]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_prot.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-4903.221.2.tar.gz
[apple/xnu.git] / bsd / kern / kern_prot.c
1 /*
2 * Copyright (c) 2000-2008 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 *
28 *
29 * Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved
30 *
31 *
32 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
33 * The Regents of the University of California. All rights reserved.
34 * (c) UNIX System Laboratories, Inc.
35 * All or some portions of this file are derived from material licensed
36 * to the University of California by American Telephone and Telegraph
37 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
38 * the permission of UNIX System Laboratories, Inc.
39 *
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
42 * are met:
43 * 1. Redistributions of source code must retain the above copyright
44 * notice, this list of conditions and the following disclaimer.
45 * 2. Redistributions in binary form must reproduce the above copyright
46 * notice, this list of conditions and the following disclaimer in the
47 * documentation and/or other materials provided with the distribution.
48 * 3. All advertising materials mentioning features or use of this software
49 * must display the following acknowledgement:
50 * This product includes software developed by the University of
51 * California, Berkeley and its contributors.
52 * 4. Neither the name of the University nor the names of its contributors
53 * may be used to endorse or promote products derived from this software
54 * without specific prior written permission.
55 *
56 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
57 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
58 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
59 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
60 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
61 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
62 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
63 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
64 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
65 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
66 * SUCH DAMAGE.
67 *
68 * @(#)kern_prot.c 8.9 (Berkeley) 2/14/95
69 *
70 *
71 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
72 * support for mandatory and extensible security protections. This notice
73 * is included in support of clause 2.2 (b) of the Apple Public License,
74 * Version 2.0.
75 *
76 *
77 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
78 * support for mandatory and extensible security protections. This notice
79 * is included in support of clause 2.2 (b) of the Apple Public License,
80 * Version 2.0.
81 *
82 */
83
84 /*
85 * System calls related to processes and protection
86 */
87
88 #include <sys/param.h>
89 #include <sys/acct.h>
90 #include <sys/systm.h>
91 #include <sys/ucred.h>
92 #include <sys/proc_internal.h>
93 #include <sys/user.h>
94 #include <sys/kauth.h>
95 #include <sys/timeb.h>
96 #include <sys/times.h>
97 #include <sys/malloc.h>
98 #include <sys/persona.h>
99
100 #include <security/audit/audit.h>
101
102 #if CONFIG_MACF
103 #include <security/mac_framework.h>
104 #endif
105
106 #include <sys/mount_internal.h>
107 #include <sys/sysproto.h>
108 #include <mach/message.h>
109 #include <mach/host_security.h>
110
111 #include <kern/host.h>
112 #include <kern/task.h> /* for current_task() */
113 #include <kern/assert.h>
114
115
116 /*
117 * Credential debugging; we can track entry into a function that might
118 * change a credential, and we can track actual credential changes that
119 * result.
120 *
121 * Note: Does *NOT* currently include per-thread credential changes
122 *
123 * We don't use kauth_cred_print() in current debugging, but it
124 * can be used if needed when debugging is active.
125 */
126 #if DEBUG_CRED
127 #define DEBUG_CRED_ENTER printf
128 #define DEBUG_CRED_CHANGE printf
129 extern void kauth_cred_print(kauth_cred_t cred);
130 #else /* !DEBUG_CRED */
131 #define DEBUG_CRED_ENTER(fmt, ...) do {} while (0)
132 #define DEBUG_CRED_CHANGE(fmt, ...) do {} while (0)
133 #endif /* !DEBUG_CRED */
134
135 #if DEVELOPMENT || DEBUG
136 extern void task_importance_update_owner_info(task_t);
137 #endif
138
139
140 /*
141 * setprivexec
142 *
143 * Description: (dis)allow this process to hold task, thread, or execption
144 * ports of processes about to exec.
145 *
146 * Parameters: uap->flag New value for flag
147 *
148 * Returns: int Previous value of flag
149 *
150 * XXX: Belongs in kern_proc.c
151 */
152 int
153 setprivexec(proc_t p, struct setprivexec_args *uap, int32_t *retval)
154 {
155 AUDIT_ARG(value32, uap->flag);
156 *retval = p->p_debugger;
157 p->p_debugger = (uap->flag != 0);
158 return(0);
159 }
160
161
162 /*
163 * getpid
164 *
165 * Description: get the process ID
166 *
167 * Parameters: (void)
168 *
169 * Returns: pid_t Current process ID
170 *
171 * XXX: Belongs in kern_proc.c
172 */
173 int
174 getpid(proc_t p, __unused struct getpid_args *uap, int32_t *retval)
175 {
176
177 *retval = p->p_pid;
178 return (0);
179 }
180
181
182 /*
183 * getppid
184 *
185 * Description: get the parent process ID
186 *
187 * Parameters: (void)
188 *
189 * Returns: pid_t Parent process ID
190 *
191 * XXX: Belongs in kern_proc.c
192 */
193 int
194 getppid(proc_t p, __unused struct getppid_args *uap, int32_t *retval)
195 {
196
197 *retval = p->p_ppid;
198 return (0);
199 }
200
201
202 /*
203 * getpgrp
204 *
205 * Description: get the process group ID of the calling process
206 *
207 * Parameters: (void)
208 *
209 * Returns: pid_t Process group ID
210 *
211 * XXX: Belongs in kern_proc.c
212 */
213 int
214 getpgrp(proc_t p, __unused struct getpgrp_args *uap, int32_t *retval)
215 {
216
217 *retval = p->p_pgrpid;
218 return (0);
219 }
220
221
222 /*
223 * getpgid
224 *
225 * Description: Get an arbitary pid's process group id
226 *
227 * Parameters: uap->pid The target pid
228 *
229 * Returns: 0 Success
230 * ESRCH No such process
231 *
232 * Notes: We are permitted to return EPERM in the case that the target
233 * process is not in the same session as the calling process,
234 * which could be a security consideration
235 *
236 * XXX: Belongs in kern_proc.c
237 */
238 int
239 getpgid(proc_t p, struct getpgid_args *uap, int32_t *retval)
240 {
241 proc_t pt;
242 int refheld = 0;
243
244 pt = p;
245 if (uap->pid == 0)
246 goto found;
247
248 if ((pt = proc_find(uap->pid)) == 0)
249 return (ESRCH);
250 refheld = 1;
251 found:
252 *retval = pt->p_pgrpid;
253 if (refheld != 0)
254 proc_rele(pt);
255 return (0);
256 }
257
258
259 /*
260 * getsid
261 *
262 * Description: Get an arbitary pid's session leaders process group ID
263 *
264 * Parameters: uap->pid The target pid
265 *
266 * Returns: 0 Success
267 * ESRCH No such process
268 *
269 * Notes: We are permitted to return EPERM in the case that the target
270 * process is not in the same session as the calling process,
271 * which could be a security consideration
272 *
273 * XXX: Belongs in kern_proc.c
274 */
275 int
276 getsid(proc_t p, struct getsid_args *uap, int32_t *retval)
277 {
278 proc_t pt;
279 int refheld = 0;
280 struct session * sessp;
281
282 pt = p;
283 if (uap->pid == 0)
284 goto found;
285
286 if ((pt = proc_find(uap->pid)) == 0)
287 return (ESRCH);
288 refheld = 1;
289 found:
290 sessp = proc_session(pt);
291 *retval = sessp->s_sid;
292 session_rele(sessp);
293
294 if (refheld != 0)
295 proc_rele(pt);
296 return (0);
297 }
298
299
300 /*
301 * getuid
302 *
303 * Description: get real user ID for caller
304 *
305 * Parameters: (void)
306 *
307 * Returns: uid_t The real uid of the caller
308 */
309 int
310 getuid(__unused proc_t p, __unused struct getuid_args *uap, int32_t *retval)
311 {
312
313 *retval = kauth_getruid();
314 return (0);
315 }
316
317
318 /*
319 * geteuid
320 *
321 * Description: get effective user ID for caller
322 *
323 * Parameters: (void)
324 *
325 * Returns: uid_t The effective uid of the caller
326 */
327 int
328 geteuid(__unused proc_t p, __unused struct geteuid_args *uap, int32_t *retval)
329 {
330
331 *retval = kauth_getuid();
332 return (0);
333 }
334
335
336 /*
337 * gettid
338 *
339 * Description: Return the per-thread override identity.
340 *
341 * Parameters: uap->uidp Address of uid_t to get uid
342 * uap->gidp Address of gid_t to get gid
343 *
344 * Returns: 0 Success
345 * ESRCH No per thread identity active
346 */
347 int
348 gettid(__unused proc_t p, struct gettid_args *uap, int32_t *retval)
349 {
350 struct uthread *uthread = get_bsdthread_info(current_thread());
351 int error;
352
353 /*
354 * If this thread is not running with an override identity, we can't
355 * return one to the caller, so return an error instead.
356 */
357 if (!(uthread->uu_flag & UT_SETUID))
358 return (ESRCH);
359
360 if ((error = suword(uap->uidp, kauth_cred_getruid(uthread->uu_ucred))))
361 return (error);
362 if ((error = suword(uap->gidp, kauth_cred_getrgid(uthread->uu_ucred))))
363 return (error);
364
365 *retval = 0;
366 return (0);
367 }
368
369
370 /*
371 * getgid
372 *
373 * Description: get the real group ID for the calling process
374 *
375 * Parameters: (void)
376 *
377 * Returns: gid_t The real gid of the caller
378 */
379 int
380 getgid(__unused proc_t p, __unused struct getgid_args *uap, int32_t *retval)
381 {
382
383 *retval = kauth_getrgid();
384 return (0);
385 }
386
387
388 /*
389 * getegid
390 *
391 * Description: get the effective group ID for the calling process
392 *
393 * Parameters: (void)
394 *
395 * Returns: gid_t The effective gid of the caller
396 *
397 * Notes: As an implementation detail, the effective gid is stored as
398 * the first element of the supplementary group list.
399 *
400 * This could be implemented in Libc instead because of the above
401 * detail.
402 */
403 int
404 getegid(__unused proc_t p, __unused struct getegid_args *uap, int32_t *retval)
405 {
406
407 *retval = kauth_getgid();
408 return (0);
409 }
410
411
412 /*
413 * getgroups
414 *
415 * Description: get the list of supplementary groups for the calling process
416 *
417 * Parameters: uap->gidsetsize # of gid_t's in user buffer
418 * uap->gidset Pointer to user buffer
419 *
420 * Returns: 0 Success
421 * EINVAL User buffer too small
422 * copyout:EFAULT User buffer invalid
423 *
424 * Retval: -1 Error
425 * !0 # of groups
426 *
427 * Notes: The caller may specify a 0 value for gidsetsize, and we will
428 * then return how large a buffer is required (in gid_t's) to
429 * contain the answer at the time of the call. Otherwise, we
430 * return the number of gid_t's catually copied to user space.
431 *
432 * When called with a 0 gidsetsize from a multithreaded program,
433 * there is no guarantee that another thread may not change the
434 * number of supplementary groups, and therefore a subsequent
435 * call could still fail, unless the maximum possible buffer
436 * size is supplied by the user.
437 *
438 * As an implementation detail, the effective gid is stored as
439 * the first element of the supplementary group list, and will
440 * be returned by this call.
441 */
442 int
443 getgroups(__unused proc_t p, struct getgroups_args *uap, int32_t *retval)
444 {
445 int ngrp;
446 int error;
447 kauth_cred_t cred;
448 posix_cred_t pcred;
449
450 /* grab reference while we muck around with the credential */
451 cred = kauth_cred_get_with_ref();
452 pcred = posix_cred_get(cred);
453
454 if ((ngrp = uap->gidsetsize) == 0) {
455 *retval = pcred->cr_ngroups;
456 kauth_cred_unref(&cred);
457 return (0);
458 }
459 if (ngrp < pcred->cr_ngroups) {
460 kauth_cred_unref(&cred);
461 return (EINVAL);
462 }
463 ngrp = pcred->cr_ngroups;
464 if ((error = copyout((caddr_t)pcred->cr_groups,
465 uap->gidset,
466 ngrp * sizeof(gid_t)))) {
467 kauth_cred_unref(&cred);
468 return (error);
469 }
470 kauth_cred_unref(&cred);
471 *retval = ngrp;
472 return (0);
473 }
474
475
476 /*
477 * Return the per-thread/per-process supplementary groups list.
478 *
479 * XXX implement getsgroups
480 *
481 */
482
483 int
484 getsgroups(__unused proc_t p, __unused struct getsgroups_args *uap, __unused int32_t *retval)
485 {
486 return(ENOTSUP);
487 }
488
489 /*
490 * Return the per-thread/per-process whiteout groups list.
491 *
492 * XXX implement getwgroups
493 *
494 */
495
496 int
497 getwgroups(__unused proc_t p, __unused struct getwgroups_args *uap, __unused int32_t *retval)
498 {
499 return(ENOTSUP);
500 }
501
502
503 /*
504 * setsid
505 *
506 * Description: Create a new session and set the process group ID to the
507 * session ID
508 *
509 * Parameters: (void)
510 *
511 * Returns: 0 Success
512 * EPERM Permission denied
513 *
514 * Notes: If the calling process is not the process group leader; there
515 * is no existing process group with its ID, and we are not
516 * currently in vfork, then this function will create a new
517 * session, a new process group, and put the caller in the
518 * process group (as the sole member) and make it the session
519 * leader (as the sole process in the session).
520 *
521 * The existing controlling tty (if any) will be dissociated
522 * from the process, and the next non-O_NOCTTY open of a tty
523 * will establish a new controlling tty.
524 *
525 * XXX: Belongs in kern_proc.c
526 */
527 int
528 setsid(proc_t p, __unused struct setsid_args *uap, int32_t *retval)
529 {
530 struct pgrp * pg = PGRP_NULL;
531
532 if (p->p_pgrpid == p->p_pid || (pg = pgfind(p->p_pid)) || p->p_lflag & P_LINVFORK) {
533 if (pg != PGRP_NULL)
534 pg_rele(pg);
535 return (EPERM);
536 } else {
537 /* enter pgrp works with its own pgrp refcount */
538 (void)enterpgrp(p, p->p_pid, 1);
539 *retval = p->p_pid;
540 return (0);
541 }
542 }
543
544
545 /*
546 * setpgid
547 *
548 * Description: set process group ID for job control
549 *
550 * Parameters: uap->pid Process to change
551 * uap->pgid Process group to join or create
552 *
553 * Returns: 0 Success
554 * ESRCH pid is not the caller or a child of
555 * the caller
556 * enterpgrp:ESRCH No such process
557 * EACCES Permission denied due to exec
558 * EINVAL Invalid argument
559 * EPERM The target process is not in the same
560 * session as the calling process
561 * EPERM The target process is a session leader
562 * EPERM pid and pgid are not the same, and
563 * there is no process in the calling
564 * process whose process group ID matches
565 * pgid
566 *
567 * Notes: This function will cause the target process to either join
568 * an existing process process group, or create a new process
569 * group in the session of the calling process. It cannot be
570 * used to change the process group ID of a process which is
571 * already a session leader.
572 *
573 * If the target pid is 0, the pid of the calling process is
574 * substituted as the new target; if pgid is 0, the target pid
575 * is used as the target process group ID.
576 *
577 * Legacy: This system call entry point is also used to implement the
578 * legacy library routine setpgrp(), which under POSIX
579 *
580 * XXX: Belongs in kern_proc.c
581 */
582 int
583 setpgid(proc_t curp, struct setpgid_args *uap, __unused int32_t *retval)
584 {
585 proc_t targp = PROC_NULL; /* target process */
586 struct pgrp *pg = PGRP_NULL; /* target pgrp */
587 int error = 0;
588 int refheld = 0;
589 int samesess = 0;
590 struct session * curp_sessp = SESSION_NULL;
591 struct session * targp_sessp = SESSION_NULL;
592
593 curp_sessp = proc_session(curp);
594
595 if (uap->pid != 0 && uap->pid != curp->p_pid) {
596 if ((targp = proc_find(uap->pid)) == 0 || !inferior(targp)) {
597 if (targp != PROC_NULL)
598 refheld = 1;
599 error = ESRCH;
600 goto out;
601 }
602 refheld = 1;
603 targp_sessp = proc_session(targp);
604 if (targp_sessp != curp_sessp) {
605 error = EPERM;
606 goto out;
607 }
608 if (targp->p_flag & P_EXEC) {
609 error = EACCES;
610 goto out;
611 }
612 } else {
613 targp = curp;
614 targp_sessp = proc_session(targp);
615 }
616
617 if (SESS_LEADER(targp, targp_sessp)) {
618 error = EPERM;
619 goto out;
620 }
621 if (targp_sessp != SESSION_NULL) {
622 session_rele(targp_sessp);
623 targp_sessp = SESSION_NULL;
624 }
625
626 if (uap->pgid < 0) {
627 error = EINVAL;
628 goto out;
629 }
630 if (uap->pgid == 0)
631 uap->pgid = targp->p_pid;
632 else if (uap->pgid != targp->p_pid) {
633 if ((pg = pgfind(uap->pgid)) == 0){
634 error = EPERM;
635 goto out;
636 }
637 samesess = (pg->pg_session != curp_sessp);
638 pg_rele(pg);
639 if (samesess != 0) {
640 error = EPERM;
641 goto out;
642 }
643 }
644 error = enterpgrp(targp, uap->pgid, 0);
645 out:
646 if (targp_sessp != SESSION_NULL)
647 session_rele(targp_sessp);
648 if (curp_sessp != SESSION_NULL)
649 session_rele(curp_sessp);
650 if (refheld != 0)
651 proc_rele(targp);
652 return(error);
653 }
654
655
656 /*
657 * issetugid
658 *
659 * Description: Is current process tainted by uid or gid changes system call
660 *
661 * Parameters: (void)
662 *
663 * Returns: 0 Not tainted
664 * 1 Tainted
665 *
666 * Notes: A process is considered tainted if it was created as a retult
667 * of an execve call from an imnage that had either the SUID or
668 * SGID bit set on the executable, or if it has changed any of its
669 * real, effective, or saved user or group IDs since beginning
670 * execution.
671 */
672 int
673 proc_issetugid (proc_t p)
674 {
675 return (p->p_flag & P_SUGID) ? 1 : 0;
676 }
677
678 int
679 issetugid(proc_t p, __unused struct issetugid_args *uap, int32_t *retval)
680 {
681 /*
682 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
683 * we use P_SUGID because we consider changing the owners as
684 * "tainting" as well.
685 * This is significant for procs that start as root and "become"
686 * a user without an exec - programs cannot know *everything*
687 * that libc *might* have put in their data segment.
688 */
689
690 *retval = proc_issetugid(p);
691 return (0);
692 }
693
694
695 /*
696 * setuid
697 *
698 * Description: Set user ID system call
699 *
700 * Parameters: uap->uid uid to set
701 *
702 * Returns: 0 Success
703 * suser:EPERM Permission denied
704 *
705 * Notes: If called by a privileged process, this function will set the
706 * real, effective, and saved uid to the requested value.
707 *
708 * If called from an unprivileged process, but uid is equal to the
709 * real or saved uid, then the effective uid will be set to the
710 * requested value, but the real and saved uid will not change.
711 *
712 * If the credential is changed as a result of this call, then we
713 * flag the process as having set privilege since the last exec.
714 */
715 int
716 setuid(proc_t p, struct setuid_args *uap, __unused int32_t *retval)
717 {
718 uid_t uid;
719 uid_t svuid = KAUTH_UID_NONE;
720 uid_t ruid = KAUTH_UID_NONE;
721 uid_t gmuid = KAUTH_UID_NONE;
722 int error;
723 kauth_cred_t my_cred, my_new_cred;
724 posix_cred_t my_pcred;
725
726 uid = uap->uid;
727
728 /* get current credential and take a reference while we muck with it */
729 my_cred = kauth_cred_proc_ref(p);
730 my_pcred = posix_cred_get(my_cred);
731
732 DEBUG_CRED_ENTER("setuid (%d/%d): %p %d\n", p->p_pid, (p->p_pptr ? p->p_pptr->p_pid : 0), my_cred, uap->uid);
733 AUDIT_ARG(uid, uid);
734
735 for (;;) {
736 if (uid != my_pcred->cr_ruid && /* allow setuid(getuid()) */
737 uid != my_pcred->cr_svuid && /* allow setuid(saved uid) */
738 (error = suser(my_cred, &p->p_acflag))) {
739 kauth_cred_unref(&my_cred);
740 return (error);
741 }
742
743 /*
744 * If we are privileged, then set the saved and real UID too;
745 * otherwise, just set the effective UID
746 */
747 if (suser(my_cred, &p->p_acflag) == 0) {
748 svuid = uid;
749 ruid = uid;
750 } else {
751 svuid = KAUTH_UID_NONE;
752 ruid = KAUTH_UID_NONE;
753 }
754 /*
755 * Only set the gmuid if the current cred has not opt'ed out;
756 * this normally only happens when calling setgroups() instead
757 * of initgroups() to set an explicit group list, or one of the
758 * other group manipulation functions is invoked and results in
759 * a dislocation (i.e. the credential group membership changes
760 * to something other than the default list for the user, as
761 * in entering a group or leaving an exclusion group).
762 */
763 if (!(my_pcred->cr_flags & CRF_NOMEMBERD))
764 gmuid = uid;
765
766 /*
767 * Set the credential with new info. If there is no change,
768 * we get back the same credential we passed in; if there is
769 * a change, we drop the reference on the credential we
770 * passed in. The subsequent compare is safe, because it is
771 * a pointer compare rather than a contents compare.
772 */
773 my_new_cred = kauth_cred_setresuid(my_cred, ruid, uid, svuid, gmuid);
774 if (my_cred != my_new_cred) {
775
776 DEBUG_CRED_CHANGE("setuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
777
778 /*
779 * If we're changing the ruid from A to B, we might race with another thread that's setting ruid from B to A.
780 * The current locking mechanisms don't allow us to make the entire credential switch operation atomic,
781 * thus we may be able to change the process credentials from ruid A to B, but get preempted before incrementing the proc
782 * count of B. If a second thread sees the new process credentials and switches back to ruid A, that other thread
783 * may be able to decrement the proc count of B before we can increment it. This results in a panic.
784 * Incrementing the proc count of the target ruid, B, before setting the process credentials prevents this race.
785 */
786 if (ruid != KAUTH_UID_NONE && !proc_has_persona(p)) {
787 (void)chgproccnt(ruid, 1);
788 }
789
790 proc_ucred_lock(p);
791 /*
792 * We need to protect for a race where another thread
793 * also changed the credential after we took our
794 * reference. If p_ucred has changed then we should
795 * restart this again with the new cred.
796 *
797 * Note: the kauth_cred_setresuid has consumed a reference to my_cred, it p_ucred != my_cred, then my_cred must not be dereferenced!
798 */
799 if (p->p_ucred != my_cred) {
800 proc_ucred_unlock(p);
801 /*
802 * We didn't successfully switch to the new ruid, so decrement
803 * the procs/uid count that we incremented above.
804 */
805 if (ruid != KAUTH_UID_NONE && !proc_has_persona(p)) {
806 (void)chgproccnt(ruid, -1);
807 }
808 kauth_cred_unref(&my_new_cred);
809 my_cred = kauth_cred_proc_ref(p);
810 my_pcred = posix_cred_get(my_cred);
811 /* try again */
812 continue;
813 }
814 p->p_ucred = my_new_cred;
815 /* update cred on proc */
816 PROC_UPDATE_CREDS_ONPROC(p);
817
818 OSBitOrAtomic(P_SUGID, &p->p_flag);
819 proc_ucred_unlock(p);
820 /*
821 * If we've updated the ruid, decrement the count of procs running
822 * under the previous ruid
823 */
824 if (ruid != KAUTH_UID_NONE && !proc_has_persona(p)) {
825 (void)chgproccnt(my_pcred->cr_ruid, -1);
826 }
827 }
828 break;
829 }
830 /* Drop old proc reference or our extra reference */
831 kauth_cred_unref(&my_cred);
832
833 set_security_token(p);
834 return (0);
835 }
836
837
838 /*
839 * seteuid
840 *
841 * Description: Set effective user ID system call
842 *
843 * Parameters: uap->euid effective uid to set
844 *
845 * Returns: 0 Success
846 * suser:EPERM Permission denied
847 *
848 * Notes: If called by a privileged process, or called from an
849 * unprivileged process but euid is equal to the real or saved
850 * uid, then the effective uid will be set to the requested
851 * value, but the real and saved uid will not change.
852 *
853 * If the credential is changed as a result of this call, then we
854 * flag the process as having set privilege since the last exec.
855 */
856 int
857 seteuid(proc_t p, struct seteuid_args *uap, __unused int32_t *retval)
858 {
859 uid_t euid;
860 int error;
861 kauth_cred_t my_cred, my_new_cred;
862 posix_cred_t my_pcred;
863
864 DEBUG_CRED_ENTER("seteuid: %d\n", uap->euid);
865
866 euid = uap->euid;
867 AUDIT_ARG(euid, euid);
868
869 my_cred = kauth_cred_proc_ref(p);
870 my_pcred = posix_cred_get(my_cred);
871
872 for (;;) {
873
874 if (euid != my_pcred->cr_ruid && euid != my_pcred->cr_svuid &&
875 (error = suser(my_cred, &p->p_acflag))) {
876 kauth_cred_unref(&my_cred);
877 return (error);
878 }
879
880 /*
881 * Set the credential with new info. If there is no change,
882 * we get back the same credential we passed in; if there is
883 * a change, we drop the reference on the credential we
884 * passed in. The subsequent compare is safe, because it is
885 * a pointer compare rather than a contents compare.
886 */
887 my_new_cred = kauth_cred_setresuid(my_cred, KAUTH_UID_NONE, euid, KAUTH_UID_NONE, my_pcred->cr_gmuid);
888
889 if (my_cred != my_new_cred) {
890
891 DEBUG_CRED_CHANGE("seteuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
892
893 proc_ucred_lock(p);
894 /*
895 * We need to protect for a race where another thread
896 * also changed the credential after we took our
897 * reference. If p_ucred has changed then we
898 * should restart this again with the new cred.
899 */
900 if (p->p_ucred != my_cred) {
901 proc_ucred_unlock(p);
902 kauth_cred_unref(&my_new_cred);
903 my_cred = kauth_cred_proc_ref(p);
904 my_pcred = posix_cred_get(my_cred);
905 /* try again */
906 continue;
907 }
908 p->p_ucred = my_new_cred;
909 /* update cred on proc */
910 PROC_UPDATE_CREDS_ONPROC(p);
911 OSBitOrAtomic(P_SUGID, &p->p_flag);
912 proc_ucred_unlock(p);
913 }
914 break;
915 }
916 /* drop old proc reference or our extra reference */
917 kauth_cred_unref(&my_cred);
918
919 set_security_token(p);
920 return (0);
921 }
922
923
924 /*
925 * setreuid
926 *
927 * Description: Set real and effective user ID system call
928 *
929 * Parameters: uap->ruid real uid to set
930 * uap->euid effective uid to set
931 *
932 * Returns: 0 Success
933 * suser:EPERM Permission denied
934 *
935 * Notes: A value of -1 is a special case indicating that the uid for
936 * which that value is specified not be changed. If both values
937 * are specified as -1, no action is taken.
938 *
939 * If called by a privileged process, the real and effective uid
940 * will be set to the new value(s) specified.
941 *
942 * If called from an unprivileged process, the real uid may be
943 * set to the current value of the real uid, or to the current
944 * value of the saved uid. The effective uid may be set to the
945 * current value of any of the effective, real, or saved uid.
946 *
947 * If the newly requested real uid or effective uid does not
948 * match the saved uid, then set the saved uid to the new
949 * effective uid (potentially unrecoverably dropping saved
950 * privilege).
951 *
952 * If the credential is changed as a result of this call, then we
953 * flag the process as having set privilege since the last exec.
954 */
955 int
956 setreuid(proc_t p, struct setreuid_args *uap, __unused int32_t *retval)
957 {
958 uid_t ruid, euid;
959 int error;
960 kauth_cred_t my_cred, my_new_cred;
961 posix_cred_t my_pcred;
962
963 DEBUG_CRED_ENTER("setreuid %d %d\n", uap->ruid, uap->euid);
964
965 ruid = uap->ruid;
966 euid = uap->euid;
967 if (ruid == (uid_t)-1)
968 ruid = KAUTH_UID_NONE;
969 if (euid == (uid_t)-1)
970 euid = KAUTH_UID_NONE;
971 AUDIT_ARG(euid, euid);
972 AUDIT_ARG(ruid, ruid);
973
974 my_cred = kauth_cred_proc_ref(p);
975 my_pcred = posix_cred_get(my_cred);
976
977 for (;;) {
978
979 if (((ruid != KAUTH_UID_NONE && /* allow no change of ruid */
980 ruid != my_pcred->cr_ruid && /* allow ruid = ruid */
981 ruid != my_pcred->cr_uid && /* allow ruid = euid */
982 ruid != my_pcred->cr_svuid) || /* allow ruid = svuid */
983 (euid != KAUTH_UID_NONE && /* allow no change of euid */
984 euid != my_pcred->cr_uid && /* allow euid = euid */
985 euid != my_pcred->cr_ruid && /* allow euid = ruid */
986 euid != my_pcred->cr_svuid)) && /* allow euid = svuid */
987 (error = suser(my_cred, &p->p_acflag))) { /* allow root user any */
988 kauth_cred_unref(&my_cred);
989 return (error);
990 }
991
992 uid_t new_euid;
993 uid_t svuid = KAUTH_UID_NONE;
994
995 new_euid = my_pcred->cr_uid;
996 /*
997 * Set the credential with new info. If there is no change,
998 * we get back the same credential we passed in; if there is
999 * a change, we drop the reference on the credential we
1000 * passed in. The subsequent compare is safe, because it is
1001 * a pointer compare rather than a contents compare.
1002 */
1003 if (euid != KAUTH_UID_NONE && my_pcred->cr_uid != euid) {
1004 /* changing the effective UID */
1005 new_euid = euid;
1006 OSBitOrAtomic(P_SUGID, &p->p_flag);
1007 }
1008 /*
1009 * If the newly requested real uid or effective uid does
1010 * not match the saved uid, then set the saved uid to the
1011 * new effective uid. We are protected from escalation
1012 * by the prechecking.
1013 */
1014 if (my_pcred->cr_svuid != uap->ruid &&
1015 my_pcred->cr_svuid != uap->euid) {
1016 svuid = new_euid;
1017 OSBitOrAtomic(P_SUGID, &p->p_flag);
1018 }
1019
1020 my_new_cred = kauth_cred_setresuid(my_cred, ruid, euid, svuid, my_pcred->cr_gmuid);
1021
1022 if (my_cred != my_new_cred) {
1023
1024 DEBUG_CRED_CHANGE("setreuid CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
1025
1026 /*
1027 * If we're changing the ruid from A to B, we might race with another thread that's setting ruid from B to A.
1028 * The current locking mechanisms don't allow us to make the entire credential switch operation atomic,
1029 * thus we may be able to change the process credentials from ruid A to B, but get preempted before incrementing the proc
1030 * count of B. If a second thread sees the new process credentials and switches back to ruid A, that other thread
1031 * may be able to decrement the proc count of B before we can increment it. This results in a panic.
1032 * Incrementing the proc count of the target ruid, B, before setting the process credentials prevents this race.
1033 */
1034 if (ruid != KAUTH_UID_NONE && !proc_has_persona(p)) {
1035 (void)chgproccnt(ruid, 1);
1036 }
1037
1038 proc_ucred_lock(p);
1039 /*
1040 * We need to protect for a race where another thread
1041 * also changed the credential after we took our
1042 * reference. If p_ucred has changed then we should
1043 * restart this again with the new cred.
1044 *
1045 * Note: the kauth_cred_setresuid has consumed a reference to my_cred, it p_ucred != my_cred, then my_cred must not be dereferenced!
1046 */
1047 if (p->p_ucred != my_cred) {
1048 proc_ucred_unlock(p);
1049 if (ruid != KAUTH_UID_NONE && !proc_has_persona(p)) {
1050 /*
1051 * We didn't successfully switch to the new ruid, so decrement
1052 * the procs/uid count that we incremented above.
1053 */
1054 (void)chgproccnt(ruid, -1);
1055 }
1056 kauth_cred_unref(&my_new_cred);
1057 my_cred = kauth_cred_proc_ref(p);
1058 my_pcred = posix_cred_get(my_cred);
1059 /* try again */
1060 continue;
1061 }
1062
1063 p->p_ucred = my_new_cred;
1064 /* update cred on proc */
1065 PROC_UPDATE_CREDS_ONPROC(p);
1066 OSBitOrAtomic(P_SUGID, &p->p_flag);
1067 proc_ucred_unlock(p);
1068
1069 if (ruid != KAUTH_UID_NONE && !proc_has_persona(p)) {
1070 /*
1071 * We switched to a new ruid, so decrement the count of procs running
1072 * under the previous ruid
1073 */
1074 (void)chgproccnt(my_pcred->cr_ruid, -1);
1075 }
1076 }
1077 break;
1078 }
1079 /* drop old proc reference or our extra reference */
1080 kauth_cred_unref(&my_cred);
1081
1082 set_security_token(p);
1083 return (0);
1084 }
1085
1086
1087 /*
1088 * setgid
1089 *
1090 * Description: Set group ID system call
1091 *
1092 * Parameters: uap->gid gid to set
1093 *
1094 * Returns: 0 Success
1095 * suser:EPERM Permission denied
1096 *
1097 * Notes: If called by a privileged process, this function will set the
1098 * real, effective, and saved gid to the requested value.
1099 *
1100 * If called from an unprivileged process, but gid is equal to the
1101 * real or saved gid, then the effective gid will be set to the
1102 * requested value, but the real and saved gid will not change.
1103 *
1104 * If the credential is changed as a result of this call, then we
1105 * flag the process as having set privilege since the last exec.
1106 *
1107 * As an implementation detail, the effective gid is stored as
1108 * the first element of the supplementary group list, and
1109 * therefore the effective group list may be reordered to keep
1110 * the supplementary group list unchanged.
1111 */
1112 int
1113 setgid(proc_t p, struct setgid_args *uap, __unused int32_t *retval)
1114 {
1115 gid_t gid;
1116 gid_t rgid = KAUTH_GID_NONE;
1117 gid_t svgid = KAUTH_GID_NONE;
1118 int error;
1119 kauth_cred_t my_cred, my_new_cred;
1120 posix_cred_t my_pcred;
1121
1122 DEBUG_CRED_ENTER("setgid(%d/%d): %d\n", p->p_pid, (p->p_pptr ? p->p_pptr->p_pid : 0), uap->gid);
1123
1124 gid = uap->gid;
1125 AUDIT_ARG(gid, gid);
1126
1127 /* get current credential and take a reference while we muck with it */
1128 my_cred = kauth_cred_proc_ref(p);
1129 my_pcred = posix_cred_get(my_cred);
1130
1131 for (;;) {
1132 if (gid != my_pcred->cr_rgid && /* allow setgid(getgid()) */
1133 gid != my_pcred->cr_svgid && /* allow setgid(saved gid) */
1134 (error = suser(my_cred, &p->p_acflag))) {
1135 kauth_cred_unref(&my_cred);
1136 return (error);
1137 }
1138
1139 /*
1140 * If we are privileged, then set the saved and real GID too;
1141 * otherwise, just set the effective GID
1142 */
1143 if (suser(my_cred, &p->p_acflag) == 0) {
1144 svgid = gid;
1145 rgid = gid;
1146 } else {
1147 svgid = KAUTH_GID_NONE;
1148 rgid = KAUTH_GID_NONE;
1149 }
1150
1151 /*
1152 * Set the credential with new info. If there is no change,
1153 * we get back the same credential we passed in; if there is
1154 * a change, we drop the reference on the credential we
1155 * passed in. The subsequent compare is safe, because it is
1156 * a pointer compare rather than a contents compare.
1157 */
1158 my_new_cred = kauth_cred_setresgid(my_cred, rgid, gid, svgid);
1159 if (my_cred != my_new_cred) {
1160
1161 DEBUG_CRED_CHANGE("setgid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1162
1163 proc_ucred_lock(p);
1164 /*
1165 * We need to protect for a race where another thread
1166 * also changed the credential after we took our
1167 * reference. If p_ucred has changed then we
1168 * should restart this again with the new cred.
1169 */
1170 if (p->p_ucred != my_cred) {
1171 proc_ucred_unlock(p);
1172 kauth_cred_unref(&my_new_cred);
1173 /* try again */
1174 my_cred = kauth_cred_proc_ref(p);
1175 my_pcred = posix_cred_get(my_cred);
1176 continue;
1177 }
1178 p->p_ucred = my_new_cred;
1179 /* update cred on proc */
1180 PROC_UPDATE_CREDS_ONPROC(p);
1181 OSBitOrAtomic(P_SUGID, &p->p_flag);
1182 proc_ucred_unlock(p);
1183 }
1184 break;
1185 }
1186 /* Drop old proc reference or our extra reference */
1187 kauth_cred_unref(&my_cred);
1188
1189 set_security_token(p);
1190 return (0);
1191 }
1192
1193
1194 /*
1195 * setegid
1196 *
1197 * Description: Set effective group ID system call
1198 *
1199 * Parameters: uap->egid effective gid to set
1200 *
1201 * Returns: 0 Success
1202 * suser:EPERM
1203 *
1204 * Notes: If called by a privileged process, or called from an
1205 * unprivileged process but egid is equal to the real or saved
1206 * gid, then the effective gid will be set to the requested
1207 * value, but the real and saved gid will not change.
1208 *
1209 * If the credential is changed as a result of this call, then we
1210 * flag the process as having set privilege since the last exec.
1211 *
1212 * As an implementation detail, the effective gid is stored as
1213 * the first element of the supplementary group list, and
1214 * therefore the effective group list may be reordered to keep
1215 * the supplementary group list unchanged.
1216 */
1217 int
1218 setegid(proc_t p, struct setegid_args *uap, __unused int32_t *retval)
1219 {
1220 gid_t egid;
1221 int error;
1222 kauth_cred_t my_cred, my_new_cred;
1223 posix_cred_t my_pcred;
1224
1225 DEBUG_CRED_ENTER("setegid %d\n", uap->egid);
1226
1227 egid = uap->egid;
1228 AUDIT_ARG(egid, egid);
1229
1230 /* get current credential and take a reference while we muck with it */
1231 my_cred = kauth_cred_proc_ref(p);
1232 my_pcred = posix_cred_get(my_cred);
1233
1234
1235 for (;;) {
1236 if (egid != my_pcred->cr_rgid &&
1237 egid != my_pcred->cr_svgid &&
1238 (error = suser(my_cred, &p->p_acflag))) {
1239 kauth_cred_unref(&my_cred);
1240 return (error);
1241 }
1242 /*
1243 * Set the credential with new info. If there is no change,
1244 * we get back the same credential we passed in; if there is
1245 * a change, we drop the reference on the credential we
1246 * passed in. The subsequent compare is safe, because it is
1247 * a pointer compare rather than a contents compare.
1248 */
1249 my_new_cred = kauth_cred_setresgid(my_cred, KAUTH_GID_NONE, egid, KAUTH_GID_NONE);
1250 if (my_cred != my_new_cred) {
1251
1252 DEBUG_CRED_CHANGE("setegid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
1253
1254 proc_ucred_lock(p);
1255 /*
1256 * We need to protect for a race where another thread
1257 * also changed the credential after we took our
1258 * reference. If p_ucred has changed then we
1259 * should restart this again with the new cred.
1260 */
1261 if (p->p_ucred != my_cred) {
1262 proc_ucred_unlock(p);
1263 kauth_cred_unref(&my_new_cred);
1264 /* try again */
1265 my_cred = kauth_cred_proc_ref(p);
1266 my_pcred = posix_cred_get(my_cred);
1267 continue;
1268 }
1269 p->p_ucred = my_new_cred;
1270 /* update cred on proc */
1271 PROC_UPDATE_CREDS_ONPROC(p);
1272 OSBitOrAtomic(P_SUGID, &p->p_flag);
1273 proc_ucred_unlock(p);
1274 }
1275 break;
1276 }
1277
1278 /* Drop old proc reference or our extra reference */
1279 kauth_cred_unref(&my_cred);
1280
1281 set_security_token(p);
1282 return (0);
1283 }
1284
1285 /*
1286 * setregid
1287 *
1288 * Description: Set real and effective group ID system call
1289 *
1290 * Parameters: uap->rgid real gid to set
1291 * uap->egid effective gid to set
1292 *
1293 * Returns: 0 Success
1294 * suser:EPERM Permission denied
1295 *
1296 * Notes: A value of -1 is a special case indicating that the gid for
1297 * which that value is specified not be changed. If both values
1298 * are specified as -1, no action is taken.
1299 *
1300 * If called by a privileged process, the real and effective gid
1301 * will be set to the new value(s) specified.
1302 *
1303 * If called from an unprivileged process, the real gid may be
1304 * set to the current value of the real gid, or to the current
1305 * value of the saved gid. The effective gid may be set to the
1306 * current value of any of the effective, real, or saved gid.
1307 *
1308 * If the new real and effective gid will not be equal, or the
1309 * new real or effective gid is not the same as the saved gid,
1310 * then the saved gid will be updated to reflect the new
1311 * effective gid (potentially unrecoverably dropping saved
1312 * privilege).
1313 *
1314 * If the credential is changed as a result of this call, then we
1315 * flag the process as having set privilege since the last exec.
1316 *
1317 * As an implementation detail, the effective gid is stored as
1318 * the first element of the supplementary group list, and
1319 * therefore the effective group list may be reordered to keep
1320 * the supplementary group list unchanged.
1321 */
1322 int
1323 setregid(proc_t p, struct setregid_args *uap, __unused int32_t *retval)
1324 {
1325 gid_t rgid, egid;
1326 int error;
1327 kauth_cred_t my_cred, my_new_cred;
1328 posix_cred_t my_pcred;
1329
1330 DEBUG_CRED_ENTER("setregid %d %d\n", uap->rgid, uap->egid);
1331
1332 rgid = uap->rgid;
1333 egid = uap->egid;
1334
1335 if (rgid == (uid_t)-1)
1336 rgid = KAUTH_GID_NONE;
1337 if (egid == (uid_t)-1)
1338 egid = KAUTH_GID_NONE;
1339 AUDIT_ARG(egid, egid);
1340 AUDIT_ARG(rgid, rgid);
1341
1342 /* get current credential and take a reference while we muck with it */
1343 my_cred = kauth_cred_proc_ref(p);
1344 my_pcred = posix_cred_get(my_cred);
1345
1346 for (;;) {
1347
1348 if (((rgid != KAUTH_UID_NONE && /* allow no change of rgid */
1349 rgid != my_pcred->cr_rgid && /* allow rgid = rgid */
1350 rgid != my_pcred->cr_gid && /* allow rgid = egid */
1351 rgid != my_pcred->cr_svgid) || /* allow rgid = svgid */
1352 (egid != KAUTH_UID_NONE && /* allow no change of egid */
1353 egid != my_pcred->cr_groups[0] && /* allow no change of egid */
1354 egid != my_pcred->cr_gid && /* allow egid = egid */
1355 egid != my_pcred->cr_rgid && /* allow egid = rgid */
1356 egid != my_pcred->cr_svgid)) && /* allow egid = svgid */
1357 (error = suser(my_cred, &p->p_acflag))) { /* allow root user any */
1358 kauth_cred_unref(&my_cred);
1359 return (error);
1360 }
1361
1362 uid_t new_egid = my_pcred->cr_gid;
1363 uid_t new_rgid = my_pcred->cr_rgid;
1364 uid_t svgid = KAUTH_UID_NONE;
1365
1366
1367 /*
1368 * Set the credential with new info. If there is no change,
1369 * we get back the same credential we passed in; if there is
1370 * a change, we drop the reference on the credential we
1371 * passed in. The subsequent compare is safe, because it is
1372 * a pointer compare rather than a contents compare.
1373 */
1374 if (egid != KAUTH_UID_NONE && my_pcred->cr_gid != egid) {
1375 /* changing the effective GID */
1376 new_egid = egid;
1377 OSBitOrAtomic(P_SUGID, &p->p_flag);
1378 }
1379 if (rgid != KAUTH_UID_NONE && my_pcred->cr_rgid != rgid) {
1380 /* changing the real GID */
1381 new_rgid = rgid;
1382 OSBitOrAtomic(P_SUGID, &p->p_flag);
1383 }
1384 /*
1385 * If the newly requested real gid or effective gid does
1386 * not match the saved gid, then set the saved gid to the
1387 * new effective gid. We are protected from escalation
1388 * by the prechecking.
1389 */
1390 if (my_pcred->cr_svgid != uap->rgid &&
1391 my_pcred->cr_svgid != uap->egid) {
1392 svgid = new_egid;
1393 OSBitOrAtomic(P_SUGID, &p->p_flag);
1394 }
1395
1396 my_new_cred = kauth_cred_setresgid(my_cred, rgid, egid, svgid);
1397 if (my_cred != my_new_cred) {
1398
1399 DEBUG_CRED_CHANGE("setregid(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_pcred->cr_flags, my_new_cred, posix_cred_get(my_new_cred)->cr_flags);
1400
1401 proc_ucred_lock(p);
1402 /* need to protect for a race where another thread
1403 * also changed the credential after we took our
1404 * reference. If p_ucred has changed then we
1405 * should restart this again with the new cred.
1406 */
1407 if (p->p_ucred != my_cred) {
1408 proc_ucred_unlock(p);
1409 kauth_cred_unref(&my_new_cred);
1410 /* try again */
1411 my_cred = kauth_cred_proc_ref(p);
1412 my_pcred = posix_cred_get(my_cred);
1413 continue;
1414 }
1415 p->p_ucred = my_new_cred;
1416 /* update cred on proc */
1417 PROC_UPDATE_CREDS_ONPROC(p);
1418 OSBitOrAtomic(P_SUGID, &p->p_flag); /* XXX redundant? */
1419 proc_ucred_unlock(p);
1420 }
1421 break;
1422 }
1423 /* Drop old proc reference or our extra reference */
1424 kauth_cred_unref(&my_cred);
1425
1426 set_security_token(p);
1427 return (0);
1428 }
1429
1430
1431 /*
1432 * Set the per-thread override identity. The first parameter can be the
1433 * current real UID, KAUTH_UID_NONE, or, if the caller is privileged, it
1434 * can be any UID. If it is KAUTH_UID_NONE, then as a special case, this
1435 * means "revert to the per process credential"; otherwise, if permitted,
1436 * it changes the effective, real, and saved UIDs and GIDs for the current
1437 * thread to the requested UID and single GID, and clears all other GIDs.
1438 */
1439 int
1440 settid(proc_t p, struct settid_args *uap, __unused int32_t *retval)
1441 {
1442 kauth_cred_t uc;
1443 struct uthread *uthread = get_bsdthread_info(current_thread());
1444 uid_t uid;
1445 gid_t gid;
1446
1447 uid = uap->uid;
1448 gid = uap->gid;
1449 AUDIT_ARG(uid, uid);
1450 AUDIT_ARG(gid, gid);
1451
1452 if (proc_suser(p) != 0)
1453 return (EPERM);
1454
1455 if (uid == KAUTH_UID_NONE) {
1456
1457 /* must already be assuming another identity in order to revert back */
1458 if ((uthread->uu_flag & UT_SETUID) == 0)
1459 return (EPERM);
1460
1461 /* revert to delayed binding of process credential */
1462 uc = kauth_cred_proc_ref(p);
1463 kauth_cred_unref(&uthread->uu_ucred);
1464 uthread->uu_ucred = uc;
1465 uthread->uu_flag &= ~UT_SETUID;
1466 } else {
1467 kauth_cred_t my_cred, my_new_cred;
1468
1469 /* cannot already be assuming another identity */
1470 if ((uthread->uu_flag & UT_SETUID) != 0) {
1471 return (EPERM);
1472 }
1473
1474 /*
1475 * Get a new credential instance from the old if this one
1476 * changes; otherwise kauth_cred_setuidgid() returns the
1477 * same credential. We take an extra reference on the
1478 * current credential while we muck with it, so we can do
1479 * the post-compare for changes by pointer.
1480 */
1481 kauth_cred_ref(uthread->uu_ucred);
1482 my_cred = uthread->uu_ucred;
1483 my_new_cred = kauth_cred_setuidgid(my_cred, uid, gid);
1484 if (my_cred != my_new_cred)
1485 uthread->uu_ucred = my_new_cred;
1486 uthread->uu_flag |= UT_SETUID;
1487
1488 /* Drop old uthread reference or our extra reference */
1489 kauth_cred_unref(&my_cred);
1490 }
1491 /*
1492 * XXX should potentially set per thread security token (there is
1493 * XXX none).
1494 * XXX it is unclear whether P_SUGID should be st at this point;
1495 * XXX in theory, it is being deprecated.
1496 */
1497 return (0);
1498 }
1499
1500
1501 /*
1502 * Set the per-thread override identity. Use this system call for a thread to
1503 * assume the identity of another process or to revert back to normal identity
1504 * of the current process.
1505 *
1506 * When the "assume" argument is non zero the current thread will assume the
1507 * identity of the process represented by the pid argument.
1508 *
1509 * When the assume argument is zero we revert back to our normal identity.
1510 */
1511 int
1512 settid_with_pid(proc_t p, struct settid_with_pid_args *uap, __unused int32_t *retval)
1513 {
1514 proc_t target_proc;
1515 struct uthread *uthread = get_bsdthread_info(current_thread());
1516 kauth_cred_t my_cred, my_target_cred, my_new_cred;
1517 posix_cred_t my_target_pcred;
1518
1519 AUDIT_ARG(pid, uap->pid);
1520 AUDIT_ARG(value32, uap->assume);
1521
1522 if (proc_suser(p) != 0) {
1523 return (EPERM);
1524 }
1525
1526 /*
1527 * XXX should potentially set per thread security token (there is
1528 * XXX none).
1529 * XXX it is unclear whether P_SUGID should be st at this point;
1530 * XXX in theory, it is being deprecated.
1531 */
1532
1533 /*
1534 * assume argument tells us to assume the identity of the process with the
1535 * id passed in the pid argument.
1536 */
1537 if (uap->assume != 0) {
1538 /* can't do this if we have already assumed an identity */
1539 if ((uthread->uu_flag & UT_SETUID) != 0)
1540 return (EPERM);
1541
1542 target_proc = proc_find(uap->pid);
1543 /* can't assume the identity of the kernel process */
1544 if (target_proc == NULL || target_proc == kernproc) {
1545 if (target_proc!= NULL)
1546 proc_rele(target_proc);
1547 return (ESRCH);
1548 }
1549
1550 /*
1551 * Take a reference on the credential used in our target
1552 * process then use it as the identity for our current
1553 * thread. We take an extra reference on the current
1554 * credential while we muck with it, so we can do the
1555 * post-compare for changes by pointer.
1556 *
1557 * The post-compare is needed for the case that our process
1558 * credential has been changed to be identical to our thread
1559 * credential following our assumption of a per-thread one,
1560 * since the credential cache will maintain a unique instance.
1561 */
1562 kauth_cred_ref(uthread->uu_ucred);
1563 my_cred = uthread->uu_ucred;
1564 my_target_cred = kauth_cred_proc_ref(target_proc);
1565 my_target_pcred = posix_cred_get(my_target_cred);
1566 my_new_cred = kauth_cred_setuidgid(my_cred, my_target_pcred->cr_uid, my_target_pcred->cr_gid);
1567 if (my_cred != my_new_cred)
1568 uthread->uu_ucred = my_new_cred;
1569
1570 uthread->uu_flag |= UT_SETUID;
1571
1572 /* Drop old uthread reference or our extra reference */
1573 proc_rele(target_proc);
1574 kauth_cred_unref(&my_cred);
1575 kauth_cred_unref(&my_target_cred);
1576
1577 return (0);
1578 }
1579
1580 /*
1581 * Otherwise, we are reverting back to normal mode of operation where
1582 * delayed binding of the process credential sets the credential in
1583 * the thread (uu_ucred)
1584 */
1585 if ((uthread->uu_flag & UT_SETUID) == 0)
1586 return (EPERM);
1587
1588 /* revert to delayed binding of process credential */
1589 my_new_cred = kauth_cred_proc_ref(p);
1590 kauth_cred_unref(&uthread->uu_ucred);
1591 uthread->uu_ucred = my_new_cred;
1592 uthread->uu_flag &= ~UT_SETUID;
1593
1594 return (0);
1595 }
1596
1597
1598 /*
1599 * setgroups1
1600 *
1601 * Description: Internal implementation for both the setgroups and initgroups
1602 * system calls
1603 *
1604 * Parameters: gidsetsize Number of groups in set
1605 * gidset Pointer to group list
1606 * gmuid Base gid (initgroups only!)
1607 *
1608 * Returns: 0 Success
1609 * suser:EPERM Permision denied
1610 * EINVAL Invalid gidsetsize value
1611 * copyin:EFAULT Bad gidset or gidsetsize is
1612 * too large
1613 *
1614 * Notes: When called from a thread running under an assumed per-thread
1615 * identity, this function will operate against the per-thread
1616 * credential, rather than against the process credential. In
1617 * this specific case, the process credential is verified to
1618 * still be privileged at the time of the call, rather than the
1619 * per-thread credential for this operation to be permitted.
1620 *
1621 * This effectively means that setgroups/initigroups calls in
1622 * a thread running a per-thread credential should occur *after*
1623 * the settid call that created it, not before (unlike setuid,
1624 * which must be called after, since it will result in privilege
1625 * being dropped).
1626 *
1627 * When called normally (i.e. no per-thread assumed identity),
1628 * the per process credential is updated per POSIX.
1629 *
1630 * If the credential is changed as a result of this call, then we
1631 * flag the process as having set privilege since the last exec.
1632 */
1633 static int
1634 setgroups1(proc_t p, u_int gidsetsize, user_addr_t gidset, uid_t gmuid, __unused int32_t *retval)
1635 {
1636 u_int ngrp;
1637 gid_t newgroups[NGROUPS] = { 0 };
1638 int error;
1639 kauth_cred_t my_cred, my_new_cred;
1640 struct uthread *uthread = get_bsdthread_info(current_thread());
1641
1642 DEBUG_CRED_ENTER("setgroups1 (%d/%d): %d 0x%016x %d\n", p->p_pid, (p->p_pptr ? p->p_pptr->p_pid : 0), gidsetsize, gidset, gmuid);
1643
1644 ngrp = gidsetsize;
1645 if (ngrp > NGROUPS)
1646 return (EINVAL);
1647
1648 if ( ngrp < 1 ) {
1649 ngrp = 1;
1650 } else {
1651 error = copyin(gidset,
1652 (caddr_t)newgroups, ngrp * sizeof(gid_t));
1653 if (error) {
1654 return (error);
1655 }
1656 }
1657
1658 my_cred = kauth_cred_proc_ref(p);
1659 if ((error = suser(my_cred, &p->p_acflag))) {
1660 kauth_cred_unref(&my_cred);
1661 return (error);
1662 }
1663
1664 if ((uthread->uu_flag & UT_SETUID) != 0) {
1665 #if DEBUG_CRED
1666 int my_cred_flags = uthread->uu_ucred->cr_flags;
1667 #endif /* DEBUG_CRED */
1668 kauth_cred_unref(&my_cred);
1669
1670 /*
1671 * If this thread is under an assumed identity, set the
1672 * supplementary grouplist on the thread credential instead
1673 * of the process one. If we were the only reference holder,
1674 * the credential is updated in place, otherwise, our reference
1675 * is dropped and we get back a different cred with a reference
1676 * already held on it. Because this is per-thread, we don't
1677 * need the referencing/locking/retry required for per-process.
1678 */
1679 my_cred = uthread->uu_ucred;
1680 uthread->uu_ucred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, gmuid);
1681 #if DEBUG_CRED
1682 if (my_cred != uthread->uu_ucred) {
1683 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred_flags, uthread->uu_ucred , uthread->uu_ucred ->cr_flags);
1684 }
1685 #endif /* DEBUG_CRED */
1686 } else {
1687
1688 /*
1689 * get current credential and take a reference while we muck
1690 * with it
1691 */
1692 for (;;) {
1693 /*
1694 * Set the credential with new info. If there is no
1695 * change, we get back the same credential we passed
1696 * in; if there is a change, we drop the reference on
1697 * the credential we passed in. The subsequent
1698 * compare is safe, because it is a pointer compare
1699 * rather than a contents compare.
1700 */
1701 my_new_cred = kauth_cred_setgroups(my_cred, &newgroups[0], ngrp, gmuid);
1702 if (my_cred != my_new_cred) {
1703
1704 DEBUG_CRED_CHANGE("setgroups1(CH)%d: %p/0x%08x->%p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
1705
1706 proc_ucred_lock(p);
1707 /*
1708 * We need to protect for a race where another
1709 * thread also changed the credential after we
1710 * took our reference. If p_ucred has
1711 * changed then we should restart this again
1712 * with the new cred.
1713 */
1714 if (p->p_ucred != my_cred) {
1715 proc_ucred_unlock(p);
1716 kauth_cred_unref(&my_new_cred);
1717 my_cred = kauth_cred_proc_ref(p);
1718 /* try again */
1719 continue;
1720 }
1721 p->p_ucred = my_new_cred;
1722 /* update cred on proc */
1723 PROC_UPDATE_CREDS_ONPROC(p);
1724 OSBitOrAtomic(P_SUGID, &p->p_flag);
1725 proc_ucred_unlock(p);
1726 }
1727 break;
1728 }
1729 /* Drop old proc reference or our extra reference */
1730 AUDIT_ARG(groupset, posix_cred_get(my_cred)->cr_groups, ngrp);
1731 kauth_cred_unref(&my_cred);
1732
1733
1734 set_security_token(p);
1735 }
1736
1737 return (0);
1738 }
1739
1740
1741 /*
1742 * initgroups
1743 *
1744 * Description: Initialize the default supplementary groups list and set the
1745 * gmuid for use by the external group resolver (if any)
1746 *
1747 * Parameters: uap->gidsetsize Number of groups in set
1748 * uap->gidset Pointer to group list
1749 * uap->gmuid Base gid
1750 *
1751 * Returns: 0 Success
1752 * setgroups1:EPERM Permision denied
1753 * setgroups1:EINVAL Invalid gidsetsize value
1754 * setgroups1:EFAULT Bad gidset or gidsetsize is
1755 *
1756 * Notes: This function opts *IN* to memberd participation
1757 *
1758 * The normal purpose of this function is for a privileged
1759 * process to indicate supplementary groups and identity for
1760 * participation in extended group membership resolution prior
1761 * to dropping privilege by assuming a specific user identity.
1762 *
1763 * It is the first half of the primary mechanism whereby user
1764 * identity is established to the system by programs such as
1765 * /usr/bin/login. The second half is the drop of uid privilege
1766 * for a specific uid corresponding to the user.
1767 *
1768 * See also: setgroups1()
1769 */
1770 int
1771 initgroups(proc_t p, struct initgroups_args *uap, __unused int32_t *retval)
1772 {
1773 DEBUG_CRED_ENTER("initgroups\n");
1774
1775 return(setgroups1(p, uap->gidsetsize, uap->gidset, uap->gmuid, retval));
1776 }
1777
1778
1779 /*
1780 * setgroups
1781 *
1782 * Description: Initialize the default supplementary groups list
1783 *
1784 * Parameters: gidsetsize Number of groups in set
1785 * gidset Pointer to group list
1786 *
1787 * Returns: 0 Success
1788 * setgroups1:EPERM Permision denied
1789 * setgroups1:EINVAL Invalid gidsetsize value
1790 * setgroups1:EFAULT Bad gidset or gidsetsize is
1791 *
1792 * Notes: This functions opts *OUT* of memberd participation.
1793 *
1794 * This function exists for compatibility with POSIX. Most user
1795 * programs should use initgroups() instead to ensure correct
1796 * participation in group membership resolution when utilizing
1797 * a directory service for authentication.
1798 *
1799 * It is identical to an initgroups() call with a gmuid argument
1800 * of KAUTH_UID_NONE.
1801 *
1802 * See also: setgroups1()
1803 */
1804 int
1805 setgroups(proc_t p, struct setgroups_args *uap, __unused int32_t *retval)
1806 {
1807 DEBUG_CRED_ENTER("setgroups\n");
1808
1809 return(setgroups1(p, uap->gidsetsize, uap->gidset, KAUTH_UID_NONE, retval));
1810 }
1811
1812
1813 /*
1814 * Set the per-thread/per-process supplementary groups list.
1815 *
1816 * XXX implement setsgroups
1817 *
1818 */
1819
1820 int
1821 setsgroups(__unused proc_t p, __unused struct setsgroups_args *uap, __unused int32_t *retval)
1822 {
1823 return(ENOTSUP);
1824 }
1825
1826 /*
1827 * Set the per-thread/per-process whiteout groups list.
1828 *
1829 * XXX implement setwgroups
1830 *
1831 */
1832
1833 int
1834 setwgroups(__unused proc_t p, __unused struct setwgroups_args *uap, __unused int32_t *retval)
1835 {
1836 return(ENOTSUP);
1837 }
1838
1839
1840 /*
1841 * Check if gid is a member of the group set.
1842 *
1843 * XXX This interface is going away; use kauth_cred_ismember_gid() directly
1844 * XXX instead.
1845 */
1846 int
1847 groupmember(gid_t gid, kauth_cred_t cred)
1848 {
1849 int is_member;
1850
1851 if (kauth_cred_ismember_gid(cred, gid, &is_member) == 0 && is_member)
1852 return (1);
1853 return (0);
1854 }
1855
1856
1857 /*
1858 * Test whether the specified credentials imply "super-user"
1859 * privilege; if so, and we have accounting info, set the flag
1860 * indicating use of super-powers.
1861 * Returns 0 or error.
1862 *
1863 * XXX This interface is going away; use kauth_cred_issuser() directly
1864 * XXX instead.
1865 *
1866 * Note: This interface exists to implement the "has used privilege"
1867 * bit (ASU) in the p_acflags field of the process, which is
1868 * only externalized via private sysctl and in process accounting
1869 * records. The flag is technically not required in either case.
1870 */
1871 int
1872 suser(kauth_cred_t cred, u_short *acflag)
1873 {
1874 #if DIAGNOSTIC
1875 if (!IS_VALID_CRED(cred))
1876 panic("suser");
1877 #endif
1878 if (kauth_cred_getuid(cred) == 0) {
1879 if (acflag)
1880 *acflag |= ASU;
1881 return (0);
1882 }
1883 return (EPERM);
1884 }
1885
1886
1887 /*
1888 * getlogin
1889 *
1890 * Description: Get login name, if available.
1891 *
1892 * Parameters: uap->namebuf User buffer for return
1893 * uap->namelen User buffer length
1894 *
1895 * Returns: 0 Success
1896 * copyout:EFAULT
1897 *
1898 * Notes: Intended to obtain a string containing the user name of the
1899 * user associated with the controlling terminal for the calling
1900 * process.
1901 *
1902 * Not very useful on modern systems, due to inherent length
1903 * limitations for the static array in the session structure
1904 * which is used to store the login name.
1905 *
1906 * Permitted to return NULL
1907 *
1908 * XXX: Belongs in kern_proc.c
1909 */
1910 int
1911 getlogin(proc_t p, struct getlogin_args *uap, __unused int32_t *retval)
1912 {
1913 char buffer[MAXLOGNAME+1];
1914 struct session * sessp;
1915
1916 bzero(buffer, MAXLOGNAME+1);
1917
1918 sessp = proc_session(p);
1919
1920 if (uap->namelen > MAXLOGNAME)
1921 uap->namelen = MAXLOGNAME;
1922
1923 if(sessp != SESSION_NULL) {
1924 session_lock(sessp);
1925 bcopy( sessp->s_login, buffer, uap->namelen);
1926 session_unlock(sessp);
1927 }
1928 session_rele(sessp);
1929
1930 return (copyout((caddr_t)buffer, uap->namebuf, uap->namelen));
1931 }
1932
1933
1934 /*
1935 * setlogin
1936 *
1937 * Description: Set login name.
1938 *
1939 * Parameters: uap->namebuf User buffer containing name
1940 *
1941 * Returns: 0 Success
1942 * suser:EPERM Permission denied
1943 * copyinstr:EFAULT User buffer invalid
1944 * copyinstr:EINVAL Supplied name was too long
1945 *
1946 * Notes: This is a utility system call to support getlogin().
1947 *
1948 * XXX: Belongs in kern_proc.c
1949 */
1950 int
1951 setlogin(proc_t p, struct setlogin_args *uap, __unused int32_t *retval)
1952 {
1953 int error;
1954 size_t dummy=0;
1955 char buffer[MAXLOGNAME+1];
1956 struct session * sessp;
1957
1958 if ((error = proc_suser(p)))
1959 return (error);
1960
1961 bzero(&buffer[0], MAXLOGNAME+1);
1962
1963
1964 error = copyinstr(uap->namebuf,
1965 (caddr_t) &buffer[0],
1966 MAXLOGNAME - 1, (size_t *)&dummy);
1967
1968 sessp = proc_session(p);
1969
1970 if (sessp != SESSION_NULL) {
1971 session_lock(sessp);
1972 bcopy(buffer, sessp->s_login, MAXLOGNAME);
1973 session_unlock(sessp);
1974 session_rele(sessp);
1975 }
1976
1977
1978 if (!error) {
1979 AUDIT_ARG(text, buffer);
1980 } else if (error == ENAMETOOLONG)
1981 error = EINVAL;
1982 return (error);
1983 }
1984
1985
1986 /* Set the secrity token of the task with current euid and eguid */
1987 /*
1988 * XXX This needs to change to give the task a reference and/or an opaque
1989 * XXX identifier.
1990 */
1991 int
1992 set_security_token(proc_t p)
1993 {
1994 return set_security_token_task_internal(p, p->task);
1995 }
1996
1997 /*
1998 * Set the secrity token of the task with current euid and eguid
1999 * The function takes a proc and a task, where proc->task might point to a
2000 * different task if called from exec.
2001 */
2002
2003 int
2004 set_security_token_task_internal(proc_t p, void *t)
2005 {
2006 security_token_t sec_token;
2007 audit_token_t audit_token;
2008 kauth_cred_t my_cred;
2009 posix_cred_t my_pcred;
2010 host_priv_t host_priv;
2011 task_t task = t;
2012
2013 /*
2014 * Don't allow a vfork child to override the parent's token settings
2015 * (since they share a task). Instead, the child will just have to
2016 * suffer along using the parent's token until the exec(). It's all
2017 * undefined behavior anyway, right?
2018 */
2019 if (task == current_task()) {
2020 uthread_t uthread;
2021 uthread = (uthread_t)get_bsdthread_info(current_thread());
2022 if (uthread->uu_flag & UT_VFORK)
2023 return (1);
2024 }
2025
2026 my_cred = kauth_cred_proc_ref(p);
2027 my_pcred = posix_cred_get(my_cred);
2028
2029 /* XXX mach_init doesn't have a p_ucred when it calls this function */
2030 if (IS_VALID_CRED(my_cred)) {
2031 sec_token.val[0] = kauth_cred_getuid(my_cred);
2032 sec_token.val[1] = kauth_cred_getgid(my_cred);
2033 } else {
2034 sec_token.val[0] = 0;
2035 sec_token.val[1] = 0;
2036 }
2037
2038 /*
2039 * The current layout of the Mach audit token explicitly
2040 * adds these fields. But nobody should rely on such
2041 * a literal representation. Instead, the BSM library
2042 * provides a function to convert an audit token into
2043 * a BSM subject. Use of that mechanism will isolate
2044 * the user of the trailer from future representation
2045 * changes.
2046 */
2047 audit_token.val[0] = my_cred->cr_audit.as_aia_p->ai_auid;
2048 audit_token.val[1] = my_pcred->cr_uid;
2049 audit_token.val[2] = my_pcred->cr_gid;
2050 audit_token.val[3] = my_pcred->cr_ruid;
2051 audit_token.val[4] = my_pcred->cr_rgid;
2052 audit_token.val[5] = p->p_pid;
2053 audit_token.val[6] = my_cred->cr_audit.as_aia_p->ai_asid;
2054 audit_token.val[7] = p->p_idversion;
2055
2056 host_priv = (sec_token.val[0]) ? HOST_PRIV_NULL : host_priv_self();
2057 #if CONFIG_MACF
2058 if (host_priv != HOST_PRIV_NULL && mac_system_check_host_priv(my_cred))
2059 host_priv = HOST_PRIV_NULL;
2060 #endif
2061 kauth_cred_unref(&my_cred);
2062
2063 #if DEVELOPMENT || DEBUG
2064 /*
2065 * Update the pid an proc name for importance base if any
2066 */
2067 task_importance_update_owner_info(task);
2068 #endif
2069
2070 return (host_security_set_task_token(host_security_self(),
2071 task,
2072 sec_token,
2073 audit_token,
2074 host_priv) != KERN_SUCCESS);
2075 }
2076
2077
2078 int get_audit_token_pid(audit_token_t *audit_token);
2079
2080 int
2081 get_audit_token_pid(audit_token_t *audit_token)
2082 {
2083 /* keep in-sync with set_security_token (above) */
2084 if (audit_token)
2085 return (int)audit_token->val[5];
2086 return -1;
2087 }
2088
2089
2090 /*
2091 * Fill in a struct xucred based on a kauth_cred_t.
2092 */
2093 __private_extern__
2094 void
2095 cru2x(kauth_cred_t cr, struct xucred *xcr)
2096 {
2097 posix_cred_t pcr = posix_cred_get(cr);
2098
2099 bzero(xcr, sizeof(*xcr));
2100 xcr->cr_version = XUCRED_VERSION;
2101 xcr->cr_uid = kauth_cred_getuid(cr);
2102 xcr->cr_ngroups = pcr->cr_ngroups;
2103 bcopy(pcr->cr_groups, xcr->cr_groups, sizeof(xcr->cr_groups));
2104 }
mirror of XNU