1752 lines
45 KiB
C
1752 lines
45 KiB
C
/*
|
|
* Copyright (c) 2000-2008 Apple Inc. All rights reserved.
|
|
*
|
|
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
|
|
*
|
|
* This file contains Original Code and/or Modifications of Original Code
|
|
* as defined in and that are subject to the Apple Public Source License
|
|
* Version 2.0 (the 'License'). You may not use this file except in
|
|
* compliance with the License. The rights granted to you under the License
|
|
* may not be used to create, or enable the creation or redistribution of,
|
|
* unlawful or unlicensed copies of an Apple operating system, or to
|
|
* circumvent, violate, or enable the circumvention or violation of, any
|
|
* terms of an Apple operating system software license agreement.
|
|
*
|
|
* Please obtain a copy of the License at
|
|
* http://www.opensource.apple.com/apsl/ and read it before using this file.
|
|
*
|
|
* The Original Code and all software distributed under the License are
|
|
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
|
|
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
|
|
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
|
|
* Please see the License for the specific language governing rights and
|
|
* limitations under the License.
|
|
*
|
|
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
|
|
*
|
|
*
|
|
* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved
|
|
*
|
|
*
|
|
* Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
|
|
* The Regents of the University of California. All rights reserved.
|
|
* (c) UNIX System Laboratories, Inc.
|
|
* All or some portions of this file are derived from material licensed
|
|
* to the University of California by American Telephone and Telegraph
|
|
* Co. or Unix System Laboratories, Inc. and are reproduced herein with
|
|
* the permission of UNIX System Laboratories, Inc.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
* must display the following acknowledgement:
|
|
* This product includes software developed by the University of
|
|
* California, Berkeley and its contributors.
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* @(#)kern_prot.c 8.9 (Berkeley) 2/14/95
|
|
*
|
|
*
|
|
* NOTICE: This file was modified by McAfee Research in 2004 to introduce
|
|
* support for mandatory and extensible security protections. This notice
|
|
* is included in support of clause 2.2 (b) of the Apple Public License,
|
|
* Version 2.0.
|
|
*
|
|
*
|
|
* NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
|
|
* support for mandatory and extensible security protections. This notice
|
|
* is included in support of clause 2.2 (b) of the Apple Public License,
|
|
* Version 2.0.
|
|
*
|
|
*/
|
|
|
|
/*
|
|
* System calls related to processes and protection
|
|
*/
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/acct.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/ucred.h>
|
|
#include <sys/proc_internal.h>
|
|
#include <sys/user.h>
|
|
#include <sys/kauth.h>
|
|
#include <sys/timeb.h>
|
|
#include <sys/times.h>
|
|
#include <sys/malloc.h>
|
|
#include <sys/persona.h>
|
|
|
|
#include <security/audit/audit.h>
|
|
|
|
#if CONFIG_MACF
|
|
#include <security/mac_framework.h>
|
|
#endif
|
|
|
|
#include <sys/mount_internal.h>
|
|
#include <sys/sysproto.h>
|
|
#include <mach/message.h>
|
|
|
|
#include <kern/host.h>
|
|
#include <kern/task.h> /* for current_task() */
|
|
#include <kern/assert.h>
|
|
|
|
#if DEVELOPMENT || DEBUG
|
|
extern void task_importance_update_owner_info(task_t);
|
|
#endif
|
|
|
|
/* Used by pmap.c to copy kauth_cred_t structs */
|
|
void kauth_cred_copy(const uintptr_t kv, const uintptr_t new_data);
|
|
|
|
/*
|
|
* setprivexec
|
|
*
|
|
* Description: (dis)allow this process to hold task, thread, or execption
|
|
* ports of processes about to exec.
|
|
*
|
|
* Parameters: uap->flag New value for flag
|
|
*
|
|
* Returns: int Previous value of flag
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
setprivexec(proc_t p, struct setprivexec_args *uap, int32_t *retval)
|
|
{
|
|
AUDIT_ARG(value32, uap->flag);
|
|
*retval = p->p_debugger;
|
|
p->p_debugger = (uap->flag != 0);
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getpid
|
|
*
|
|
* Description: get the process ID
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: pid_t Current process ID
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
getpid(proc_t p, __unused struct getpid_args *uap, int32_t *retval)
|
|
{
|
|
*retval = proc_getpid(p);
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getppid
|
|
*
|
|
* Description: get the parent process ID
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: pid_t Parent process ID
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
getppid(proc_t p, __unused struct getppid_args *uap, int32_t *retval)
|
|
{
|
|
*retval = p->p_ppid;
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getpgrp
|
|
*
|
|
* Description: get the process group ID of the calling process
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: pid_t Process group ID
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
getpgrp(proc_t p, __unused struct getpgrp_args *uap, int32_t *retval)
|
|
{
|
|
*retval = p->p_pgrpid;
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getpgid
|
|
*
|
|
* Description: Get an arbitary pid's process group id
|
|
*
|
|
* Parameters: uap->pid The target pid
|
|
*
|
|
* Returns: 0 Success
|
|
* ESRCH No such process
|
|
*
|
|
* Notes: We are permitted to return EPERM in the case that the target
|
|
* process is not in the same session as the calling process,
|
|
* which could be a security consideration
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
getpgid(proc_t p, struct getpgid_args *uap, int32_t *retval)
|
|
{
|
|
proc_t pt;
|
|
int refheld = 0;
|
|
|
|
pt = p;
|
|
if (uap->pid == 0) {
|
|
goto found;
|
|
}
|
|
|
|
if ((pt = proc_find(uap->pid)) == 0) {
|
|
return ESRCH;
|
|
}
|
|
refheld = 1;
|
|
found:
|
|
*retval = pt->p_pgrpid;
|
|
if (refheld != 0) {
|
|
proc_rele(pt);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getsid
|
|
*
|
|
* Description: Get an arbitary pid's session leaders process group ID
|
|
*
|
|
* Parameters: uap->pid The target pid
|
|
*
|
|
* Returns: 0 Success
|
|
* ESRCH No such process
|
|
*
|
|
* Notes: We are permitted to return EPERM in the case that the target
|
|
* process is not in the same session as the calling process,
|
|
* which could be a security consideration
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
getsid(proc_t p, struct getsid_args *uap, int32_t *retval)
|
|
{
|
|
proc_t pt;
|
|
|
|
if (uap->pid == 0) {
|
|
*retval = proc_sessionid(p);
|
|
return 0;
|
|
}
|
|
|
|
if ((pt = proc_find(uap->pid)) != PROC_NULL) {
|
|
*retval = proc_sessionid(pt);
|
|
proc_rele(pt);
|
|
return 0;
|
|
}
|
|
|
|
return ESRCH;
|
|
}
|
|
|
|
|
|
/*
|
|
* getuid
|
|
*
|
|
* Description: get real user ID for caller
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: uid_t The real uid of the caller
|
|
*/
|
|
int
|
|
getuid(__unused proc_t p, __unused struct getuid_args *uap, int32_t *retval)
|
|
{
|
|
*retval = kauth_getruid();
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* geteuid
|
|
*
|
|
* Description: get effective user ID for caller
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: uid_t The effective uid of the caller
|
|
*/
|
|
int
|
|
geteuid(__unused proc_t p, __unused struct geteuid_args *uap, int32_t *retval)
|
|
{
|
|
*retval = kauth_getuid();
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* gettid
|
|
*
|
|
* Description: Return the per-thread override identity.
|
|
*
|
|
* Parameters: uap->uidp Address of uid_t to get uid
|
|
* uap->gidp Address of gid_t to get gid
|
|
*
|
|
* Returns: 0 Success
|
|
* ESRCH No per thread identity active
|
|
*/
|
|
int
|
|
gettid(__unused proc_t p, struct gettid_args *uap, int32_t *retval)
|
|
{
|
|
thread_ro_t tro = current_thread_ro();
|
|
kauth_cred_t tro_cred = tro->tro_cred;
|
|
int error;
|
|
|
|
/*
|
|
* If this thread is not running with an override identity, we can't
|
|
* return one to the caller, so return an error instead.
|
|
*/
|
|
if (tro->tro_realcred == tro->tro_cred) {
|
|
return ESRCH;
|
|
}
|
|
|
|
if ((error = suword(uap->uidp, kauth_cred_getruid(tro_cred)))) {
|
|
return error;
|
|
}
|
|
if ((error = suword(uap->gidp, kauth_cred_getrgid(tro_cred)))) {
|
|
return error;
|
|
}
|
|
|
|
*retval = 0;
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getgid
|
|
*
|
|
* Description: get the real group ID for the calling process
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: gid_t The real gid of the caller
|
|
*/
|
|
int
|
|
getgid(__unused proc_t p, __unused struct getgid_args *uap, int32_t *retval)
|
|
{
|
|
*retval = kauth_getrgid();
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getegid
|
|
*
|
|
* Description: get the effective group ID for the calling process
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: gid_t The effective gid of the caller
|
|
*
|
|
* Notes: As an implementation detail, the effective gid is stored as
|
|
* the first element of the supplementary group list.
|
|
*
|
|
* This could be implemented in Libc instead because of the above
|
|
* detail.
|
|
*/
|
|
int
|
|
getegid(__unused proc_t p, __unused struct getegid_args *uap, int32_t *retval)
|
|
{
|
|
*retval = kauth_getgid();
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* getgroups
|
|
*
|
|
* Description: get the list of supplementary groups for the calling process
|
|
*
|
|
* Parameters: uap->gidsetsize # of gid_t's in user buffer
|
|
* uap->gidset Pointer to user buffer
|
|
*
|
|
* Returns: 0 Success
|
|
* EINVAL User buffer too small
|
|
* copyout:EFAULT User buffer invalid
|
|
*
|
|
* Retval: -1 Error
|
|
* !0 # of groups
|
|
*
|
|
* Notes: The caller may specify a 0 value for gidsetsize, and we will
|
|
* then return how large a buffer is required (in gid_t's) to
|
|
* contain the answer at the time of the call. Otherwise, we
|
|
* return the number of gid_t's catually copied to user space.
|
|
*
|
|
* When called with a 0 gidsetsize from a multithreaded program,
|
|
* there is no guarantee that another thread may not change the
|
|
* number of supplementary groups, and therefore a subsequent
|
|
* call could still fail, unless the maximum possible buffer
|
|
* size is supplied by the user.
|
|
*
|
|
* As an implementation detail, the effective gid is stored as
|
|
* the first element of the supplementary group list, and will
|
|
* be returned by this call.
|
|
*/
|
|
int
|
|
getgroups(__unused proc_t p, struct getgroups_args *uap, int32_t *retval)
|
|
{
|
|
int ngrp;
|
|
int error;
|
|
kauth_cred_t cred;
|
|
posix_cred_t pcred;
|
|
|
|
/* grab reference while we muck around with the credential */
|
|
cred = kauth_cred_get_with_ref();
|
|
pcred = posix_cred_get(cred);
|
|
|
|
if ((ngrp = uap->gidsetsize) == 0) {
|
|
*retval = pcred->cr_ngroups;
|
|
kauth_cred_unref(&cred);
|
|
return 0;
|
|
}
|
|
if (ngrp < pcred->cr_ngroups) {
|
|
kauth_cred_unref(&cred);
|
|
return EINVAL;
|
|
}
|
|
ngrp = pcred->cr_ngroups;
|
|
if ((error = copyout((caddr_t)pcred->cr_groups,
|
|
uap->gidset,
|
|
ngrp * sizeof(gid_t)))) {
|
|
kauth_cred_unref(&cred);
|
|
return error;
|
|
}
|
|
kauth_cred_unref(&cred);
|
|
*retval = ngrp;
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* Return the per-thread/per-process supplementary groups list.
|
|
*
|
|
* XXX implement getsgroups
|
|
*
|
|
*/
|
|
|
|
int
|
|
getsgroups(__unused proc_t p, __unused struct getsgroups_args *uap, __unused int32_t *retval)
|
|
{
|
|
return ENOTSUP;
|
|
}
|
|
|
|
/*
|
|
* Return the per-thread/per-process whiteout groups list.
|
|
*
|
|
* XXX implement getwgroups
|
|
*
|
|
*/
|
|
|
|
int
|
|
getwgroups(__unused proc_t p, __unused struct getwgroups_args *uap, __unused int32_t *retval)
|
|
{
|
|
return ENOTSUP;
|
|
}
|
|
|
|
/*
|
|
* setsid_internal
|
|
*
|
|
* Description: Core implementation of setsid().
|
|
*/
|
|
int
|
|
setsid_internal(proc_t p)
|
|
{
|
|
struct pgrp * pg = PGRP_NULL;
|
|
|
|
if (p->p_pgrpid == proc_getpid(p) ||
|
|
(pg = pgrp_find(proc_getpid(p)))) {
|
|
pgrp_rele(pg);
|
|
return EPERM;
|
|
}
|
|
|
|
/* enter pgrp works with its own pgrp refcount */
|
|
(void)enterpgrp(p, proc_getpid(p), 1);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* setsid
|
|
*
|
|
* Description: Create a new session and set the process group ID to the
|
|
* session ID
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: 0 Success
|
|
* EPERM Permission denied
|
|
*
|
|
* Notes: If the calling process is not the process group leader; there
|
|
* is no existing process group with its ID, then this function will
|
|
* create a new session, a new process group, and put the caller in the
|
|
* process group (as the sole member) and make it the session
|
|
* leader (as the sole process in the session).
|
|
*
|
|
* The existing controlling tty (if any) will be dissociated
|
|
* from the process, and the next non-O_NOCTTY open of a tty
|
|
* will establish a new controlling tty.
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
setsid(proc_t p, __unused struct setsid_args *uap, int32_t *retval)
|
|
{
|
|
int rc = setsid_internal(p);
|
|
if (rc == 0) {
|
|
*retval = proc_getpid(p);
|
|
}
|
|
return rc;
|
|
}
|
|
|
|
|
|
/*
|
|
* setpgid
|
|
*
|
|
* Description: set process group ID for job control
|
|
*
|
|
* Parameters: uap->pid Process to change
|
|
* uap->pgid Process group to join or create
|
|
*
|
|
* Returns: 0 Success
|
|
* ESRCH pid is not the caller or a child of
|
|
* the caller
|
|
* enterpgrp:ESRCH No such process
|
|
* EACCES Permission denied due to exec
|
|
* EINVAL Invalid argument
|
|
* EPERM The target process is not in the same
|
|
* session as the calling process
|
|
* EPERM The target process is a session leader
|
|
* EPERM pid and pgid are not the same, and
|
|
* there is no process in the calling
|
|
* process whose process group ID matches
|
|
* pgid
|
|
*
|
|
* Notes: This function will cause the target process to either join
|
|
* an existing process process group, or create a new process
|
|
* group in the session of the calling process. It cannot be
|
|
* used to change the process group ID of a process which is
|
|
* already a session leader.
|
|
*
|
|
* If the target pid is 0, the pid of the calling process is
|
|
* substituted as the new target; if pgid is 0, the target pid
|
|
* is used as the target process group ID.
|
|
*
|
|
* Legacy: This system call entry point is also used to implement the
|
|
* legacy library routine setpgrp(), which under POSIX
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
setpgid(proc_t curp, struct setpgid_args *uap, __unused int32_t *retval)
|
|
{
|
|
proc_t targp = PROC_NULL; /* target process */
|
|
struct pgrp *curp_pg = PGRP_NULL;
|
|
struct pgrp *targp_pg = PGRP_NULL;
|
|
int error = 0;
|
|
int refheld = 0;
|
|
int samesess = 0;
|
|
|
|
curp_pg = proc_pgrp(curp, NULL);
|
|
|
|
if (uap->pid != 0 && uap->pid != proc_getpid(curp)) {
|
|
if ((targp = proc_find(uap->pid)) == 0 || !inferior(targp)) {
|
|
if (targp != PROC_NULL) {
|
|
refheld = 1;
|
|
}
|
|
error = ESRCH;
|
|
goto out;
|
|
}
|
|
refheld = 1;
|
|
targp_pg = proc_pgrp(targp, NULL);
|
|
if (targp_pg->pg_session != curp_pg->pg_session) {
|
|
error = EPERM;
|
|
goto out;
|
|
}
|
|
if (targp->p_flag & P_EXEC) {
|
|
error = EACCES;
|
|
goto out;
|
|
}
|
|
} else {
|
|
targp = curp;
|
|
targp_pg = proc_pgrp(targp, NULL);
|
|
}
|
|
|
|
if (SESS_LEADER(targp, targp_pg->pg_session)) {
|
|
error = EPERM;
|
|
goto out;
|
|
}
|
|
|
|
if (uap->pgid < 0) {
|
|
error = EINVAL;
|
|
goto out;
|
|
}
|
|
if (uap->pgid == 0) {
|
|
uap->pgid = proc_getpid(targp);
|
|
} else if (uap->pgid != proc_getpid(targp)) {
|
|
struct pgrp *pg = PGRP_NULL;
|
|
|
|
if ((pg = pgrp_find(uap->pgid)) == PGRP_NULL) {
|
|
error = EPERM;
|
|
goto out;
|
|
}
|
|
samesess = (pg->pg_session != curp_pg->pg_session);
|
|
pgrp_rele(pg);
|
|
if (samesess != 0) {
|
|
error = EPERM;
|
|
goto out;
|
|
}
|
|
}
|
|
error = enterpgrp(targp, uap->pgid, 0);
|
|
out:
|
|
pgrp_rele(curp_pg);
|
|
pgrp_rele(targp_pg);
|
|
if (refheld != 0) {
|
|
proc_rele(targp);
|
|
}
|
|
return error;
|
|
}
|
|
|
|
|
|
/*
|
|
* issetugid
|
|
*
|
|
* Description: Is current process tainted by uid or gid changes system call
|
|
*
|
|
* Parameters: (void)
|
|
*
|
|
* Returns: 0 Not tainted
|
|
* 1 Tainted
|
|
*
|
|
* Notes: A process is considered tainted if it was created as a retult
|
|
* of an execve call from an imnage that had either the SUID or
|
|
* SGID bit set on the executable, or if it has changed any of its
|
|
* real, effective, or saved user or group IDs since beginning
|
|
* execution.
|
|
*/
|
|
int
|
|
proc_issetugid(proc_t p)
|
|
{
|
|
return (p->p_flag & P_SUGID) ? 1 : 0;
|
|
}
|
|
|
|
int
|
|
issetugid(proc_t p, __unused struct issetugid_args *uap, int32_t *retval)
|
|
{
|
|
/*
|
|
* Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
|
|
* we use P_SUGID because we consider changing the owners as
|
|
* "tainting" as well.
|
|
* This is significant for procs that start as root and "become"
|
|
* a user without an exec - programs cannot know *everything*
|
|
* that libc *might* have put in their data segment.
|
|
*/
|
|
|
|
*retval = proc_issetugid(p);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* setuid
|
|
*
|
|
* Description: Set user ID system call
|
|
*
|
|
* Parameters: uap->uid uid to set
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM Permission denied
|
|
*
|
|
* Notes: If called by a privileged process, this function will set the
|
|
* real, effective, and saved uid to the requested value.
|
|
*
|
|
* If called from an unprivileged process, but uid is equal to the
|
|
* real or saved uid, then the effective uid will be set to the
|
|
* requested value, but the real and saved uid will not change.
|
|
*
|
|
* If the credential is changed as a result of this call, then we
|
|
* flag the process as having set privilege since the last exec.
|
|
*/
|
|
int
|
|
setuid(proc_t p, struct setuid_args *uap, __unused int32_t *retval)
|
|
{
|
|
__block int error = 0;
|
|
__block uid_t old_ruid;
|
|
__block uid_t ruid;
|
|
uid_t want_uid;
|
|
bool changed;
|
|
|
|
want_uid = uap->uid;
|
|
AUDIT_ARG(uid, want_uid);
|
|
|
|
changed = kauth_cred_proc_update(p, PROC_SETTOKEN_SETUGID,
|
|
^bool (kauth_cred_t parent, kauth_cred_t model) {
|
|
posix_cred_t cur_pcred = posix_cred_get(parent);
|
|
uid_t svuid = KAUTH_UID_NONE;
|
|
uid_t gmuid = KAUTH_UID_NONE;
|
|
|
|
ruid = KAUTH_UID_NONE;
|
|
old_ruid = cur_pcred->cr_ruid;
|
|
|
|
#if CONFIG_MACF
|
|
if ((error = mac_proc_check_setuid(p, parent, want_uid)) != 0) {
|
|
return false;
|
|
}
|
|
#endif
|
|
|
|
if (want_uid != cur_pcred->cr_ruid && /* allow setuid(getuid()) */
|
|
want_uid != cur_pcred->cr_svuid && /* allow setuid(saved uid) */
|
|
(error = suser(parent, &p->p_acflag))) {
|
|
return false;
|
|
}
|
|
|
|
/*
|
|
* If we are privileged, then set the saved and real UID too;
|
|
* otherwise, just set the effective UID
|
|
*/
|
|
if (suser(parent, &p->p_acflag) == 0) {
|
|
svuid = want_uid;
|
|
ruid = want_uid;
|
|
}
|
|
|
|
/*
|
|
* Only set the gmuid if the current cred has not opt'ed out;
|
|
* this normally only happens when calling setgroups() instead
|
|
* of initgroups() to set an explicit group list, or one of the
|
|
* other group manipulation functions is invoked and results in
|
|
* a dislocation (i.e. the credential group membership changes
|
|
* to something other than the default list for the user, as
|
|
* in entering a group or leaving an exclusion group).
|
|
*/
|
|
if (!(cur_pcred->cr_flags & CRF_NOMEMBERD)) {
|
|
gmuid = want_uid;
|
|
}
|
|
|
|
return kauth_cred_model_setresuid(model,
|
|
ruid, want_uid, svuid, gmuid);
|
|
});
|
|
|
|
if (changed && ruid != KAUTH_UID_NONE && old_ruid != ruid &&
|
|
!proc_has_persona(p)) {
|
|
(void)chgproccnt(ruid, 1);
|
|
(void)chgproccnt(old_ruid, -1);
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
|
|
/*
|
|
* seteuid
|
|
*
|
|
* Description: Set effective user ID system call
|
|
*
|
|
* Parameters: uap->euid effective uid to set
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM Permission denied
|
|
*
|
|
* Notes: If called by a privileged process, or called from an
|
|
* unprivileged process but euid is equal to the real or saved
|
|
* uid, then the effective uid will be set to the requested
|
|
* value, but the real and saved uid will not change.
|
|
*
|
|
* If the credential is changed as a result of this call, then we
|
|
* flag the process as having set privilege since the last exec.
|
|
*/
|
|
int
|
|
seteuid(proc_t p, struct seteuid_args *uap, __unused int32_t *retval)
|
|
{
|
|
__block int error = 0;
|
|
uid_t want_euid;
|
|
|
|
want_euid = uap->euid;
|
|
AUDIT_ARG(euid, want_euid);
|
|
|
|
kauth_cred_proc_update(p, PROC_SETTOKEN_SETUGID,
|
|
^bool (kauth_cred_t parent, kauth_cred_t model) {
|
|
posix_cred_t cur_pcred = posix_cred_get(parent);
|
|
|
|
#if CONFIG_MACF
|
|
if ((error = mac_proc_check_seteuid(p, parent, want_euid)) != 0) {
|
|
return false;
|
|
}
|
|
#endif
|
|
|
|
if (want_euid != cur_pcred->cr_ruid && want_euid != cur_pcred->cr_svuid &&
|
|
(error = suser(parent, &p->p_acflag))) {
|
|
return false;
|
|
}
|
|
|
|
return kauth_cred_model_setresuid(model,
|
|
KAUTH_UID_NONE, want_euid,
|
|
KAUTH_UID_NONE, cur_pcred->cr_gmuid);
|
|
});
|
|
|
|
return error;
|
|
}
|
|
|
|
|
|
/*
|
|
* setreuid
|
|
*
|
|
* Description: Set real and effective user ID system call
|
|
*
|
|
* Parameters: uap->ruid real uid to set
|
|
* uap->euid effective uid to set
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM Permission denied
|
|
*
|
|
* Notes: A value of -1 is a special case indicating that the uid for
|
|
* which that value is specified not be changed. If both values
|
|
* are specified as -1, no action is taken.
|
|
*
|
|
* If called by a privileged process, the real and effective uid
|
|
* will be set to the new value(s) specified.
|
|
*
|
|
* If called from an unprivileged process, the real uid may be
|
|
* set to the current value of the real uid, or to the current
|
|
* value of the saved uid. The effective uid may be set to the
|
|
* current value of any of the effective, real, or saved uid.
|
|
*
|
|
* If the newly requested real uid or effective uid does not
|
|
* match the saved uid, then set the saved uid to the new
|
|
* effective uid (potentially unrecoverably dropping saved
|
|
* privilege).
|
|
*
|
|
* If the credential is changed as a result of this call, then we
|
|
* flag the process as having set privilege since the last exec.
|
|
*/
|
|
int
|
|
setreuid(proc_t p, struct setreuid_args *uap, __unused int32_t *retval)
|
|
{
|
|
__block int error = 0;
|
|
__block uid_t old_ruid;
|
|
uid_t want_ruid, want_euid;
|
|
bool changed;
|
|
|
|
want_ruid = uap->ruid;
|
|
want_euid = uap->euid;
|
|
|
|
if (want_ruid == (uid_t)-1) {
|
|
want_ruid = KAUTH_UID_NONE;
|
|
}
|
|
|
|
if (want_euid == (uid_t)-1) {
|
|
want_euid = KAUTH_UID_NONE;
|
|
}
|
|
|
|
AUDIT_ARG(euid, want_euid);
|
|
AUDIT_ARG(ruid, want_ruid);
|
|
|
|
changed = kauth_cred_proc_update(p, PROC_SETTOKEN_SETUGID,
|
|
^bool (kauth_cred_t parent, kauth_cred_t model) {
|
|
posix_cred_t cur_pcred = posix_cred_get(parent);
|
|
uid_t svuid = KAUTH_UID_NONE;
|
|
|
|
#if CONFIG_MACF
|
|
if ((error = mac_proc_check_setreuid(p, parent, want_ruid, want_euid)) != 0) {
|
|
return false;
|
|
}
|
|
#endif
|
|
|
|
if (((want_ruid != KAUTH_UID_NONE && /* allow no change of ruid */
|
|
want_ruid != cur_pcred->cr_ruid && /* allow ruid = ruid */
|
|
want_ruid != cur_pcred->cr_uid && /* allow ruid = euid */
|
|
want_ruid != cur_pcred->cr_svuid) || /* allow ruid = svuid */
|
|
(want_euid != KAUTH_UID_NONE && /* allow no change of euid */
|
|
want_euid != cur_pcred->cr_uid && /* allow euid = euid */
|
|
want_euid != cur_pcred->cr_ruid && /* allow euid = ruid */
|
|
want_euid != cur_pcred->cr_svuid)) && /* allow euid = svuid */
|
|
(error = suser(parent, &p->p_acflag))) { /* allow root user any */
|
|
return false;
|
|
}
|
|
|
|
uid_t new_euid = cur_pcred->cr_uid;
|
|
|
|
if (want_euid != KAUTH_UID_NONE && cur_pcred->cr_uid != want_euid) {
|
|
new_euid = want_euid;
|
|
}
|
|
|
|
old_ruid = cur_pcred->cr_ruid;
|
|
|
|
/*
|
|
* If the newly requested real uid or effective uid does
|
|
* not match the saved uid, then set the saved uid to the
|
|
* new effective uid. We are protected from escalation
|
|
* by the prechecking.
|
|
*/
|
|
if (cur_pcred->cr_svuid != uap->ruid &&
|
|
cur_pcred->cr_svuid != uap->euid) {
|
|
svuid = new_euid;
|
|
}
|
|
|
|
return kauth_cred_model_setresuid(model, want_ruid, want_euid,
|
|
svuid, cur_pcred->cr_gmuid);
|
|
});
|
|
|
|
if (changed && want_ruid != KAUTH_UID_NONE && want_ruid != old_ruid &&
|
|
!proc_has_persona(p)) {
|
|
(void)chgproccnt(want_ruid, 1);
|
|
(void)chgproccnt(old_ruid, -1);
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
|
|
/*
|
|
* setgid
|
|
*
|
|
* Description: Set group ID system call
|
|
*
|
|
* Parameters: uap->gid gid to set
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM Permission denied
|
|
*
|
|
* Notes: If called by a privileged process, this function will set the
|
|
* real, effective, and saved gid to the requested value.
|
|
*
|
|
* If called from an unprivileged process, but gid is equal to the
|
|
* real or saved gid, then the effective gid will be set to the
|
|
* requested value, but the real and saved gid will not change.
|
|
*
|
|
* If the credential is changed as a result of this call, then we
|
|
* flag the process as having set privilege since the last exec.
|
|
*
|
|
* As an implementation detail, the effective gid is stored as
|
|
* the first element of the supplementary group list, and
|
|
* therefore the effective group list may be reordered to keep
|
|
* the supplementary group list unchanged.
|
|
*/
|
|
int
|
|
setgid(proc_t p, struct setgid_args *uap, __unused int32_t *retval)
|
|
{
|
|
__block int error = 0;
|
|
gid_t want_gid;
|
|
|
|
want_gid = uap->gid;
|
|
AUDIT_ARG(gid, want_gid);
|
|
|
|
kauth_cred_proc_update(p, PROC_SETTOKEN_SETUGID,
|
|
^bool (kauth_cred_t parent, kauth_cred_t model) {
|
|
posix_cred_t cur_pcred = posix_cred_get(parent);
|
|
gid_t rgid = KAUTH_GID_NONE;
|
|
gid_t svgid = KAUTH_GID_NONE;
|
|
|
|
#if CONFIG_MACF
|
|
if ((error = mac_proc_check_setgid(p, parent, want_gid)) != 0) {
|
|
return false;
|
|
}
|
|
#endif
|
|
|
|
if (want_gid != cur_pcred->cr_rgid && /* allow setgid(getgid()) */
|
|
want_gid != cur_pcred->cr_svgid && /* allow setgid(saved gid) */
|
|
(error = suser(parent, &p->p_acflag))) {
|
|
return false;
|
|
}
|
|
|
|
/*
|
|
* If we are privileged, then set the saved and real GID too;
|
|
* otherwise, just set the effective GID
|
|
*/
|
|
if (suser(parent, &p->p_acflag) == 0) {
|
|
svgid = want_gid;
|
|
rgid = want_gid;
|
|
}
|
|
|
|
return kauth_cred_model_setresgid(model, rgid, want_gid, svgid);
|
|
});
|
|
|
|
return error;
|
|
}
|
|
|
|
|
|
/*
|
|
* setegid
|
|
*
|
|
* Description: Set effective group ID system call
|
|
*
|
|
* Parameters: uap->egid effective gid to set
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM
|
|
*
|
|
* Notes: If called by a privileged process, or called from an
|
|
* unprivileged process but egid is equal to the real or saved
|
|
* gid, then the effective gid will be set to the requested
|
|
* value, but the real and saved gid will not change.
|
|
*
|
|
* If the credential is changed as a result of this call, then we
|
|
* flag the process as having set privilege since the last exec.
|
|
*
|
|
* As an implementation detail, the effective gid is stored as
|
|
* the first element of the supplementary group list, and
|
|
* therefore the effective group list may be reordered to keep
|
|
* the supplementary group list unchanged.
|
|
*/
|
|
int
|
|
setegid(proc_t p, struct setegid_args *uap, __unused int32_t *retval)
|
|
{
|
|
__block int error = 0;
|
|
gid_t want_egid;
|
|
|
|
want_egid = uap->egid;
|
|
AUDIT_ARG(egid, want_egid);
|
|
|
|
kauth_cred_proc_update(p, PROC_SETTOKEN_SETUGID,
|
|
^bool (kauth_cred_t parent, kauth_cred_t model) {
|
|
posix_cred_t cur_pcred = posix_cred_get(parent);
|
|
|
|
#if CONFIG_MACF
|
|
if ((error = mac_proc_check_setegid(p, parent, want_egid)) != 0) {
|
|
return false;
|
|
}
|
|
#endif
|
|
|
|
if (want_egid != cur_pcred->cr_rgid &&
|
|
want_egid != cur_pcred->cr_svgid &&
|
|
(error = suser(parent, &p->p_acflag))) {
|
|
return false;
|
|
}
|
|
|
|
return kauth_cred_model_setresgid(model, KAUTH_GID_NONE,
|
|
want_egid, KAUTH_GID_NONE);
|
|
});
|
|
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* setregid
|
|
*
|
|
* Description: Set real and effective group ID system call
|
|
*
|
|
* Parameters: uap->rgid real gid to set
|
|
* uap->egid effective gid to set
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM Permission denied
|
|
*
|
|
* Notes: A value of -1 is a special case indicating that the gid for
|
|
* which that value is specified not be changed. If both values
|
|
* are specified as -1, no action is taken.
|
|
*
|
|
* If called by a privileged process, the real and effective gid
|
|
* will be set to the new value(s) specified.
|
|
*
|
|
* If called from an unprivileged process, the real gid may be
|
|
* set to the current value of the real gid, or to the current
|
|
* value of the saved gid. The effective gid may be set to the
|
|
* current value of any of the effective, real, or saved gid.
|
|
*
|
|
* If the new real and effective gid will not be equal, or the
|
|
* new real or effective gid is not the same as the saved gid,
|
|
* then the saved gid will be updated to reflect the new
|
|
* effective gid (potentially unrecoverably dropping saved
|
|
* privilege).
|
|
*
|
|
* If the credential is changed as a result of this call, then we
|
|
* flag the process as having set privilege since the last exec.
|
|
*
|
|
* As an implementation detail, the effective gid is stored as
|
|
* the first element of the supplementary group list, and
|
|
* therefore the effective group list may be reordered to keep
|
|
* the supplementary group list unchanged.
|
|
*/
|
|
int
|
|
setregid(proc_t p, struct setregid_args *uap, __unused int32_t *retval)
|
|
{
|
|
__block int error = 0;
|
|
gid_t want_rgid;
|
|
gid_t want_egid;
|
|
|
|
want_rgid = uap->rgid;
|
|
want_egid = uap->egid;
|
|
|
|
if (want_rgid == (gid_t)-1) {
|
|
want_rgid = KAUTH_GID_NONE;
|
|
}
|
|
|
|
if (want_egid == (gid_t)-1) {
|
|
want_egid = KAUTH_GID_NONE;
|
|
}
|
|
|
|
AUDIT_ARG(egid, want_egid);
|
|
AUDIT_ARG(rgid, want_rgid);
|
|
|
|
kauth_cred_proc_update(p, PROC_SETTOKEN_SETUGID,
|
|
^bool (kauth_cred_t parent, kauth_cred_t model) {
|
|
posix_cred_t cur_pcred = posix_cred_get(parent);
|
|
uid_t svgid = KAUTH_UID_NONE;
|
|
|
|
#if CONFIG_MACF
|
|
if ((error = mac_proc_check_setregid(p, parent, want_rgid,
|
|
want_egid)) != 0) {
|
|
return false;
|
|
}
|
|
#endif
|
|
|
|
if (((want_rgid != KAUTH_UID_NONE && /* allow no change of rgid */
|
|
want_rgid != cur_pcred->cr_rgid && /* allow rgid = rgid */
|
|
want_rgid != cur_pcred->cr_gid && /* allow rgid = egid */
|
|
want_rgid != cur_pcred->cr_svgid) || /* allow rgid = svgid */
|
|
(want_egid != KAUTH_UID_NONE && /* allow no change of egid */
|
|
want_egid != cur_pcred->cr_groups[0] && /* allow no change of egid */
|
|
want_egid != cur_pcred->cr_gid && /* allow egid = egid */
|
|
want_egid != cur_pcred->cr_rgid && /* allow egid = rgid */
|
|
want_egid != cur_pcred->cr_svgid)) && /* allow egid = svgid */
|
|
(error = suser(parent, &p->p_acflag))) { /* allow root user any */
|
|
return false;
|
|
}
|
|
|
|
uid_t new_egid = cur_pcred->cr_gid;
|
|
if (want_egid != KAUTH_UID_NONE && cur_pcred->cr_gid != want_egid) {
|
|
/* changing the effective GID */
|
|
new_egid = want_egid;
|
|
}
|
|
|
|
/*
|
|
* If the newly requested real gid or effective gid does
|
|
* not match the saved gid, then set the saved gid to the
|
|
* new effective gid. We are protected from escalation
|
|
* by the prechecking.
|
|
*/
|
|
if (cur_pcred->cr_svgid != want_rgid &&
|
|
cur_pcred->cr_svgid != want_egid) {
|
|
svgid = new_egid;
|
|
}
|
|
|
|
return kauth_cred_model_setresgid(model, want_rgid, want_egid, svgid);
|
|
});
|
|
|
|
return error;
|
|
}
|
|
|
|
|
|
static void
|
|
kern_settid_assume_cred(thread_ro_t tro, kauth_cred_t tmp)
|
|
{
|
|
kauth_cred_t cred = NOCRED;
|
|
|
|
kauth_cred_set(&cred, tmp);
|
|
zalloc_ro_update_field(ZONE_ID_THREAD_RO, tro, tro_cred, &cred);
|
|
}
|
|
|
|
/*
|
|
* Set the per-thread override identity. The first parameter can be the
|
|
* current real UID, KAUTH_UID_NONE, or, if the caller is privileged, it
|
|
* can be any UID. If it is KAUTH_UID_NONE, then as a special case, this
|
|
* means "revert to the per process credential"; otherwise, if permitted,
|
|
* it changes the effective, real, and saved UIDs and GIDs for the current
|
|
* thread to the requested UID and single GID, and clears all other GIDs.
|
|
*/
|
|
static int
|
|
kern_settid(proc_t p, uid_t uid, gid_t gid)
|
|
{
|
|
kauth_cred_t cred;
|
|
struct thread_ro *tro = current_thread_ro();
|
|
#if CONFIG_MACF
|
|
int error;
|
|
|
|
if ((error = mac_proc_check_settid(p, uid, gid)) != 0) {
|
|
return error;
|
|
}
|
|
#endif
|
|
|
|
if (proc_suser(p) != 0) {
|
|
return EPERM;
|
|
}
|
|
|
|
if (uid == KAUTH_UID_NONE) {
|
|
/* must already be assuming another identity in order to revert back */
|
|
if (tro->tro_realcred == tro->tro_cred) {
|
|
return EPERM;
|
|
}
|
|
|
|
/* revert to delayed binding of process credential */
|
|
kern_settid_assume_cred(tro, tro->tro_realcred);
|
|
} else {
|
|
/* cannot already be assuming another identity */
|
|
if (tro->tro_realcred != tro->tro_cred) {
|
|
return EPERM;
|
|
}
|
|
|
|
/*
|
|
* Get a new credential instance from the old if this one
|
|
* changes; otherwise kauth_cred_setuidgid() returns the
|
|
* same credential. We take an extra reference on the
|
|
* current credential while we muck with it, so we can do
|
|
* the post-compare for changes by pointer.
|
|
*/
|
|
cred = kauth_cred_derive(tro->tro_cred,
|
|
^bool (kauth_cred_t parent __unused, kauth_cred_t model) {
|
|
return kauth_cred_model_setuidgid(model, uid, gid);
|
|
});
|
|
kern_settid_assume_cred(tro, cred);
|
|
kauth_cred_unref(&cred);
|
|
}
|
|
|
|
/*
|
|
* XXX should potentially set per thread security token (there is
|
|
* XXX none).
|
|
* XXX it is unclear whether P_SUGID should be st at this point;
|
|
* XXX in theory, it is being deprecated.
|
|
*/
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sys_settid(proc_t p, struct settid_args *uap, __unused int32_t *retval)
|
|
{
|
|
AUDIT_ARG(uid, uap->uid);
|
|
AUDIT_ARG(gid, uap->gid);
|
|
|
|
return kern_settid(p, uap->uid, uap->gid);
|
|
}
|
|
|
|
|
|
/*
|
|
* Set the per-thread override identity. Use this system call for a thread to
|
|
* assume the identity of another process or to revert back to normal identity
|
|
* of the current process.
|
|
*
|
|
* When the "assume" argument is non zero the current thread will assume the
|
|
* identity of the process represented by the pid argument.
|
|
*
|
|
* When the assume argument is zero we revert back to our normal identity.
|
|
*/
|
|
int
|
|
sys_settid_with_pid(proc_t p, struct settid_with_pid_args *uap, __unused int32_t *retval)
|
|
{
|
|
uid_t uid;
|
|
gid_t gid;
|
|
|
|
AUDIT_ARG(pid, uap->pid);
|
|
AUDIT_ARG(value32, uap->assume);
|
|
|
|
/*
|
|
* XXX should potentially set per thread security token (there is
|
|
* XXX none).
|
|
* XXX it is unclear whether P_SUGID should be st at this point;
|
|
* XXX in theory, it is being deprecated.
|
|
*/
|
|
|
|
/*
|
|
* assume argument tells us to assume the identity of the process with the
|
|
* id passed in the pid argument.
|
|
*/
|
|
if (uap->assume != 0) {
|
|
kauth_cred_t cred;
|
|
|
|
if (uap->pid == 0) {
|
|
return ESRCH;
|
|
}
|
|
|
|
cred = kauth_cred_proc_ref_for_pid(uap->pid);
|
|
if (cred == NOCRED) {
|
|
return ESRCH;
|
|
}
|
|
|
|
uid = kauth_cred_getuid(cred);
|
|
gid = kauth_cred_getgid(cred);
|
|
kauth_cred_unref(&cred);
|
|
} else {
|
|
/*
|
|
* Otherwise, we are reverting back to normal mode of operation
|
|
* where delayed binding of the process credential sets the
|
|
* credential in the thread_ro (tro_cred)
|
|
*/
|
|
uid = KAUTH_UID_NONE;
|
|
gid = KAUTH_GID_NONE;
|
|
}
|
|
|
|
return kern_settid(p, uid, gid);
|
|
}
|
|
|
|
|
|
/*
|
|
* setgroups1
|
|
*
|
|
* Description: Internal implementation for both the setgroups and initgroups
|
|
* system calls
|
|
*
|
|
* Parameters: gidsetsize Number of groups in set
|
|
* gidset Pointer to group list
|
|
* gmuid Base gid (initgroups only!)
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM Permision denied
|
|
* EINVAL Invalid gidsetsize value
|
|
* copyin:EFAULT Bad gidset or gidsetsize is
|
|
* too large
|
|
*
|
|
* Notes: When called from a thread running under an assumed per-thread
|
|
* identity, this function will operate against the per-thread
|
|
* credential, rather than against the process credential. In
|
|
* this specific case, the process credential is verified to
|
|
* still be privileged at the time of the call, rather than the
|
|
* per-thread credential for this operation to be permitted.
|
|
*
|
|
* This effectively means that setgroups/initigroups calls in
|
|
* a thread running a per-thread credential should occur *after*
|
|
* the settid call that created it, not before (unlike setuid,
|
|
* which must be called after, since it will result in privilege
|
|
* being dropped).
|
|
*
|
|
* When called normally (i.e. no per-thread assumed identity),
|
|
* the per process credential is updated per POSIX.
|
|
*
|
|
* If the credential is changed as a result of this call, then we
|
|
* flag the process as having set privilege since the last exec.
|
|
*/
|
|
static int
|
|
setgroups1(proc_t p, u_int ngrp, user_addr_t gidset, uid_t gmuid, __unused int32_t *retval)
|
|
{
|
|
gid_t newgroups[NGROUPS] = { 0 };
|
|
int error;
|
|
|
|
if (ngrp > NGROUPS) {
|
|
return EINVAL;
|
|
}
|
|
|
|
if (ngrp >= 1) {
|
|
error = copyin(gidset,
|
|
(caddr_t)newgroups, ngrp * sizeof(gid_t));
|
|
if (error) {
|
|
return error;
|
|
}
|
|
}
|
|
return setgroups_internal(p, ngrp, newgroups, gmuid);
|
|
}
|
|
|
|
int
|
|
setgroups_internal(proc_t p, u_int ngrp, gid_t *newgroups, uid_t gmuid)
|
|
{
|
|
thread_ro_t tro = current_thread_ro();
|
|
kauth_cred_t cred;
|
|
int error;
|
|
|
|
error = proc_suser(p);
|
|
if (error) {
|
|
return error;
|
|
}
|
|
|
|
if (ngrp < 1) {
|
|
ngrp = 1;
|
|
newgroups[0] = 0;
|
|
}
|
|
|
|
kauth_cred_derive_t fn = ^bool (kauth_cred_t parent __unused, kauth_cred_t model) {
|
|
return kauth_cred_model_setgroups(model, newgroups, ngrp, gmuid);
|
|
};
|
|
|
|
if (tro->tro_realcred != tro->tro_cred) {
|
|
/*
|
|
* If this thread is under an assumed identity, set the
|
|
* supplementary grouplist on the thread credential instead
|
|
* of the process one. If we were the only reference holder,
|
|
* the credential is updated in place, otherwise, our reference
|
|
* is dropped and we get back a different cred with a reference
|
|
* already held on it. Because this is per-thread, we don't
|
|
* need the referencing/locking/retry required for per-process.
|
|
*/
|
|
cred = kauth_cred_derive(tro->tro_cred, fn);
|
|
kern_settid_assume_cred(tro, cred);
|
|
kauth_cred_unref(&cred);
|
|
} else {
|
|
kauth_cred_proc_update(p, PROC_SETTOKEN_SETUGID, fn);
|
|
AUDIT_ARG(groupset, &newgroups[0], ngrp);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* initgroups
|
|
*
|
|
* Description: Initialize the default supplementary groups list and set the
|
|
* gmuid for use by the external group resolver (if any)
|
|
*
|
|
* Parameters: uap->gidsetsize Number of groups in set
|
|
* uap->gidset Pointer to group list
|
|
* uap->gmuid Base gid
|
|
*
|
|
* Returns: 0 Success
|
|
* setgroups1:EPERM Permision denied
|
|
* setgroups1:EINVAL Invalid gidsetsize value
|
|
* setgroups1:EFAULT Bad gidset or gidsetsize is
|
|
*
|
|
* Notes: This function opts *IN* to memberd participation
|
|
*
|
|
* The normal purpose of this function is for a privileged
|
|
* process to indicate supplementary groups and identity for
|
|
* participation in extended group membership resolution prior
|
|
* to dropping privilege by assuming a specific user identity.
|
|
*
|
|
* It is the first half of the primary mechanism whereby user
|
|
* identity is established to the system by programs such as
|
|
* /usr/bin/login. The second half is the drop of uid privilege
|
|
* for a specific uid corresponding to the user.
|
|
*
|
|
* See also: setgroups1()
|
|
*/
|
|
int
|
|
initgroups(proc_t p, struct initgroups_args *uap, __unused int32_t *retval)
|
|
{
|
|
return setgroups1(p, uap->gidsetsize, uap->gidset, uap->gmuid, retval);
|
|
}
|
|
|
|
|
|
/*
|
|
* setgroups
|
|
*
|
|
* Description: Initialize the default supplementary groups list
|
|
*
|
|
* Parameters: gidsetsize Number of groups in set
|
|
* gidset Pointer to group list
|
|
*
|
|
* Returns: 0 Success
|
|
* setgroups1:EPERM Permision denied
|
|
* setgroups1:EINVAL Invalid gidsetsize value
|
|
* setgroups1:EFAULT Bad gidset or gidsetsize is
|
|
*
|
|
* Notes: This functions opts *OUT* of memberd participation.
|
|
*
|
|
* This function exists for compatibility with POSIX. Most user
|
|
* programs should use initgroups() instead to ensure correct
|
|
* participation in group membership resolution when utilizing
|
|
* a directory service for authentication.
|
|
*
|
|
* It is identical to an initgroups() call with a gmuid argument
|
|
* of KAUTH_UID_NONE.
|
|
*
|
|
* See also: setgroups1()
|
|
*/
|
|
int
|
|
setgroups(proc_t p, struct setgroups_args *uap, __unused int32_t *retval)
|
|
{
|
|
return setgroups1(p, uap->gidsetsize, uap->gidset, KAUTH_UID_NONE, retval);
|
|
}
|
|
|
|
|
|
/*
|
|
* Set the per-thread/per-process supplementary groups list.
|
|
*
|
|
* XXX implement setsgroups
|
|
*
|
|
*/
|
|
|
|
int
|
|
setsgroups(__unused proc_t p, __unused struct setsgroups_args *uap, __unused int32_t *retval)
|
|
{
|
|
return ENOTSUP;
|
|
}
|
|
|
|
/*
|
|
* Set the per-thread/per-process whiteout groups list.
|
|
*
|
|
* XXX implement setwgroups
|
|
*
|
|
*/
|
|
|
|
int
|
|
setwgroups(__unused proc_t p, __unused struct setwgroups_args *uap, __unused int32_t *retval)
|
|
{
|
|
return ENOTSUP;
|
|
}
|
|
|
|
|
|
/*
|
|
* Check if gid is a member of the group set.
|
|
*
|
|
* XXX This interface is going away; use kauth_cred_ismember_gid() directly
|
|
* XXX instead.
|
|
*/
|
|
int
|
|
groupmember(gid_t gid, kauth_cred_t cred)
|
|
{
|
|
int is_member;
|
|
|
|
if (kauth_cred_ismember_gid(cred, gid, &is_member) == 0 && is_member) {
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* Test whether the specified credentials imply "super-user"
|
|
* privilege; if so, and we have accounting info, set the flag
|
|
* indicating use of super-powers.
|
|
* Returns 0 or error.
|
|
*
|
|
* XXX This interface is going away; use kauth_cred_issuser() directly
|
|
* XXX instead.
|
|
*
|
|
* Note: This interface exists to implement the "has used privilege"
|
|
* bit (ASU) in the p_acflags field of the process, which is
|
|
* only externalized via private sysctl and in process accounting
|
|
* records. The flag is technically not required in either case.
|
|
*/
|
|
int
|
|
suser(kauth_cred_t cred, u_short *acflag)
|
|
{
|
|
if (kauth_cred_getuid(cred) == 0) {
|
|
if (acflag) {
|
|
*acflag |= ASU;
|
|
}
|
|
return 0;
|
|
}
|
|
return EPERM;
|
|
}
|
|
|
|
|
|
/*
|
|
* getlogin
|
|
*
|
|
* Description: Get login name, if available.
|
|
*
|
|
* Parameters: uap->namebuf User buffer for return
|
|
* uap->namelen User buffer length
|
|
*
|
|
* Returns: 0 Success
|
|
* copyout:EFAULT
|
|
*
|
|
* Notes: Intended to obtain a string containing the user name of the
|
|
* user associated with the controlling terminal for the calling
|
|
* process.
|
|
*
|
|
* Not very useful on modern systems, due to inherent length
|
|
* limitations for the static array in the session structure
|
|
* which is used to store the login name.
|
|
*
|
|
* Permitted to return NULL
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
getlogin(proc_t p, struct getlogin_args *uap, __unused int32_t *retval)
|
|
{
|
|
char buffer[MAXLOGNAME];
|
|
struct session *sessp;
|
|
struct pgrp *pg;
|
|
|
|
if (uap->namelen > MAXLOGNAME) {
|
|
uap->namelen = MAXLOGNAME;
|
|
}
|
|
|
|
if ((pg = proc_pgrp(p, &sessp)) != PGRP_NULL) {
|
|
session_lock(sessp);
|
|
bcopy(sessp->s_login, buffer, uap->namelen);
|
|
session_unlock(sessp);
|
|
pgrp_rele(pg);
|
|
} else {
|
|
bzero(buffer, uap->namelen);
|
|
}
|
|
|
|
return copyout((caddr_t)buffer, uap->namebuf, uap->namelen);
|
|
}
|
|
|
|
void
|
|
setlogin_internal(proc_t p, const char login[static MAXLOGNAME])
|
|
{
|
|
struct session *sessp;
|
|
struct pgrp *pg;
|
|
|
|
if ((pg = proc_pgrp(p, &sessp)) != PGRP_NULL) {
|
|
session_lock(sessp);
|
|
bcopy(login, sessp->s_login, MAXLOGNAME);
|
|
session_unlock(sessp);
|
|
pgrp_rele(pg);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* setlogin
|
|
*
|
|
* Description: Set login name.
|
|
*
|
|
* Parameters: uap->namebuf User buffer containing name
|
|
*
|
|
* Returns: 0 Success
|
|
* suser:EPERM Permission denied
|
|
* copyinstr:EFAULT User buffer invalid
|
|
* copyinstr:EINVAL Supplied name was too long
|
|
*
|
|
* Notes: This is a utility system call to support getlogin().
|
|
*
|
|
* XXX: Belongs in kern_proc.c
|
|
*/
|
|
int
|
|
setlogin(proc_t p, struct setlogin_args *uap, __unused int32_t *retval)
|
|
{
|
|
int error;
|
|
size_t dummy = 0;
|
|
char buffer[MAXLOGNAME + 1];
|
|
|
|
if ((error = proc_suser(p))) {
|
|
return error;
|
|
}
|
|
|
|
bzero(&buffer[0], MAXLOGNAME + 1);
|
|
|
|
|
|
error = copyinstr(uap->namebuf,
|
|
(caddr_t) &buffer[0],
|
|
MAXLOGNAME - 1, (size_t *)&dummy);
|
|
|
|
setlogin_internal(p, buffer);
|
|
|
|
if (!error) {
|
|
AUDIT_ARG(text, buffer);
|
|
} else if (error == ENAMETOOLONG) {
|
|
error = EINVAL;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
|
|
static void
|
|
proc_calc_audit_token(proc_t p, kauth_cred_t my_cred, audit_token_t *audit_token)
|
|
{
|
|
posix_cred_t my_pcred = posix_cred_get(my_cred);
|
|
|
|
/*
|
|
* The current layout of the Mach audit token explicitly
|
|
* adds these fields. But nobody should rely on such
|
|
* a literal representation. Instead, the BSM library
|
|
* provides a function to convert an audit token into
|
|
* a BSM subject. Use of that mechanism will isolate
|
|
* the user of the trailer from future representation
|
|
* changes.
|
|
*/
|
|
audit_token->val[0] = my_cred->cr_audit.as_aia_p->ai_auid;
|
|
audit_token->val[1] = my_pcred->cr_uid;
|
|
audit_token->val[2] = my_pcred->cr_gid;
|
|
audit_token->val[3] = my_pcred->cr_ruid;
|
|
audit_token->val[4] = my_pcred->cr_rgid;
|
|
audit_token->val[5] = proc_getpid(p);
|
|
audit_token->val[6] = my_cred->cr_audit.as_aia_p->ai_asid;
|
|
audit_token->val[7] = proc_pidversion(p);
|
|
}
|
|
|
|
/* Set the secrity token of the task with current euid and eguid */
|
|
int
|
|
set_security_token(proc_t p, struct ucred *my_cred)
|
|
{
|
|
security_token_t sec_token;
|
|
audit_token_t audit_token;
|
|
host_priv_t host_priv;
|
|
task_t task = proc_task(p);
|
|
|
|
proc_calc_audit_token(p, my_cred, &audit_token);
|
|
|
|
sec_token.val[0] = kauth_cred_getuid(my_cred);
|
|
sec_token.val[1] = kauth_cred_getgid(my_cred);
|
|
|
|
host_priv = (sec_token.val[0]) ? HOST_PRIV_NULL : host_priv_self();
|
|
#if CONFIG_MACF
|
|
if (host_priv != HOST_PRIV_NULL && mac_system_check_host_priv(my_cred)) {
|
|
host_priv = HOST_PRIV_NULL;
|
|
}
|
|
#endif
|
|
|
|
#if DEVELOPMENT || DEBUG
|
|
/*
|
|
* Update the pid an proc name for importance base if any
|
|
*/
|
|
task_importance_update_owner_info(task);
|
|
#endif
|
|
|
|
return task_set_security_tokens(task, sec_token, audit_token,
|
|
host_priv) != KERN_SUCCESS;
|
|
}
|
|
|
|
void
|
|
proc_parent_audit_token(proc_t p, audit_token_t *token_out)
|
|
{
|
|
proc_t parent;
|
|
kauth_cred_t my_cred;
|
|
|
|
proc_list_lock();
|
|
|
|
parent = p->p_pptr;
|
|
my_cred = kauth_cred_proc_ref(parent);
|
|
proc_calc_audit_token(parent, my_cred, token_out);
|
|
kauth_cred_unref(&my_cred);
|
|
|
|
proc_list_unlock();
|
|
}
|
|
|
|
|
|
int get_audit_token_pid(audit_token_t *audit_token);
|
|
|
|
int
|
|
get_audit_token_pid(audit_token_t *audit_token)
|
|
{
|
|
/* keep in-sync with set_security_token (above) */
|
|
if (audit_token) {
|
|
return (int)audit_token->val[5];
|
|
}
|
|
return -1;
|
|
}
|
|
|
|
|
|
/*
|
|
* Fill in a struct xucred based on a kauth_cred_t.
|
|
*/
|
|
void
|
|
cru2x(kauth_cred_t cr, struct xucred *xcr)
|
|
{
|
|
posix_cred_t pcr = posix_cred_get(cr);
|
|
|
|
bzero(xcr, sizeof(*xcr));
|
|
xcr->cr_version = XUCRED_VERSION;
|
|
xcr->cr_uid = kauth_cred_getuid(cr);
|
|
xcr->cr_ngroups = pcr->cr_ngroups;
|
|
bcopy(pcr->cr_groups, xcr->cr_groups, sizeof(xcr->cr_groups));
|
|
}
|
|
|
|
/*
|
|
* Copy kauth_cred into a virtual address by assignment.
|
|
* Needed because elements of kauth_cred are PACed
|
|
* so memcpy doesn't work.
|
|
*/
|
|
void
|
|
kauth_cred_copy(const uintptr_t kv, const uintptr_t new_data)
|
|
{
|
|
*(kauth_cred_t)kv = *(kauth_cred_t)new_data;
|
|
}
|