]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_prot.c
d2408a2f3e3005e8df9c0dfcbc3d5c474e551da9
[apple/xnu.git] / bsd / kern / kern_prot.c
1 /*
2 * Copyright (c) 2000-2008 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 *
28 *
29 * Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved
30 *
31 *
32 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
33 * The Regents of the University of California. All rights reserved.
34 * (c) UNIX System Laboratories, Inc.
35 * All or some portions of this file are derived from material licensed
36 * to the University of California by American Telephone and Telegraph
37 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
38 * the permission of UNIX System Laboratories, Inc.
39 *
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
42 * are met:
43 * 1. Redistributions of source code must retain the above copyright
44 * notice, this list of conditions and the following disclaimer.
45 * 2. Redistributions in binary form must reproduce the above copyright
46 * notice, this list of conditions and the following disclaimer in the
47 * documentation and/or other materials provided with the distribution.
48 * 3. All advertising materials mentioning features or use of this software
49 * must display the following acknowledgement:
50 * This product includes software developed by the University of
51 * California, Berkeley and its contributors.
52 * 4. Neither the name of the University nor the names of its contributors
53 * may be used to endorse or promote products derived from this software
54 * without specific prior written permission.
55 *
56 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
57 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
58 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
59 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
60 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
61 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
62 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
63 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
64 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
65 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
66 * SUCH DAMAGE.
67 *
68 * @(#)kern_prot.c 8.9 (Berkeley) 2/14/95
69 *
70 *
71 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
72 * support for mandatory and extensible security protections. This notice
73 * is included in support of clause 2.2 (b) of the Apple Public License,
74 * Version 2.0.
75 *
76 *
77 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
78 * support for mandatory and extensible security protections. This notice
79 * is included in support of clause 2.2 (b) of the Apple Public License,
80 * Version 2.0.
81 *
82 */
83
84 /*
85 * System calls related to processes and protection
86 */
87
88 #include <sys/param.h>
89 #include <sys/acct.h>
90 #include <sys/systm.h>
91 #include <sys/ucred.h>
92 #include <sys/proc_internal.h>
93 #include <sys/user.h>
94 #include <sys/kauth.h>
95 #include <sys/timeb.h>
96 #include <sys/times.h>
97 #include <sys/malloc.h>
98
99 #include <security/audit/audit.h>
100
101 #if CONFIG_LCTX
102 #include <sys/lctx.h>
103 #endif
104
105 #if CONFIG_MACF
106 #include <security/mac_framework.h>
107 #if CONFIG_MACF_MACH
108 #include <secuity/mac_mach_internal.h>
109 #endif
110 #endif
111
112 #include <sys/mount_internal.h>
113 #include <sys/sysproto.h>
114 #include <mach/message.h>
115 #include <mach/host_security.h>
116
117 #include <kern/host.h>
118 #include <kern/task.h> /* for current_task() */
119 #include <kern/assert.h>
120
121
122 /*
123 * Credential debugging; we can track entry into a function that might
124 * change a credential, and we can track actual credential changes that
125 * result.
126 *
127 * Note: Does *NOT* currently include per-thread credential changes
128 *
129 * We don't use kauth_cred_print() in current debugging, but it
130 * can be used if needed when debugging is active.
131 */
132 #if DEBUG_CRED
133 #define DEBUG_CRED_ENTER printf
134 #define DEBUG_CRED_CHANGE printf
135 extern void kauth_cred_print(kauth_cred_t cred);
136 #else /* !DEBUG_CRED */
137 #define DEBUG_CRED_ENTER(fmt, ...) do {} while (0)
138 #define DEBUG_CRED_CHANGE(fmt, ...) do {} while (0)
139 #endif /* !DEBUG_CRED */
140
141
142
143 /*
144 * setprivexec
145 *
146 * Description: (dis)allow this process to hold task, thread, or execption
147 * ports of processes about to exec.
148 *
149 * Parameters: uap->flag New value for flag
150 *
151 * Returns: int Previous value of flag
152 *
153 * XXX: Belongs in kern_proc.c
154 */
155 int
156 setprivexec(proc_t p, struct setprivexec_args *uap, int32_t *retval)
157 {
158 AUDIT_ARG(value32, uap->flag);
159 *retval = p->p_debugger;
160 p->p_debugger = (uap->flag != 0);
161 return(0);
162 }
163
164
165 /*
166 * getpid
167 *
168 * Description: get the process ID
169 *
170 * Parameters: (void)
171 *
172 * Returns: pid_t Current process ID
173 *
174 * XXX: Belongs in kern_proc.c
175 */
176 int
177 getpid(proc_t p, __unused struct getpid_args *uap, int32_t *retval)
178 {
179
180 *retval = p->p_pid;
181 return (0);
182 }
183
184
185 /*
186 * getppid
187 *
188 * Description: get the parent process ID
189 *
190 * Parameters: (void)
191 *
192 * Returns: pid_t Parent process ID
193 *
194 * XXX: Belongs in kern_proc.c
195 */
196 int
197 getppid(proc_t p, __unused struct getppid_args *uap, int32_t *retval)
198 {
199
200 *retval = p->p_ppid;
201 return (0);
202 }
203
204
205 /*
206 * getpgrp
207 *
208 * Description: get the process group ID of the calling process
209 *
210 * Parameters: (void)
211 *
212 * Returns: pid_t Process group ID
213 *
214 * XXX: Belongs in kern_proc.c
215 */
216 int
217 getpgrp(proc_t p, __unused struct getpgrp_args *uap, int32_t *retval)
218 {
219
220 *retval = p->p_pgrpid;
221 return (0);
222 }
223
224
225 /*
226 * getpgid
227 *
228 * Description: Get an arbitary pid's process group id
229 *
230 * Parameters: uap->pid The target pid
231 *
232 * Returns: 0 Success
233 * ESRCH No such process
234 *
235 * Notes: We are permitted to return EPERM in the case that the target
236 * process is not in the same session as the calling process,
237 * which could be a security consideration
238 *
239 * XXX: Belongs in kern_proc.c
240 */
241 int
242 getpgid(proc_t p, struct getpgid_args *uap, int32_t *retval)
243 {
244 proc_t pt;
245 int refheld = 0;
246
247 pt = p;
248 if (uap->pid == 0)
249 goto found;
250
251 if ((pt = proc_find(uap->pid)) == 0)
252 return (ESRCH);
253 refheld = 1;
254 found:
255 *retval = pt->p_pgrpid;
256 if (refheld != 0)
257 proc_rele(pt);
258 return (0);
259 }
260
261
262 /*
263 * getsid
264 *
265 * Description: Get an arbitary pid's session leaders process group ID
266 *
267 * Parameters: uap->pid The target pid
268 *
269 * Returns: 0 Success
270 * ESRCH No such process
271 *
272 * Notes: We are permitted to return EPERM in the case that the target
273 * process is not in the same session as the calling process,
274 * which could be a security consideration
275 *
276 * XXX: Belongs in kern_proc.c
277 */
278 int
279 getsid(proc_t p, struct getsid_args *uap, int32_t *retval)
280 {
281 proc_t pt;
282 int refheld = 0;
283 struct session * sessp;
284
285 pt = p;
286 if (uap->pid == 0)
287 goto found;
288
289 if ((pt = proc_find(uap->pid)) == 0)
290 return (ESRCH);
291 refheld = 1;
292 found:
293 sessp = proc_session(pt);
294 *retval = sessp->s_sid;
295 session_rele(sessp);
296
297 if (refheld != 0)
298 proc_rele(pt);
299 return (0);
300 }
301
302
303 /*
304 * getuid
305 *
306 * Description: get real user ID for caller
307 *
308 * Parameters: (void)
309 *
310 * Returns: uid_t The real uid of the caller
311 */
312 int
313 getuid(__unused proc_t p, __unused struct getuid_args *uap, int32_t *retval)
314 {
315
316 *retval = kauth_getruid();
317 return (0);
318 }
319
320
321 /*
322 * geteuid
323 *
324 * Description: get effective user ID for caller
325 *
326 * Parameters: (void)
327 *
328 * Returns: uid_t The effective uid of the caller
329 */
330 int
331 geteuid(__unused proc_t p, __unused struct geteuid_args *uap, int32_t *retval)
332 {
333
334 *retval = kauth_getuid();
335 return (0);
336 }
337
338
339 /*
340 * gettid
341 *
342 * Description: Return the per-thread override identity.
343 *
344 * Parameters: uap->uidp Address of uid_t to get uid
345 * uap->gidp Address of gid_t to get gid
346 *
347 * Returns: 0 Success
348 * ESRCH No per thread identity active
349 */
350 int
351 gettid(__unused proc_t p, struct gettid_args *uap, int32_t *retval)
352 {
353 struct uthread *uthread = get_bsdthread_info(current_thread());
354 int error;
355
356 /*
357 * If this thread is not running with an override identity, we can't
358 * return one to the caller, so return an error instead.
359 */
360 if (!(uthread->uu_flag & UT_SETUID))
361 return (ESRCH);
362
363 if ((error = suword(uap->uidp, kauth_cred_getruid(uthread->uu_ucred))))
364 return (error);
365 if ((error = suword(uap->gidp, kauth_cred_getrgid(uthread->uu_ucred))))
366 return (error);
367
368 *retval = 0;
369 return (0);
370 }
371
372
373 /*
374 * getgid
375 *
376 * Description: get the real group ID for the calling process
377 *
378 * Parameters: (void)
379 *
380 * Returns: gid_t The real gid of the caller
381 */
382 int
383 getgid(__unused proc_t p, __unused struct getgid_args *uap, int32_t *retval)
384 {
385
386 *retval = kauth_getrgid();
387 return (0);
388 }
389
390
391 /*
392 * getegid
393 *
394 * Description: get the effective group ID for the calling process
395 *
396 * Parameters: (void)
397 *
398 * Returns: gid_t The effective gid of the caller
399 *
400 * Notes: As an implementation detail, the effective gid is stored as
401 * the first element of the supplementary group list.
402 *
403 * This could be implemented in Libc instead because of the above
404 * detail.
405 */
406 int
407 getegid(__unused proc_t p, __unused struct getegid_args *uap, int32_t *retval)
408 {
409
410 *retval = kauth_getgid();
411 return (0);
412 }
413
414
415 /*
416 * getgroups
417 *
418 * Description: get the list of supplementary groups for the calling process
419 *
420 * Parameters: uap->gidsetsize # of gid_t's in user buffer
421 * uap->gidset Pointer to user buffer
422 *
423 * Returns: 0 Success
424 * EINVAL User buffer too small
425 * copyout:EFAULT User buffer invalid
426 *
427 * Retval: -1 Error
428 * !0 # of groups
429 *
430 * Notes: The caller may specify a 0 value for gidsetsize, and we will
431 * then return how large a buffer is required (in gid_t's) to
432 * contain the answer at the time of the call. Otherwise, we
433 * return the number of gid_t's catually copied to user space.
434 *
435 * When called with a 0 gidsetsize from a multithreaded program,
436 * there is no guarantee that another thread may not change the
437 * number of supplementary groups, and therefore a subsequent
438 * call could still fail, unless the maximum possible buffer
439 * size is supplied by the user.
440 *
441 * As an implementation detail, the effective gid is stored as
442 * the first element of the supplementary group list, and will
443 * be returned by this call.
444 */
445 int
446 getgroups(__unused proc_t p, struct getgroups_args *uap, int32_t *retval)
447 {
448 int ngrp;
449 int error;
450 kauth_cred_t cred;
451 posix_cred_t pcred;
452
453 /* grab reference while we muck around with the credential */
454 cred = kauth_cred_get_with_ref();
455 pcred = posix_cred_get(cred);
456
457 if ((ngrp = uap->gidsetsize) == 0) {
458 *retval = pcred->cr_ngroups;
459 kauth_cred_unref(&cred);
460 return (0);
461 }
462 if (ngrp < pcred->cr_ngroups) {
463 kauth_cred_unref(&cred);
464 return (EINVAL);
465 }
466 ngrp = pcred->cr_ngroups;
467 if ((error = copyout((caddr_t)pcred->cr_groups,
468 uap->gidset,
469 ngrp * sizeof(gid_t)))) {
470 kauth_cred_unref(&cred);
471 return (error);
472 }
473 kauth_cred_unref(&cred);
474 *retval = ngrp;
475 return (0);
476 }
477
478
479 /*
480 * Return the per-thread/per-process supplementary groups list.
481 *
482 * XXX implement getsgroups
483 *
484 */
485
486 int
487 getsgroups(__unused proc_t p, __unused struct getsgroups_args *uap, __unused int32_t *retval)
488 {
489 return(ENOTSUP);
490 }
491
492 /*
493 * Return the per-thread/per-process whiteout groups list.
494 *
495 * XXX implement getwgroups
496 *
497 */
498
499 int
500 getwgroups(__unused proc_t p, __unused struct getwgroups_args *uap, __unused int32_t *retval)
501 {
502 return(ENOTSUP);
503 }
504
505
506 /*
507 * setsid
508 *
509 * Description: Create a new session and set the process group ID to the
510 * session ID
511 *
512 * Parameters: (void)
513 *
514 * Returns: 0 Success
515 * EPERM Permission denied
516 *
517 * Notes: If the calling process is not the process group leader; there
518 * is no existing process group with its ID, and we are not
519 * currently in vfork, then this function will create a new
520 * session, a new process group, and put the caller in the
521 * process group (as the sole member) and make it the session
522 * leader (as the sole process in the session).
523 *
524 * The existing controlling tty (if any) will be dissociated
525 * from the process, and the next non-O_NOCTTY open of a tty
526 * will establish a new controlling tty.
527 *
528 * XXX: Belongs in kern_proc.c
529 */
530 int
531 setsid(proc_t p, __unused struct setsid_args *uap, int32_t *retval)
532 {
533 struct pgrp * pg = PGRP_NULL;
534
535 if (p->p_pgrpid == p->p_pid || (pg = pgfind(p->p_pid)) || p->p_lflag & P_LINVFORK) {
536 if (pg != PGRP_NULL)
537 pg_rele(pg);
538 return (EPERM);
539 } else {
540 /* enter pgrp works with its own pgrp refcount */
541 (void)enterpgrp(p, p->p_pid, 1);
542 *retval = p->p_pid;
543 return (0);
544 }
545 }
546
547
548 /*
549 * setpgid
550 *
551 * Description: set process group ID for job control
552 *
553 * Parameters: uap->pid Process to change
554 * uap->pgid Process group to join or create
555 *
556 * Returns: 0 Success
557 * ESRCH pid is not the caller or a child of
558 * the caller
559 * enterpgrp:ESRCH No such process
560 * EACCES Permission denied due to exec
561 * EINVAL Invalid argument
562 * EPERM The target process is not in the same
563 * session as the calling process
564 * EPERM The target process is a session leader
565 * EPERM pid and pgid are not the same, and
566 * there is no process in the calling
567 * process whose process group ID matches
568 * pgid
569 *
570 * Notes: This function will cause the target process to either join
571 * an existing process process group, or create a new process
572 * group in the session of the calling process. It cannot be
573 * used to change the process group ID of a process which is
574 * already a session leader.
575 *
576 * If the target pid is 0, the pid of the calling process is
577 * substituted as the new target; if pgid is 0, the target pid
578 * is used as the target process group ID.
579 *
580 * Legacy: This system call entry point is also used to implement the
581 * legacy library routine setpgrp(), which under POSIX
582 *
583 * XXX: Belongs in kern_proc.c
584 */
585 int
586 setpgid(proc_t curp, register struct setpgid_args *uap, __unused int32_t *retval)
587 {
588 proc_t targp = PROC_NULL; /* target process */
589 struct pgrp *pg = PGRP_NULL; /* target pgrp */
590 int error = 0;
591 int refheld = 0;
592 int samesess = 0;
593 struct session * curp_sessp = SESSION_NULL;
594 struct session * targp_sessp = SESSION_NULL;
595
596 curp_sessp = proc_session(curp);
597
598 if (uap->pid != 0 && uap->pid != curp->p_pid) {
599 if ((targp = proc_find(uap->pid)) == 0 || !inferior(targp)) {
600 if (targp != PROC_NULL)
601 refheld = 1;
602 error = ESRCH;
603 goto out;
604 }
605 refheld = 1;
606 targp_sessp = proc_session(targp);
607 if (targp_sessp != curp_sessp) {
608 error = EPERM;
609 goto out;
610 }
611 if (targp->p_flag & P_EXEC) {
612 error = EACCES;
613 goto out;
614 }
615 } else {
616 targp = curp;
617 targp_sessp = proc_session(targp);
618 }
619
620 if (SESS_LEADER(targp, targp_sessp)) {
621 error = EPERM;
622 goto out;
623 }
624 if (targp_sessp != SESSION_NULL) {
625 session_rele(targp_sessp);
626 targp_sessp = SESSION_NULL;
627 }
628
629 if (uap->pgid < 0) {
630 error = EINVAL;
631 goto out;
632 }
633 if (uap->pgid == 0)
634 uap->pgid = targp->p_pid;
635 else if (uap->pgid != targp->p_pid) {
636 if ((pg = pgfind(uap->pgid)) == 0){
637 error = EPERM;
638 goto out;
639 }
640 samesess = (pg->pg_session != curp_sessp);
641 pg_rele(pg);
642 if (samesess != 0) {
643 error = EPERM;
644 goto out;
645 }
646 }
647 error = enterpgrp(targp, uap->pgid, 0);
648 out:
649 if (targp_sessp != SESSION_NULL)
650 session_rele(targp_sessp);
651 if (curp_sessp != SESSION_NULL)
652 session_rele(curp_sessp);
653 if (refheld != 0)
654 proc_rele(targp);
655 return(error);
656 }
657
658
659 /*
660 * issetugid
661 *
662 * Description: Is current process tainted by uid or gid changes system call
663 *
664 * Parameters: (void)
665 *
666 * Returns: 0 Not tainted
667 * 1 Tainted
668 *
669 * Notes: A process is considered tainted if it was created as a retult
670 * of an execve call from an imnage that had either the SUID or
671 * SGID bit set on the executable, or if it has changed any of its
672 * real, effective, or saved user or group IDs since beginning
673 * execution.
674 */
675 int
676 issetugid(proc_t p, __unused struct issetugid_args *uap, int32_t *retval)
677 {
678 /*
679 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
680 * we use P_SUGID because we consider changing the owners as
681 * "tainting" as well.
682 * This is significant for procs that start as root and "become"
683 * a user without an exec - programs cannot know *everything*
684 * that libc *might* have put in their data segment.
685 */
686
687 *retval = (p->p_flag & P_SUGID) ? 1 : 0;
688 return (0);
689 }
690
691
692 /*
693 * setuid
694 *
695 * Description: Set user ID system call
696 *
697 * Parameters: uap->uid uid to set
698 *
699 * Returns: 0 Success
700 * suser:EPERM Permission denied
701 *
702 * Notes: If called by a privileged process, this function will set the
703 * real, effective, and saved uid to the requested value.
704 *
705 * If called from an unprivileged process, but uid is equal to the
706 * real or saved uid, then the effective uid will be set to the
707 * requested value, but the real and saved uid will not change.
708 *
709 * If the credential is changed as a result of this call, then we
710 * flag the process as having set privilege since the last exec.
711 */
712 int
713 setuid(proc_t p, struct setuid_args *uap, __unused int32_t *retval)
714 {
715 uid_t uid;
716 uid_t svuid = KAUTH_UID_NONE;
717 uid_t ruid = KAUTH_UID_NONE;
718 uid_t gmuid = KAUTH_UID_NONE;
719 int error;
720 kauth_cred_t my_cred, my_new_cred;
721 posix_cred_t my_pcred;
722
723
724 uid = uap->uid;
725
726 my_cred = kauth_cred_proc_ref(p);
727 my_pcred = posix_cred_get(my_cred);
728
729 DEBUG_CRED_ENTER("setuid (%d/%d): %p %d\n", p->p_pid, (p->p_pptr ? p->p_pptr->p_pid : 0), my_cred, uap->uid);
730 AUDIT_ARG(uid, uid);
731
732 if (uid != my_pcred->cr_ruid && /* allow setuid(getuid()) */
733 uid != my_pcred->cr_svuid && /* allow setuid(saved uid) */
734 (error = suser(my_cred, &p->p_acflag))) {
735 kauth_cred_unref(&my_cred);
736 return (error);
737 }
738 /*
739 * Everything's okay, do it.
740 */
741
742 /*
743 * If we are priviledged, then set the saved and real UID too;
744 * otherwise, just set the effective UID
745 */
746 if (suser(my_cred, &p->p_acflag) == 0) {
747 svuid = uid;
748 ruid = uid;
749 /*
750 * Transfer proc count to new user.
751 * chgproccnt uses list lock for protection
752 */
753 (void)chgproccnt(uid, 1);
754 (void)chgproccnt(my_pcred->cr_ruid, -1);
755 }
756
757 /* get current credential and take a reference while we muck with it */
758 for (;;) {
759 /*
760 * Only set the gmuid if the current cred has not opt'ed out;
761 * this normally only happens when calling setgroups() instead
762 * of initgroups() to set an explicit group list, or one of the
763 * other group manipulation functions is invoked and results in
764 * a dislocation (i.e. the credential group membership changes
765 * to something other than the default list for the user, as
766 * in entering a group or leaving an exclusion group).
767 */
768 if (!(my_pcred->cr_flags & CRF_NOMEMBERD))
769 gmuid = uid;
770
771 /*
772 * Set the credential with new info. If there is no change,
773 * we get back the same credential we passed in; if there is
774 * a change, we drop the reference on the credential we
775 * passed in. The subsequent compare is safe, because it is
776 * a pointer compare rather than a contents compare.
777 */
778 my_new_cred = kauth_cred_setresuid(my_cred, ruid, uid, svuid, gmuid);
779 if (my_cred != my_new_cred) {
780
781 DEBUG_CRED_CHANGE("setuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
782
783 proc_lock(p);
784 /*
785 * We need to protect for a race where another thread
786 * also changed the credential after we took our
787 * reference. If p_ucred has changed then we should
788 * restart this again with the new cred.
789 */
790 if (p->p_ucred != my_cred) {
791 proc_unlock(p);
792 kauth_cred_unref(&my_new_cred);
793 my_cred = kauth_cred_proc_ref(p);
794 /* try again */
795 continue;
796 }
797 p->p_ucred = my_new_cred;
798 /* update cred on proc */
799 PROC_UPDATE_CREDS_ONPROC(p);
800
801 OSBitOrAtomic(P_SUGID, &p->p_flag);
802 proc_unlock(p);
803 }
804 break;
805 }
806 /* Drop old proc reference or our extra reference */
807 kauth_cred_unref(&my_cred);
808
809 set_security_token(p);
810 return (0);
811 }
812
813
814 /*
815 * seteuid
816 *
817 * Description: Set effective user ID system call
818 *
819 * Parameters: uap->euid effective uid to set
820 *
821 * Returns: 0 Success
822 * suser:EPERM Permission denied
823 *
824 * Notes: If called by a privileged process, or called from an
825 * unprivileged process but euid is equal to the real or saved
826 * uid, then the effective uid will be set to the requested
827 * value, but the real and saved uid will not change.
828 *
829 * If the credential is changed as a result of this call, then we
830 * flag the process as having set privilege since the last exec.
831 */
832 int
833 seteuid(proc_t p, struct seteuid_args *uap, __unused int32_t *retval)
834 {
835 uid_t euid;
836 int error;
837 kauth_cred_t my_cred, my_new_cred;
838 posix_cred_t my_pcred;
839
840 DEBUG_CRED_ENTER("seteuid: %d\n", uap->euid);
841
842 euid = uap->euid;
843 AUDIT_ARG(euid, euid);
844
845 my_cred = kauth_cred_proc_ref(p);
846 my_pcred = posix_cred_get(my_cred);
847
848 if (euid != my_pcred->cr_ruid && euid != my_pcred->cr_svuid &&
849 (error = suser(my_cred, &p->p_acflag))) {
850 kauth_cred_unref(&my_cred);
851 return (error);
852 }
853
854 /*
855 * Everything's okay, do it. Copy credentials so other references do
856 * not see our changes. get current credential and take a reference
857 * while we muck with it
858 */
859 for (;;) {
860 /*
861 * Set the credential with new info. If there is no change,
862 * we get back the same credential we passed in; if there is
863 * a change, we drop the reference on the credential we
864 * passed in. The subsequent compare is safe, because it is
865 * a pointer compare rather than a contents compare.
866 */
867 my_new_cred = kauth_cred_setresuid(my_cred, KAUTH_UID_NONE, euid, KAUTH_UID_NONE, my_pcred->cr_gmuid);
868
869 if (my_cred != my_new_cred) {
870
871 DEBUG_CRED_CHANGE("seteuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
872
873 proc_lock(p);
874 /*
875 * We need to protect for a race where another thread
876 * also changed the credential after we took our
877 * reference. If p_ucred has changed then we
878 * should restart this again with the new cred.
879 */
880 if (p->p_ucred != my_cred) {
881 proc_unlock(p);
882 kauth_cred_unref(&my_new_cred);
883 my_cred = kauth_cred_proc_ref(p);
884 /* try again */
885 continue;
886 }
887 p->p_ucred = my_new_cred;
888 /* update cred on proc */
889 PROC_UPDATE_CREDS_ONPROC(p);
890 OSBitOrAtomic(P_SUGID, &p->p_flag);
891 proc_unlock(p);
892 }
893 break;
894 }
895 /* drop old proc reference or our extra reference */
896 kauth_cred_unref(&my_cred);
897
898 set_security_token(p);
899 return (0);
900 }
901
902
903 /*
904 * setreuid
905 *
906 * Description: Set real and effective user ID system call
907 *
908 * Parameters: uap->ruid real uid to set
909 * uap->euid effective uid to set
910 *
911 * Returns: 0 Success
912 * suser:EPERM Permission denied
913 *
914 * Notes: A value of -1 is a special case indicating that the uid for
915 * which that value is specified not be changed. If both values
916 * are specified as -1, no action is taken.
917 *
918 * If called by a privileged process, the real and effective uid
919 * will be set to the new value(s) specified.
920 *
921 * If called from an unprivileged process, the real uid may be
922 * set to the current value of the real uid, or to the current
923 * value of the saved uid. The effective uid may be set to the
924 * current value of any of the effective, real, or saved uid.
925 *
926 * If the newly requested real uid or effective uid does not
927 * match the saved uid, then set the saved uid to the new
928 * effective uid (potentially unrecoverably dropping saved
929 * privilege).
930 *
931 * If the credential is changed as a result of this call, then we
932 * flag the process as having set privilege since the last exec.
933 */
934 int
935 setreuid(proc_t p, struct setreuid_args *uap, __unused int32_t *retval)
936 {
937 uid_t ruid, euid;
938 int error;
939 kauth_cred_t my_cred, my_new_cred;
940 posix_cred_t my_pcred;
941
942 DEBUG_CRED_ENTER("setreuid %d %d\n", uap->ruid, uap->euid);
943
944 ruid = uap->ruid;
945 euid = uap->euid;
946 if (ruid == (uid_t)-1)
947 ruid = KAUTH_UID_NONE;
948 if (euid == (uid_t)-1)
949 euid = KAUTH_UID_NONE;
950 AUDIT_ARG(euid, euid);
951 AUDIT_ARG(ruid, ruid);
952
953 my_cred = kauth_cred_proc_ref(p);
954 my_pcred = posix_cred_get(my_cred);
955
956 if (((ruid != KAUTH_UID_NONE && /* allow no change of ruid */
957 ruid != my_pcred->cr_ruid && /* allow ruid = ruid */
958 ruid != my_pcred->cr_uid && /* allow ruid = euid */
959 ruid != my_pcred->cr_svuid) || /* allow ruid = svuid */
960 (euid != KAUTH_UID_NONE && /* allow no change of euid */
961 euid != my_pcred->cr_uid && /* allow euid = euid */
962 euid != my_pcred->cr_ruid && /* allow euid = ruid */
963 euid != my_pcred->cr_svuid)) && /* allow euid = svui */
964 (error = suser(my_cred, &p->p_acflag))) { /* allow root user any */
965 kauth_cred_unref(&my_cred);
966 return (error);
967 }
968
969 /*
970 * Everything's okay, do it. Copy credentials so other references do
971 * not see our changes. get current credential and take a reference
972 * while we muck with it
973 */
974 for (;;) {
975 uid_t new_euid;
976 uid_t new_ruid;
977 uid_t svuid = KAUTH_UID_NONE;
978
979 new_euid = my_pcred->cr_uid;
980 new_ruid = my_pcred->cr_ruid;
981
982 /*
983 * Set the credential with new info. If there is no change,
984 * we get back the same credential we passed in; if there is
985 * a change, we drop the reference on the credential we
986 * passed in. The subsequent compare is safe, because it is
987 * a pointer compare rather than a contents compare.
988 */
989 if (euid == KAUTH_UID_NONE && my_pcred->cr_uid != euid) {
990 /* changing the effective UID */
991 new_euid = euid;
992 OSBitOrAtomic(P_SUGID, &p->p_flag);
993 }
994 if (ruid != KAUTH_UID_NONE && my_pcred->cr_ruid != ruid) {
995 /* changing the real UID; must do user accounting */
996 /* chgproccnt uses list lock for protection */
997 (void)chgproccnt(ruid, 1);
998 (void)chgproccnt(my_pcred->cr_ruid, -1);
999 new_ruid = ruid;
1000 OSBitOrAtomic(P_SUGID, &p->p_flag);
1001 }
1002 /*
1003 * If the newly requested real uid or effective uid does
1004 * not match the saved uid, then set the saved uid to the
1005 * new effective uid. We are protected from escalation
1006 * by the prechecking.
1007 */
1008 if (my_pcred->cr_svuid != uap->ruid &&
1009 my_pcred->cr_svuid != uap->euid) {
1010 svuid = new_euid;
1011 OSBitOrAtomic(P_SUGID, &p->p_flag);
1012 }
1013
1014 my_new_cred = kauth_cred_setresuid(my_cred, ruid, euid, svuid, my_pcred->cr_gmuid);
1015
1016 if (my_cred != my_new_cred) {
1017
1018 DEBUG_CRED_CHANGE("setreuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
1019
1020 proc_lock(p);
1021 /*
1022 * We need to protect for a race where another thread
1023 * also changed the credential after we took our
1024 * reference. If p_ucred has changed then we should
1025 * restart this again with the new cred.
1026 */
1027 if (p->p_ucred != my_cred) {
1028 proc_unlock(p);
1029 kauth_cred_unref(&my_new_cred);
1030 my_cred = kauth_cred_proc_ref(p);
1031 /* try again */
1032 continue;
1033 }
1034 p->p_ucred = my_new_cred;
1035 /* update cred on proc */
1036 PROC_UPDATE_CREDS_ONPROC(p);
1037 OSBitOrAtomic(P_SUGID, &p->p_flag); /* XXX redundant? */
1038 proc_unlock(p);
1039 }
1040 break;
1041 }
1042 /* drop old proc reference or our extra reference */
1043 kauth_cred_unref(&my_cred);
1044
1045 set_security_token(p);
1046 return (0);
1047 }
1048
1049
1050 /*
1051 * setgid
1052 *
1053 * Description: Set group ID system call
1054 *
1055 * Parameters: uap->gid gid to set
1056 *
1057 * Returns: 0 Success
1058 * suser:EPERM Permission denied
1059 *
1060 * Notes: If called by a privileged process, this function will set the
1061 * real, effective, and saved gid to the requested value.
1062 *
1063 * If called from an unprivileged process, but gid is equal to the
1064 * real or saved gid, then the effective gid will be set to the
1065 * requested value, but the real and saved gid will not change.
1066 *
1067 * If the credential is changed as a result of this call, then we
1068 * flag the process as having set privilege since the last exec.
1069 *
1070 * As an implementation detail, the effective gid is stored as
1071 * the first element of the supplementary group list, and
1072 * therefore the effective group list may be reordered to keep
1073 * the supplementary group list unchanged.
1074 */
1075 int
1076 setgid(proc_t p, struct setgid_args *uap, __unused int32_t *retval)
1077 {
1078 gid_t gid;
1079 gid_t rgid = KAUTH_GID_NONE;
1080 gid_t svgid = KAUTH_GID_NONE;
1081 int error;
1082 kauth_cred_t my_cred, my_new_cred;
1083 posix_cred_t my_pcred;
1084
1085 DEBUG_CRED_ENTER("setgid(%d/%d): %d\n", p->p_pid, (p->p_pptr ? p->p_pptr->p_pid : 0), uap->gid);
1086
1087 gid = uap->gid;
1088 AUDIT_ARG(gid, gid);
1089
1090 my_cred = kauth_cred_proc_ref(p);
1091 my_pcred = posix_cred_get(my_cred);
1092
1093 if (gid != my_pcred->cr_rgid && /* allow setgid(getgid()) */
1094 gid != my_pcred->cr_svgid && /* allow setgid(saved gid) */
1095 (error = suser(my_cred, &p->p_acflag))) {
1096 kauth_cred_unref(&my_cred);
1097 return (error);
1098 }
1099
1100 /*
1101 * If we are priviledged, then set the saved and real GID too;
1102 * otherwise, just set the effective GID
1103 */
1104 if (suser(my_cred, &p->p_acflag) == 0) {
1105 svgid = gid;
1106 rgid = gid;
1107 }
1108
1109 /* get current credential and take a reference while we muck with it */
1110 for (;;) {
1111
1112 /*
1113 * Set the credential with new info. If there is no change,
1114 * we get back the same credential we passed in; if there is
1115 * a change, we drop the reference on the credential we
1116 * passed in. The subsequent compare is safe, because it is
1117 * a pointer compare rather than a contents compare.
1118 */
1119 my_new_cred = kauth_cred_setresgid(my_cred, rgid, gid, svgid);
1120 if (my_cred != my_new_cred) {
1121
1122 DEBUG_CRED_CHANGE("setgid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1123
1124 proc_lock(p);
1125 /*
1126 * We need to protect for a race where another thread
1127 * also changed the credential after we took our
1128 * reference. If p_ucred has changed then we
1129 * should restart this again with the new cred.
1130 */
1131 if (p->p_ucred != my_cred) {
1132 proc_unlock(p);
1133 kauth_cred_unref(&my_new_cred);
1134 /* try again */
1135 my_cred = kauth_cred_proc_ref(p);
1136 continue;
1137 }
1138 p->p_ucred = my_new_cred;
1139 /* update cred on proc */
1140 PROC_UPDATE_CREDS_ONPROC(p);
1141 OSBitOrAtomic(P_SUGID, &p->p_flag);
1142 proc_unlock(p);
1143 }
1144 break;
1145 }
1146 /* Drop old proc reference or our extra reference */
1147 kauth_cred_unref(&my_cred);
1148
1149 set_security_token(p);
1150 return (0);
1151 }
1152
1153
1154 /*
1155 * setegid
1156 *
1157 * Description: Set effective group ID system call
1158 *
1159 * Parameters: uap->egid effective gid to set
1160 *
1161 * Returns: 0 Success
1162 * suser:EPERM
1163 *
1164 * Notes: If called by a privileged process, or called from an
1165 * unprivileged process but egid is equal to the real or saved
1166 * gid, then the effective gid will be set to the requested
1167 * value, but the real and saved gid will not change.
1168 *
1169 * If the credential is changed as a result of this call, then we
1170 * flag the process as having set privilege since the last exec.
1171 *
1172 * As an implementation detail, the effective gid is stored as
1173 * the first element of the supplementary group list, and
1174 * therefore the effective group list may be reordered to keep
1175 * the supplementary group list unchanged.
1176 */
1177 int
1178 setegid(proc_t p, struct setegid_args *uap, __unused int32_t *retval)
1179 {
1180 gid_t egid;
1181 int error;
1182 kauth_cred_t my_cred, my_new_cred;
1183 posix_cred_t my_pcred;
1184
1185 DEBUG_CRED_ENTER("setegid %d\n", uap->egid);
1186
1187 egid = uap->egid;
1188 AUDIT_ARG(egid, egid);
1189
1190 my_cred = kauth_cred_proc_ref(p);
1191 my_pcred = posix_cred_get(my_cred);
1192
1193 if (egid != my_pcred->cr_rgid &&
1194 egid != my_pcred->cr_svgid &&
1195 (error = suser(my_cred, &p->p_acflag))) {
1196 kauth_cred_unref(&my_cred);
1197 return (error);
1198 }
1199
1200 /* get current credential and take a reference while we muck with it */
1201 for (;;) {
1202 /*
1203 * Set the credential with new info. If there is no change,
1204 * we get back the same credential we passed in; if there is
1205 * a change, we drop the reference on the credential we
1206 * passed in. The subsequent compare is safe, because it is
1207 * a pointer compare rather than a contents compare.
1208 */
1209 my_new_cred = kauth_cred_setresgid(my_cred, KAUTH_GID_NONE, egid, KAUTH_GID_NONE);
1210 if (my_cred != my_new_cred) {
1211
1212 DEBUG_CRED_CHANGE("setegid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
1213
1214 proc_lock(p);
1215 /*
1216 * We need to protect for a race where another thread
1217 * also changed the credential after we took our
1218 * reference. If p_ucred has changed then we
1219 * should restart this again with the new cred.
1220 */
1221 if (p->p_ucred != my_cred) {
1222 proc_unlock(p);
1223 kauth_cred_unref(&my_new_cred);
1224 /* try again */
1225 my_cred = kauth_cred_proc_ref(p);
1226 continue;
1227 }
1228 p->p_ucred = my_new_cred;
1229 /* update cred on proc */
1230 PROC_UPDATE_CREDS_ONPROC(p);
1231 OSBitOrAtomic(P_SUGID, &p->p_flag);
1232 proc_unlock(p);
1233 }
1234 break;
1235 }
1236
1237 /* Drop old proc reference or our extra reference */
1238 kauth_cred_unref(&my_cred);
1239
1240 set_security_token(p);
1241 return (0);
1242 }
1243
1244 /*
1245 * setregid
1246 *
1247 * Description: Set real and effective group ID system call
1248 *
1249 * Parameters: uap->rgid real gid to set
1250 * uap->egid effective gid to set
1251 *
1252 * Returns: 0 Success
1253 * suser:EPERM Permission denied
1254 *
1255 * Notes: A value of -1 is a special case indicating that the gid for
1256 * which that value is specified not be changed. If both values
1257 * are specified as -1, no action is taken.
1258 *
1259 * If called by a privileged process, the real and effective gid
1260 * will be set to the new value(s) specified.
1261 *
1262 * If called from an unprivileged process, the real gid may be
1263 * set to the current value of the real gid, or to the current
1264 * value of the saved gid. The effective gid may be set to the
1265 * current value of any of the effective, real, or saved gid.
1266 *
1267 * If the new real and effective gid will not be equal, or the
1268 * new real or effective gid is not the same as the saved gid,
1269 * then the saved gid will be updated to reflect the new
1270 * effective gid (potentially unrecoverably dropping saved
1271 * privilege).
1272 *
1273 * If the credential is changed as a result of this call, then we
1274 * flag the process as having set privilege since the last exec.
1275 *
1276 * As an implementation detail, the effective gid is stored as
1277 * the first element of the supplementary group list, and
1278 * therefore the effective group list may be reordered to keep
1279 * the supplementary group list unchanged.
1280 */
1281 int
1282 setregid(proc_t p, struct setregid_args *uap, __unused int32_t *retval)
1283 {
1284 gid_t rgid, egid;
1285 int error;
1286 kauth_cred_t my_cred, my_new_cred;
1287 posix_cred_t my_pcred;
1288
1289 DEBUG_CRED_ENTER("setregid %d %d\n", uap->rgid, uap->egid);
1290
1291 rgid = uap->rgid;
1292 egid = uap->egid;
1293
1294 if (rgid == (uid_t)-1)
1295 rgid = KAUTH_GID_NONE;
1296 if (egid == (uid_t)-1)
1297 egid = KAUTH_GID_NONE;
1298 AUDIT_ARG(egid, egid);
1299 AUDIT_ARG(rgid, rgid);
1300
1301 my_cred = kauth_cred_proc_ref(p);
1302 my_pcred = posix_cred_get(my_cred);
1303
1304 if (((rgid != KAUTH_UID_NONE && /* allow no change of rgid */
1305 rgid != my_pcred->cr_rgid && /* allow rgid = rgid */
1306 rgid != my_pcred->cr_gid && /* allow rgid = egid */
1307 rgid != my_pcred->cr_svgid) || /* allow rgid = svgid */
1308 (egid != KAUTH_UID_NONE && /* allow no change of egid */
1309 egid != my_pcred->cr_groups[0] && /* allow no change of egid */
1310 egid != my_pcred->cr_gid && /* allow egid = egid */
1311 egid != my_pcred->cr_rgid && /* allow egid = rgid */
1312 egid != my_pcred->cr_svgid)) && /* allow egid = svgid */
1313 (error = suser(my_cred, &p->p_acflag))) { /* allow root user any */
1314 kauth_cred_unref(&my_cred);
1315 return (error);
1316 }
1317
1318 /* get current credential and take a reference while we muck with it */
1319 for (;;) {
1320 uid_t new_egid = my_pcred->cr_gid;
1321 uid_t new_rgid = my_pcred->cr_rgid;
1322 uid_t svgid = KAUTH_UID_NONE;
1323
1324
1325 /*
1326 * Set the credential with new info. If there is no change,
1327 * we get back the same credential we passed in; if there is
1328 * a change, we drop the reference on the credential we
1329 * passed in. The subsequent compare is safe, because it is
1330 * a pointer compare rather than a contents compare.
1331 */
1332 if (egid == KAUTH_UID_NONE && my_pcred->cr_gid != egid) {
1333 /* changing the effective GID */
1334 new_egid = egid;
1335 OSBitOrAtomic(P_SUGID, &p->p_flag);
1336 }
1337 if (rgid != KAUTH_UID_NONE && my_pcred->cr_rgid != rgid) {
1338 /* changing the real GID */
1339 new_rgid = rgid;
1340 OSBitOrAtomic(P_SUGID, &p->p_flag);
1341 }
1342 /*
1343 * If the newly requested real gid or effective gid does
1344 * not match the saved gid, then set the saved gid to the
1345 * new effective gid. We are protected from escalation
1346 * by the prechecking.
1347 */
1348 if (my_pcred->cr_svgid != uap->rgid &&
1349 my_pcred->cr_svgid != uap->egid) {
1350 svgid = new_egid;
1351 OSBitOrAtomic(P_SUGID, &p->p_flag);
1352 }
1353
1354 my_new_cred = kauth_cred_setresgid(my_cred, rgid, egid, svgid);
1355 if (my_cred != my_new_cred) {
1356
1357 DEBUG_CRED_CHANGE("setregid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
1358
1359 proc_lock(p);
1360 /* need to protect for a race where another thread
1361 * also changed the credential after we took our
1362 * reference. If p_ucred has changed then we
1363 * should restart this again with the new cred.
1364 */
1365 if (p->p_ucred != my_cred) {
1366 proc_unlock(p);
1367 kauth_cred_unref(&my_new_cred);
1368 /* try again */
1369 my_cred = kauth_cred_proc_ref(p);
1370 continue;
1371 }
1372 p->p_ucred = my_new_cred;
1373 /* update cred on proc */
1374 PROC_UPDATE_CREDS_ONPROC(p);
1375 OSBitOrAtomic(P_SUGID, &p->p_flag); /* XXX redundant? */
1376 proc_unlock(p);
1377 }
1378 break;
1379 }
1380 /* Drop old proc reference or our extra reference */
1381 kauth_cred_unref(&my_cred);
1382
1383 set_security_token(p);
1384 return (0);
1385 }
1386
1387
1388 /*
1389 * Set the per-thread override identity. The first parameter can be the
1390 * current real UID, KAUTH_UID_NONE, or, if the caller is priviledged, it
1391 * can be any UID. If it is KAUTH_UID_NONE, then as a special case, this
1392 * means "revert to the per process credential"; otherwise, if permitted,
1393 * it changes the effective, real, and saved UIDs and GIDs for the current
1394 * thread to the requested UID and single GID, and clears all other GIDs.
1395 */
1396 int
1397 settid(proc_t p, struct settid_args *uap, __unused int32_t *retval)
1398 {
1399 kauth_cred_t uc;
1400 struct uthread *uthread = get_bsdthread_info(current_thread());
1401 uid_t uid;
1402 gid_t gid;
1403
1404 uid = uap->uid;
1405 gid = uap->gid;
1406 AUDIT_ARG(uid, uid);
1407 AUDIT_ARG(gid, gid);
1408
1409 if (proc_suser(p) != 0)
1410 return (EPERM);
1411
1412 if (uid == KAUTH_UID_NONE) {
1413
1414 /* must already be assuming another identity in order to revert back */
1415 if ((uthread->uu_flag & UT_SETUID) == 0)
1416 return (EPERM);
1417
1418 /* revert to delayed binding of process credential */
1419 uc = kauth_cred_proc_ref(p);
1420 kauth_cred_unref(&uthread->uu_ucred);
1421 uthread->uu_ucred = uc;
1422 uthread->uu_flag &= ~UT_SETUID;
1423 } else {
1424 kauth_cred_t my_cred, my_new_cred;
1425
1426 /* cannot already be assuming another identity */
1427 if ((uthread->uu_flag & UT_SETUID) != 0) {
1428 return (EPERM);
1429 }
1430
1431 /*
1432 * Get a new credential instance from the old if this one
1433 * changes; otherwise kauth_cred_setuidgid() returns the
1434 * same credential. We take an extra reference on the
1435 * current credential while we muck with it, so we can do
1436 * the post-compare for changes by pointer.
1437 */
1438 kauth_cred_ref(uthread->uu_ucred);
1439 my_cred = uthread->uu_ucred;
1440 my_new_cred = kauth_cred_setuidgid(my_cred, uid, gid);
1441 if (my_cred != my_new_cred)
1442 uthread->uu_ucred = my_new_cred;
1443 uthread->uu_flag |= UT_SETUID;
1444
1445 /* Drop old uthread reference or our extra reference */
1446 kauth_cred_unref(&my_cred);
1447 }
1448 /*
1449 * XXX should potentially set per thread security token (there is
1450 * XXX none).
1451 * XXX it is unclear whether P_SUGID should be st at this point;
1452 * XXX in theory, it is being deprecated.
1453 */
1454 return (0);
1455 }
1456
1457
1458 /*
1459 * Set the per-thread override identity. Use this system call for a thread to
1460 * assume the identity of another process or to revert back to normal identity
1461 * of the current process.
1462 *
1463 * When the "assume" argument is non zero the current thread will assume the
1464 * identity of the process represented by the pid argument.
1465 *
1466 * When the assume argument is zero we revert back to our normal identity.
1467 */
1468 int
1469 settid_with_pid(proc_t p, struct settid_with_pid_args *uap, __unused int32_t *retval)
1470 {
1471 proc_t target_proc;
1472 struct uthread *uthread = get_bsdthread_info(current_thread());
1473 kauth_cred_t my_cred, my_target_cred, my_new_cred;
1474 posix_cred_t my_target_pcred;
1475
1476 AUDIT_ARG(pid, uap->pid);
1477 AUDIT_ARG(value32, uap->assume);
1478
1479 if (proc_suser(p) != 0) {
1480 return (EPERM);
1481 }
1482
1483 /*
1484 * XXX should potentially set per thread security token (there is
1485 * XXX none).
1486 * XXX it is unclear whether P_SUGID should be st at this point;
1487 * XXX in theory, it is being deprecated.
1488 */
1489
1490 /*
1491 * assume argument tells us to assume the identity of the process with the
1492 * id passed in the pid argument.
1493 */
1494 if (uap->assume != 0) {
1495 /* can't do this if we have already assumed an identity */
1496 if ((uthread->uu_flag & UT_SETUID) != 0)
1497 return (EPERM);
1498
1499 target_proc = proc_find(uap->pid);
1500 /* can't assume the identity of the kernel process */
1501 if (target_proc == NULL || target_proc == kernproc) {
1502 if (target_proc!= NULL)
1503 proc_rele(target_proc);
1504 return (ESRCH);
1505 }
1506
1507 /*
1508 * Take a reference on the credential used in our target
1509 * process then use it as the identity for our current
1510 * thread. We take an extra reference on the current
1511 * credential while we muck with it, so we can do the
1512 * post-compare for changes by pointer.
1513 *
1514 * The post-compare is needed for the case that our process
1515 * credential has been changed to be identical to our thread
1516 * credential following our assumption of a per-thread one,
1517 * since the credential cache will maintain a unique instance.
1518 */
1519 kauth_cred_ref(uthread->uu_ucred);
1520 my_cred = uthread->uu_ucred;
1521 my_target_cred = kauth_cred_proc_ref(target_proc);
1522 my_target_pcred = posix_cred_get(my_target_cred);
1523 my_new_cred = kauth_cred_setuidgid(my_cred, my_target_pcred->cr_uid, my_target_pcred->cr_gid);
1524 if (my_cred != my_new_cred)
1525 uthread->uu_ucred = my_new_cred;
1526
1527 uthread->uu_flag |= UT_SETUID;
1528
1529 /* Drop old uthread reference or our extra reference */
1530 proc_rele(target_proc);
1531 kauth_cred_unref(&my_cred);
1532 kauth_cred_unref(&my_target_cred);
1533
1534 return (0);
1535 }
1536
1537 /*
1538 * Otherwise, we are reverting back to normal mode of operation where
1539 * delayed binding of the process credential sets the credential in
1540 * the thread (uu_ucred)
1541 */
1542 if ((uthread->uu_flag & UT_SETUID) == 0)
1543 return (EPERM);
1544
1545 /* revert to delayed binding of process credential */
1546 my_new_cred = kauth_cred_proc_ref(p);
1547 kauth_cred_unref(&uthread->uu_ucred);
1548 uthread->uu_ucred = my_new_cred;
1549 uthread->uu_flag &= ~UT_SETUID;
1550
1551 return (0);
1552 }
1553
1554
1555 /*
1556 * setgroups1
1557 *
1558 * Description: Internal implementation for both the setgroups and initgroups
1559 * system calls
1560 *
1561 * Parameters: gidsetsize Number of groups in set
1562 * gidset Pointer to group list
1563 * gmuid Base gid (initgroups only!)
1564 *
1565 * Returns: 0 Success
1566 * suser:EPERM Permision denied
1567 * EINVAL Invalid gidsetsize value
1568 * copyin:EFAULT Bad gidset or gidsetsize is
1569 * too large
1570 *
1571 * Notes: When called from a thread running under an assumed per-thread
1572 * identity, this function will operate against the per-thread
1573 * credential, rather than against the process credential. In
1574 * this specific case, the process credential is verified to
1575 * still be privileged at the time of the call, rather than the
1576 * per-thread credential for this operation to be permitted.
1577 *
1578 * This effectively means that setgroups/initigroups calls in
1579 * a thread running a per-thread credential should occur *after*
1580 * the settid call that created it, not before (unlike setuid,
1581 * which must be called after, since it will result in privilege
1582 * being dropped).
1583 *
1584 * When called normally (i.e. no per-thread assumed identity),
1585 * the per process credential is updated per POSIX.
1586 *
1587 * If the credential is changed as a result of this call, then we
1588 * flag the process as having set privilege since the last exec.
1589 */
1590 static int
1591 setgroups1(proc_t p, u_int gidsetsize, user_addr_t gidset, uid_t gmuid, __unused int32_t *retval)
1592 {
1593 u_int ngrp;
1594 gid_t newgroups[NGROUPS] = { 0 };
1595 int error;
1596 kauth_cred_t my_cred, my_new_cred;
1597 struct uthread *uthread = get_bsdthread_info(current_thread());
1598
1599 DEBUG_CRED_ENTER("setgroups1 (%d/%d): %d 0x%016x %d\n", p->p_pid, (p->p_pptr ? p->p_pptr->p_pid : 0), gidsetsize, gidset, gmuid);
1600
1601 ngrp = gidsetsize;
1602 if (ngrp > NGROUPS)
1603 return (EINVAL);
1604
1605 if ( ngrp < 1 ) {
1606 ngrp = 1;
1607 } else {
1608 error = copyin(gidset,
1609 (caddr_t)newgroups, ngrp * sizeof(gid_t));
1610 if (error) {
1611 return (error);
1612 }
1613 }
1614
1615 my_cred = kauth_cred_proc_ref(p);
1616 if ((error = suser(my_cred, &p->p_acflag))) {
1617 kauth_cred_unref(&my_cred);
1618 return (error);
1619 }
1620
1621 if ((uthread->uu_flag & UT_SETUID) != 0) {
1622 #if DEBUG_CRED
1623 int my_cred_flags = uthread->uu_ucred->cr_flags;
1624 #endif /* DEBUG_CRED */
1625 kauth_cred_unref(&my_cred);
1626
1627 /*
1628 * If this thread is under an assumed identity, set the
1629 * supplementary grouplist on the thread credential instead
1630 * of the process one. If we were the only reference holder,
1631 * the credential is updated in place, otherwise, our reference
1632 * is dropped and we get back a different cred with a reference
1633 * already held on it. Because this is per-thread, we don't
1634 * need the referencing/locking/retry required for per-process.
1635 */
1636 my_cred = uthread->uu_ucred;
1637 uthread->uu_ucred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, gmuid);
1638 #if DEBUG_CRED
1639 if (my_cred != uthread->uu_ucred) {
1640 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred_flags, uthread->uu_ucred , uthread->uu_ucred ->cr_flags);
1641 }
1642 #endif /* DEBUG_CRED */
1643 } else {
1644
1645 /*
1646 * get current credential and take a reference while we muck
1647 * with it
1648 */
1649 for (;;) {
1650 /*
1651 * Set the credential with new info. If there is no
1652 * change, we get back the same credential we passed
1653 * in; if there is a change, we drop the reference on
1654 * the credential we passed in. The subsequent
1655 * compare is safe, because it is a pointer compare
1656 * rather than a contents compare.
1657 */
1658 my_new_cred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, gmuid);
1659 if (my_cred != my_new_cred) {
1660
1661 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1662
1663 proc_lock(p);
1664 /*
1665 * We need to protect for a race where another
1666 * thread also changed the credential after we
1667 * took our reference. If p_ucred has
1668 * changed then we should restart this again
1669 * with the new cred.
1670 */
1671 if (p->p_ucred != my_cred) {
1672 proc_unlock(p);
1673 kauth_cred_unref(&my_new_cred);
1674 my_cred = kauth_cred_proc_ref(p);
1675 /* try again */
1676 continue;
1677 }
1678 p->p_ucred = my_new_cred;
1679 /* update cred on proc */
1680 PROC_UPDATE_CREDS_ONPROC(p);
1681 OSBitOrAtomic(P_SUGID, &p->p_flag);
1682 proc_unlock(p);
1683 }
1684 break;
1685 }
1686 /* Drop old proc reference or our extra reference */
1687 AUDIT_ARG(groupset, posix_cred_get(my_cred)->cr_groups, ngrp);
1688 kauth_cred_unref(&my_cred);
1689
1690
1691 set_security_token(p);
1692 }
1693
1694 return (0);
1695 }
1696
1697
1698 /*
1699 * initgroups
1700 *
1701 * Description: Initialize the default supplementary groups list and set the
1702 * gmuid for use by the external group resolver (if any)
1703 *
1704 * Parameters: uap->gidsetsize Number of groups in set
1705 * uap->gidset Pointer to group list
1706 * uap->gmuid Base gid
1707 *
1708 * Returns: 0 Success
1709 * setgroups1:EPERM Permision denied
1710 * setgroups1:EINVAL Invalid gidsetsize value
1711 * setgroups1:EFAULT Bad gidset or gidsetsize is
1712 *
1713 * Notes: This function opts *IN* to memberd participation
1714 *
1715 * The normal purpose of this function is for a privileged
1716 * process to indicate supplementary groups and identity for
1717 * participation in extended group membership resolution prior
1718 * to dropping privilege by assuming a specific user identity.
1719 *
1720 * It is the first half of the primary mechanism whereby user
1721 * identity is established to the system by programs such as
1722 * /usr/bin/login. The second half is the drop of uid privilege
1723 * for a specific uid corresponding to the user.
1724 *
1725 * See also: setgroups1()
1726 */
1727 int
1728 initgroups(proc_t p, struct initgroups_args *uap, __unused int32_t *retval)
1729 {
1730 DEBUG_CRED_ENTER("initgroups\n");
1731
1732 return(setgroups1(p, uap->gidsetsize, uap->gidset, uap->gmuid, retval));
1733 }
1734
1735
1736 /*
1737 * setgroups
1738 *
1739 * Description: Initialize the default supplementary groups list
1740 *
1741 * Parameters: gidsetsize Number of groups in set
1742 * gidset Pointer to group list
1743 *
1744 * Returns: 0 Success
1745 * setgroups1:EPERM Permision denied
1746 * setgroups1:EINVAL Invalid gidsetsize value
1747 * setgroups1:EFAULT Bad gidset or gidsetsize is
1748 *
1749 * Notes: This functions opts *OUT* of memberd participation.
1750 *
1751 * This function exists for compatibility with POSIX. Most user
1752 * programs should use initgroups() instead to ensure correct
1753 * participation in group membership resolution when utilizing
1754 * a directory service for authentication.
1755 *
1756 * It is identical to an initgroups() call with a gmuid argument
1757 * of KAUTH_UID_NONE.
1758 *
1759 * See also: setgroups1()
1760 */
1761 int
1762 setgroups(proc_t p, struct setgroups_args *uap, __unused int32_t *retval)
1763 {
1764 DEBUG_CRED_ENTER("setgroups\n");
1765
1766 return(setgroups1(p, uap->gidsetsize, uap->gidset, KAUTH_UID_NONE, retval));
1767 }
1768
1769
1770 /*
1771 * Set the per-thread/per-process supplementary groups list.
1772 *
1773 * XXX implement setsgroups
1774 *
1775 */
1776
1777 int
1778 setsgroups(__unused proc_t p, __unused struct setsgroups_args *uap, __unused int32_t *retval)
1779 {
1780 return(ENOTSUP);
1781 }
1782
1783 /*
1784 * Set the per-thread/per-process whiteout groups list.
1785 *
1786 * XXX implement setwgroups
1787 *
1788 */
1789
1790 int
1791 setwgroups(__unused proc_t p, __unused struct setwgroups_args *uap, __unused int32_t *retval)
1792 {
1793 return(ENOTSUP);
1794 }
1795
1796
1797 /*
1798 * Check if gid is a member of the group set.
1799 *
1800 * XXX This interface is going away; use kauth_cred_ismember_gid() directly
1801 * XXX instead.
1802 */
1803 int
1804 groupmember(gid_t gid, kauth_cred_t cred)
1805 {
1806 int is_member;
1807
1808 if (kauth_cred_ismember_gid(cred, gid, &is_member) == 0 && is_member)
1809 return (1);
1810 return (0);
1811 }
1812
1813
1814 /*
1815 * Test whether the specified credentials imply "super-user"
1816 * privilege; if so, and we have accounting info, set the flag
1817 * indicating use of super-powers.
1818 * Returns 0 or error.
1819 *
1820 * XXX This interface is going away; use kauth_cred_issuser() directly
1821 * XXX instead.
1822 *
1823 * Note: This interface exists to implement the "has used privilege"
1824 * bit (ASU) in the p_acflags field of the process, which is
1825 * only externalized via private sysctl and in process accounting
1826 * records. The flag is technically not required in either case.
1827 */
1828 int
1829 suser(kauth_cred_t cred, u_short *acflag)
1830 {
1831 #if DIAGNOSTIC
1832 if (!IS_VALID_CRED(cred))
1833 panic("suser");
1834 #endif
1835 if (kauth_cred_getuid(cred) == 0) {
1836 if (acflag)
1837 *acflag |= ASU;
1838 return (0);
1839 }
1840 return (EPERM);
1841 }
1842
1843
1844 /*
1845 * XXX This interface is going away; use kauth_cred_issuser() directly
1846 * XXX instead.
1847 */
1848 int
1849 is_suser(void)
1850 {
1851 proc_t p = current_proc();
1852
1853 if (!p)
1854 return (0);
1855
1856 return (proc_suser(p) == 0);
1857 }
1858
1859
1860 /*
1861 * XXX This interface is going away; use kauth_cred_issuser() directly
1862 * XXX instead.
1863 */
1864 int
1865 is_suser1(void)
1866 {
1867 proc_t p = current_proc();
1868 kauth_cred_t my_cred;
1869 posix_cred_t my_pcred;
1870 int err;
1871
1872 if (!p)
1873 return (0);
1874
1875 my_cred = kauth_cred_proc_ref(p);
1876 my_pcred = posix_cred_get(my_cred);
1877
1878 err = (suser(my_cred, &p->p_acflag) == 0 ||
1879 my_pcred->cr_ruid == 0 || my_pcred->cr_svuid == 0);
1880 kauth_cred_unref(&my_cred);
1881 return(err);
1882 }
1883
1884
1885 /*
1886 * getlogin
1887 *
1888 * Description: Get login name, if available.
1889 *
1890 * Parameters: uap->namebuf User buffer for return
1891 * uap->namelen User buffer length
1892 *
1893 * Returns: 0 Success
1894 * copyout:EFAULT
1895 *
1896 * Notes: Intended to obtain a string containing the user name of the
1897 * user associated with the controlling terminal for the calling
1898 * process.
1899 *
1900 * Not very useful on modern systems, due to inherent length
1901 * limitations for the static array in the session structure
1902 * which is used to store the login name.
1903 *
1904 * Permitted to return NULL
1905 *
1906 * XXX: Belongs in kern_proc.c
1907 */
1908 int
1909 getlogin(proc_t p, struct getlogin_args *uap, __unused int32_t *retval)
1910 {
1911 char buffer[MAXLOGNAME+1];
1912 struct session * sessp;
1913
1914 bzero(buffer, MAXLOGNAME+1);
1915
1916 sessp = proc_session(p);
1917
1918 if (uap->namelen > MAXLOGNAME)
1919 uap->namelen = MAXLOGNAME;
1920
1921 if(sessp != SESSION_NULL) {
1922 session_lock(sessp);
1923 bcopy( sessp->s_login, buffer, uap->namelen);
1924 session_unlock(sessp);
1925 }
1926 session_rele(sessp);
1927
1928 return (copyout((caddr_t)buffer, uap->namebuf, uap->namelen));
1929 }
1930
1931
1932 /*
1933 * setlogin
1934 *
1935 * Description: Set login name.
1936 *
1937 * Parameters: uap->namebuf User buffer containing name
1938 *
1939 * Returns: 0 Success
1940 * suser:EPERM Permission denied
1941 * copyinstr:EFAULT User buffer invalid
1942 * copyinstr:EINVAL Supplied name was too long
1943 *
1944 * Notes: This is a utility system call to support getlogin().
1945 *
1946 * XXX: Belongs in kern_proc.c
1947 */
1948 int
1949 setlogin(proc_t p, struct setlogin_args *uap, __unused int32_t *retval)
1950 {
1951 int error;
1952 size_t dummy=0;
1953 char buffer[MAXLOGNAME+1];
1954 struct session * sessp;
1955
1956 if ((error = proc_suser(p)))
1957 return (error);
1958
1959 bzero(&buffer[0], MAXLOGNAME+1);
1960
1961
1962 error = copyinstr(uap->namebuf,
1963 (caddr_t) &buffer[0],
1964 MAXLOGNAME - 1, (size_t *)&dummy);
1965
1966 sessp = proc_session(p);
1967
1968 if (sessp != SESSION_NULL) {
1969 session_lock(sessp);
1970 bcopy(buffer, sessp->s_login, MAXLOGNAME);
1971 session_unlock(sessp);
1972 session_rele(sessp);
1973 }
1974
1975
1976 if (!error) {
1977 AUDIT_ARG(text, buffer);
1978 } else if (error == ENAMETOOLONG)
1979 error = EINVAL;
1980 return (error);
1981 }
1982
1983
1984 /* Set the secrity token of the task with current euid and eguid */
1985 /*
1986 * XXX This needs to change to give the task a reference and/or an opaque
1987 * XXX identifier.
1988 */
1989 int
1990 set_security_token(proc_t p)
1991 {
1992 security_token_t sec_token;
1993 audit_token_t audit_token;
1994 kauth_cred_t my_cred;
1995 posix_cred_t my_pcred;
1996 host_priv_t host_priv;
1997
1998 /*
1999 * Don't allow a vfork child to override the parent's token settings
2000 * (since they share a task). Instead, the child will just have to
2001 * suffer along using the parent's token until the exec(). It's all
2002 * undefined behavior anyway, right?
2003 */
2004 if (p->task == current_task()) {
2005 uthread_t uthread;
2006 uthread = (uthread_t)get_bsdthread_info(current_thread());
2007 if (uthread->uu_flag & UT_VFORK)
2008 return (1);
2009 }
2010
2011 my_cred = kauth_cred_proc_ref(p);
2012 my_pcred = posix_cred_get(my_cred);
2013
2014 /* XXX mach_init doesn't have a p_ucred when it calls this function */
2015 if (IS_VALID_CRED(my_cred)) {
2016 sec_token.val[0] = kauth_cred_getuid(my_cred);
2017 sec_token.val[1] = kauth_cred_getgid(my_cred);
2018 } else {
2019 sec_token.val[0] = 0;
2020 sec_token.val[1] = 0;
2021 }
2022
2023 /*
2024 * The current layout of the Mach audit token explicitly
2025 * adds these fields. But nobody should rely on such
2026 * a literal representation. Instead, the BSM library
2027 * provides a function to convert an audit token into
2028 * a BSM subject. Use of that mechanism will isolate
2029 * the user of the trailer from future representation
2030 * changes.
2031 */
2032 audit_token.val[0] = my_cred->cr_audit.as_aia_p->ai_auid;
2033 audit_token.val[1] = my_pcred->cr_uid;
2034 audit_token.val[2] = my_pcred->cr_gid;
2035 audit_token.val[3] = my_pcred->cr_ruid;
2036 audit_token.val[4] = my_pcred->cr_rgid;
2037 audit_token.val[5] = p->p_pid;
2038 audit_token.val[6] = my_cred->cr_audit.as_aia_p->ai_asid;
2039 audit_token.val[7] = p->p_idversion;
2040
2041 #if CONFIG_MACF_MACH
2042 mac_task_label_update_cred(my_cred, p->task);
2043 #endif
2044
2045 host_priv = (sec_token.val[0]) ? HOST_PRIV_NULL : host_priv_self();
2046 #if CONFIG_MACF
2047 if (host_priv != HOST_PRIV_NULL && mac_system_check_host_priv(my_cred))
2048 host_priv = HOST_PRIV_NULL;
2049 #endif
2050 kauth_cred_unref(&my_cred);
2051
2052 return (host_security_set_task_token(host_security_self(),
2053 p->task,
2054 sec_token,
2055 audit_token,
2056 host_priv) != KERN_SUCCESS);
2057 }
2058
2059
2060 /*
2061 * Fill in a struct xucred based on a kauth_cred_t.
2062 */
2063 __private_extern__
2064 void
2065 cru2x(kauth_cred_t cr, struct xucred *xcr)
2066 {
2067 posix_cred_t pcr = posix_cred_get(cr);
2068
2069 bzero(xcr, sizeof(*xcr));
2070 xcr->cr_version = XUCRED_VERSION;
2071 xcr->cr_uid = kauth_cred_getuid(cr);
2072 xcr->cr_ngroups = pcr->cr_ngroups;
2073 bcopy(pcr->cr_groups, xcr->cr_groups, sizeof(xcr->cr_groups));
2074 }
2075
2076 #if CONFIG_LCTX
2077
2078 /*
2079 * Set Login Context ID
2080 */
2081 /*
2082 * MPSAFE - assignment of (visible) process to context protected by ALLLCTX_LOCK,
2083 * LCTX by its own locks.
2084 */
2085 int
2086 setlcid(proc_t p0, struct setlcid_args *uap, __unused int32_t *retval)
2087 {
2088 proc_t p;
2089 struct lctx *l;
2090 int error = 0;
2091 int refheld = 0;
2092
2093 AUDIT_ARG(pid, uap->pid);
2094 AUDIT_ARG(value32, uap->lcid);
2095 if (uap->pid == LCID_PROC_SELF) { /* Create/Join/Leave */
2096 p = p0;
2097 } else { /* Adopt/Orphan */
2098 p = proc_find(uap->pid);
2099 if (p == NULL)
2100 return (ESRCH);
2101 refheld = 1;
2102 }
2103
2104 #if CONFIG_MACF
2105 error = mac_proc_check_setlcid(p0, p, uap->pid, uap->lcid);
2106 if (error)
2107 goto out;
2108 #endif
2109
2110 switch (uap->lcid) {
2111 /* Leave/Orphan */
2112 case LCID_REMOVE:
2113
2114 /* Only root may Leave/Orphan. */
2115 if (!is_suser1()) {
2116 error = EPERM;
2117 goto out;
2118 }
2119
2120 /* Process not in login context. */
2121 if (p->p_lctx == NULL) {
2122 error = ENOATTR;
2123 goto out;
2124 }
2125
2126 l = NULL;
2127
2128 break;
2129
2130 /* Create */
2131 case LCID_CREATE:
2132
2133 /* Create only valid for self! */
2134 if (uap->pid != LCID_PROC_SELF) {
2135 error = EPERM;
2136 goto out;
2137 }
2138
2139 /* Already in a login context. */
2140 if (p->p_lctx != NULL) {
2141 error = EPERM;
2142 goto out;
2143 }
2144
2145 l = lccreate();
2146 if (l == NULL) {
2147 error = ENOMEM;
2148 goto out;
2149 }
2150
2151 LCTX_LOCK(l);
2152
2153 break;
2154
2155 /* Join/Adopt */
2156 default:
2157
2158 /* Only root may Join/Adopt. */
2159 if (!is_suser1()) {
2160 error = EPERM;
2161 goto out;
2162 }
2163
2164 l = lcfind(uap->lcid);
2165 if (l == NULL) {
2166 error = ENOATTR;
2167 goto out;
2168 }
2169
2170 break;
2171 }
2172
2173 ALLLCTX_LOCK;
2174 leavelctx(p);
2175 enterlctx(p, l, (uap->lcid == LCID_CREATE) ? 1 : 0);
2176 ALLLCTX_UNLOCK;
2177
2178 out:
2179 if (refheld != 0)
2180 proc_rele(p);
2181 return (error);
2182 }
2183
2184 /*
2185 * Get Login Context ID
2186 */
2187 /*
2188 * MPSAFE - membership of (visible) process in a login context
2189 * protected by the all-context lock.
2190 */
2191 int
2192 getlcid(proc_t p0, struct getlcid_args *uap, int32_t *retval)
2193 {
2194 proc_t p;
2195 int error = 0;
2196 int refheld = 0;
2197
2198 AUDIT_ARG(pid, uap->pid);
2199 if (uap->pid == LCID_PROC_SELF) {
2200 p = p0;
2201 } else {
2202 p = proc_find(uap->pid);
2203 if (p == NULL)
2204 return (ESRCH);
2205 refheld = 1;
2206 }
2207
2208 #if CONFIG_MACF
2209 error = mac_proc_check_getlcid(p0, p, uap->pid);
2210 if (error)
2211 goto out;
2212 #endif
2213 ALLLCTX_LOCK;
2214 if (p->p_lctx == NULL) {
2215 error = ENOATTR;
2216 ALLLCTX_UNLOCK;
2217 goto out;
2218 }
2219 *retval = p->p_lctx->lc_id;
2220 ALLLCTX_UNLOCK;
2221 out:
2222 if (refheld != 0)
2223 proc_rele(p);
2224
2225 return (error);
2226 }
2227 #else /* LCTX */
2228 int
2229 setlcid(proc_t p0, struct setlcid_args *uap, int32_t *retval)
2230 {
2231
2232 return (ENOSYS);
2233 }
2234
2235 int
2236 getlcid(proc_t p0, struct getlcid_args *uap, int32_t *retval)
2237 {
2238
2239 return (ENOSYS);
2240 }
2241 #endif /* !LCTX */