation in extended group membership resolution prior
1758 * to dropping privilege by assuming a specific user identity.
1760 * It is the first half of the primary mechanism whereby user
1761 * identity is established to the system by programs such as
1762 * /usr/bin/login. The second half is the drop of uid privilege
1763 * for a specific uid corresponding to the user.
1765 * See also: setgroups1()
1768 initgroups(proc_t p
, struct initgroups_args
*uap
, __unused
int32_t *retval
)
1770 DEBUG_CRED_ENTER("initgroups\n");
1772 return(setgroups1(p
, uap
->gidsetsize
, uap
->gidset
, uap
->gmuid
, retval
));
1779 * Description: Initialize the default supplementary groups list
1781 * Parameters: gidsetsize Number of groups in set
1782 * gidset Pointer to group list
1784 * Returns: 0 Success
1785 * setgroups1:EPERM Permision denied
1786 * setgroups1:EINVAL Invalid gidsetsize value
1787 * setgroups1:EFAULT Bad gidset or gidsetsize is
1789 * Notes: This functions opts *OUT* of memberd participation.
1791 * This function exists for compatibility with POSIX. Most user
1792 * programs should use initgroups() instead to ensure correct
1793 * participation in group membership resolution when utilizing
1794 * a directory service for authentication.
1796 * It is identical to an initgroups() call with a gmuid argument
1797 * of KAUTH_UID_NONE.
1799 * See also: setgroups1()
1802 setgroups(proc_t p
, struct setgroups_args
*uap
, __unused
int32_t *retval
)
1804 DEBUG_CRED_ENTER("setgroups\n");
1806 return(setgroups1(p
, uap
->gidsetsize
, uap
->gidset
, KAUTH_UID_NONE
, retval
));
1811 * Set the per-thread/per-process supplementary groups list.
1813 * XXX implement setsgroups
1818 setsgroups(__unused proc_t p
, __unused
struct setsgroups_args
*uap
, __unused
int32_t *retval
)
1824 * Set the per-thread/per-process whiteout groups list.
1826 * XXX implement setwgroups
1831 setwgroups(__unused proc_t p
, __unused
struct setwgroups_args
*uap
, __unused
int32_t *retval
)
1838 * Check if gid is a member of the group set.
1840 * XXX This interface is going away; use kauth_cred_ismember_gid() directly
1844 groupmember(gid_t gid
, kauth_cred_t cred
)
1848 if (kauth_cred_ismember_gid(cred
, gid
, &is_member
) == 0 && is_member
)
1855 * Test whether the specified credentials imply "super-user"
1856 * privilege; if so, and we have accounting info, set the flag
1857 * indicating use of super-powers.
1858 * Returns 0 or error.
1860 * XXX This interface is going away; use kauth_cred_issuser() directly
1863 * Note: This interface exists to implement the "has used privilege"
1864 * bit (ASU) in the p_acflags field of the process, which is
1865 * only externalized via private sysctl and in process accounting
1866 * records. The flag is technically not required in either case.
1869 suser(kauth_cred_t cred
, u_short
*acflag
)
1872 if (!IS_VALID_CRED(cred
))
1875 if (kauth_cred_getuid(cred
) == 0) {
1887 * Description: Get login name, if available.
1889 * Parameters: uap->namebuf User buffer for return
1890 * uap->namelen User buffer length
1892 * Returns: 0 Success
1895 * Notes: Intended to obtain a string containing the user name of the
1896 * user associated with the controlling terminal for the calling
1899 * Not very useful on modern systems, due to inherent length
1900 * limitations for the static array in the session structure
1901 * which is used to store the login name.
1903 * Permitted to return NULL
1905 * XXX: Belongs in kern_proc.c
1908 getlogin(proc_t p
, struct getlogin_args
*uap
, __unused
int32_t *retval
)
1910 char buffer
[MAXLOGNAME
+1];
1911 struct session
* sessp
;
1913 bzero(buffer
, MAXLOGNAME
+1);
1915 sessp
= proc_session(p
);
1917 if (uap
->namelen
> MAXLOGNAME
)
1918 uap
->namelen
= MAXLOGNAME
;
1920 if(sessp
!= SESSION_NULL
) {
1921 session_lock(sessp
);
1922 bcopy( sessp
->s_login
, buffer
, uap
->namelen
);
1923 session_unlock(sessp
);
1925 session_rele(sessp
);
1927 return (copyout((caddr_t
)buffer
, uap
->namebuf
, uap
->namelen
));
1934 * Description: Set login name.
1936 * Parameters: uap->namebuf User buffer containing name
1938 * Returns: 0 Success
1939 * suser:EPERM Permission denied
1940 * copyinstr:EFAULT User buffer invalid
1941 * copyinstr:EINVAL Supplied name was too long
1943 * Notes: This is a utility system call to support getlogin().
1945 * XXX: Belongs in kern_proc.c
1948 setlogin(proc_t p
, struct setlogin_args
*uap
, __unused
int32_t *retval
)
1952 char buffer
[MAXLOGNAME
+1];
1953 struct session
* sessp
;
1955 if ((error
= proc_suser(p
)))
1958 bzero(&buffer
[0], MAXLOGNAME
+1);
1961 error
= copyinstr(uap
->namebuf
,
1962 (caddr_t
) &buffer
[0],
1963 MAXLOGNAME
- 1, (size_t *)&dummy
);
1965 sessp
= proc_session(p
);
1967 if (sessp
!= SESSION_NULL
) {
1968 session_lock(sessp
);
1969 bcopy(buffer
, sessp
->s_login
, MAXLOGNAME
);
1970 session_unlock(sessp
);
1971 session_rele(sessp
);
1976 AUDIT_ARG(text
, buffer
);
1977 } else if (error
== ENAMETOOLONG
)
1983 /* Set the secrity token of the task with current euid and eguid */
1985 * XXX This needs to change to give the task a reference and/or an opaque
1989 set_security_token(proc_t p
)
1991 security_token_t sec_token
;
1992 audit_token_t audit_token
;
1993 kauth_cred_t my_cred
;
1994 posix_cred_t my_pcred
;
1995 host_priv_t host_priv
;
1998 * Don't allow a vfork child to override the parent's token settings
1999 * (since they share a task). Instead, the child will just have to
2000 * suffer along using the parent's token until the exec(). It's all
2001 * undefined behavior anyway, right?
2003 if (p
->task
== current_task()) {
2005 uthread
= (uthread_t
)get_bsdthread_info(current_thread());
2006 if (uthread
->uu_flag
& UT_VFORK
)
2010 my_cred
= kauth_cred_proc_ref(p
);
2011 my_pcred
= posix_cred_get(my_cred
);
2013 /* XXX mach_init doesn't have a p_ucred when it calls this function */
2014 if (IS_VALID_CRED(my_cred
)) {
2015 sec_token
.val
[0] = kauth_cred_getuid(my_cred
);
2016 sec_token
.val
[1] = kauth_cred_getgid(my_cred
);
2018 sec_token
.val
[0] = 0;
2019 sec_token
.val
[1] = 0;
2023 * The current layout of the Mach audit token explicitly
2024 * adds these fields. But nobody should rely on such
2025 * a literal representation. Instead, the BSM library
2026 * provides a function to convert an audit token into
2027 * a BSM subject. Use of that mechanism will isolate
2028 * the user of the trailer from future representation
2031 audit_token
.val
[0] = my_cred
->cr_audit
.as_aia_p
->ai_auid
;
2032 audit_token
.val
[1] = my_pcred
->cr_uid
;
2033 audit_token
.val
[2] = my_pcred
->cr_gid
;
2034 audit_token
.val
[3] = my_pcred
->cr_ruid
;
2035 audit_token
.val
[4] = my_pcred
->cr_rgid
;
2036 audit_token
.val
[5] = p
->p_pid
;
2037 audit_token
.val
[6] = my_cred
->cr_audit
.as_aia_p
->ai_asid
;
2038 audit_token
.val
[7] = p
->p_idversion
;
2040 host_priv
= (sec_token
.val
[0]) ? HOST_PRIV_NULL
: host_priv_self();
2042 if (host_priv
!= HOST_PRIV_NULL
&& mac_system_check_host_priv(my_cred
))
2043 host_priv
= HOST_PRIV_NULL
;
2045 kauth_cred_unref(&my_cred
);
2047 #if DEVELOPMENT || DEBUG
2049 * Update the pid an proc name for importance base if any
2051 task_importance_update_owner_info(p
->task
);
2054 return (host_security_set_task_token(host_security_self(),
2058 host_priv
) != KERN_SUCCESS
);
2063 * Fill in a struct xucred based on a kauth_cred_t.
2067 cru2x(kauth_cred_t cr
, struct xucred
*xcr
)
2069 posix_cred_t pcr
= posix_cred_get(cr
);
2071 bzero(xcr
, sizeof(*xcr
));
2072 xcr
->cr_version
= XUCRED_VERSION
;
2073 xcr
->cr_uid
= kauth_cred_getuid(cr
);
2074 xcr
->cr_ngroups
= pcr
->cr_ngroups
;
2075 bcopy(pcr
->cr_groups
, xcr
->cr_groups
, sizeof(xcr
->cr_groups
));
2081 * Set Login Context ID
2084 * MPSAFE - assignment of (visible) process to context protected by ALLLCTX_LOCK,
2085 * LCTX by its own locks.
2088 setlcid(proc_t p0
, struct setlcid_args
*uap
, __unused
int32_t *retval
)
2095 AUDIT_ARG(pid
, uap
->pid
);
2096 AUDIT_ARG(value32
, uap
->lcid
);
2097 if (uap
->pid
== LCID_PROC_SELF
) { /* Create/Join/Leave */
2099 } else { /* Adopt/Orphan */
2100 p
= proc_find(uap
->pid
);
2107 error
= mac_proc_check_setlcid(p0
, p
, uap
->pid
, uap
->lcid
);
2112 switch (uap
->lcid
) {
2116 /* Only root may Leave/Orphan. */
2117 if (!kauth_cred_issuser(kauth_cred_get())) {
2122 /* Process not in login context. */
2123 if (p
->p_lctx
== NULL
) {
2135 /* Create only valid for self! */
2136 if (uap
->pid
!= LCID_PROC_SELF
) {
2141 /* Already in a login context. */
2142 if (p
->p_lctx
!= NULL
) {
2160 /* Only root may Join/Adopt. */
2161 if (!kauth_cred_issuser(kauth_cred_get())) {
2166 l
= lcfind(uap
->lcid
);
2177 enterlctx(p
, l
, (uap
->lcid
== LCID_CREATE
) ? 1 : 0);
2187 * Get Login Context ID
2190 * MPSAFE - membership of (visible) process in a login context
2191 * protected by the all-context lock.
2194 getlcid(proc_t p0
, struct getlcid_args
*uap
, int32_t *retval
)
2200 AUDIT_ARG(pid
, uap
->pid
);
2201 if (uap
->pid
== LCID_PROC_SELF
) {
2204 p
= proc_find(uap
->pid
);
2211 error
= mac_proc_check_getlcid(p0
, p
, uap
->pid
);
2216 if (p
->p_lctx
== NULL
) {
2221 *retval
= p
->p_lctx
->lc_id
;
2231 setlcid(proc_t p0
, struct setlcid_args
*uap
, int32_t *retval
)
2238 getlcid(proc_t p0
, struct getlcid_args
*uap
, int32_t *retval
)