diff --git a/sys/fs/nfsserver/nfs_nfsdsubs.c b/sys/fs/nfsserver/nfs_nfsdsubs.c index d80826993f23..2fd877775c79 100644 --- a/sys/fs/nfsserver/nfs_nfsdsubs.c +++ b/sys/fs/nfsserver/nfs_nfsdsubs.c @@ -1,2204 +1,2203 @@ /*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Rick Macklem at The University of Guelph. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ #include /* * These functions support the macros and help fiddle mbuf chains for * the nfs op functions. They do things like create the rpc header and * copy data between mbuf chains and uio lists. */ #include extern u_int32_t newnfs_true, newnfs_false; extern int nfs_pubfhset; extern int nfsrv_clienthashsize; extern int nfsrv_lockhashsize; extern int nfsrv_sessionhashsize; extern int nfsrv_useacl; extern uid_t nfsrv_defaultuid; extern gid_t nfsrv_defaultgid; NFSD_VNET_DECLARE(struct nfsclienthashhead *, nfsclienthash); NFSD_VNET_DECLARE(struct nfslockhashhead *, nfslockhash); NFSD_VNET_DECLARE(struct nfssessionhash *, nfssessionhash); NFSD_VNET_DECLARE(int, nfs_rootfhset); NFSD_VNET_DECLARE(uid_t, nfsrv_defaultuid); NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid); char nfs_v2pubfh[NFSX_V2FH]; struct nfsdontlisthead nfsrv_dontlisthead; struct nfslayouthead nfsrv_recalllisthead; static nfstype newnfsv2_type[9] = { NFNON, NFREG, NFDIR, NFBLK, NFCHR, NFLNK, NFNON, NFCHR, NFNON }; extern nfstype nfsv34_type[9]; static u_int32_t nfsrv_isannfserr(u_int32_t); SYSCTL_DECL(_vfs_nfsd); static int enable_checkutf8 = 1; SYSCTL_INT(_vfs_nfsd, OID_AUTO, enable_checkutf8, CTLFLAG_RW, &enable_checkutf8, 0, "Enable the NFSv4 check for the UTF8 compliant name required by rfc3530"); static int enable_nobodycheck = 1; SYSCTL_INT(_vfs_nfsd, OID_AUTO, enable_nobodycheck, CTLFLAG_RW, &enable_nobodycheck, 0, "Enable the NFSv4 check when setting user nobody as owner"); static int enable_nogroupcheck = 1; SYSCTL_INT(_vfs_nfsd, OID_AUTO, enable_nogroupcheck, CTLFLAG_RW, &enable_nogroupcheck, 0, "Enable the NFSv4 check when setting group nogroup as owner"); static char nfsrv_hexdigit(char, int *); /* * Maps errno values to nfs error numbers. * Use NFSERR_IO as the catch all for ones not specifically defined in * RFC 1094. (It now includes the errors added for NFSv3.) */ static u_char nfsrv_v2errmap[NFSERR_REMOTE] = { NFSERR_PERM, NFSERR_NOENT, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_NXIO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_ACCES, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_EXIST, NFSERR_XDEV, NFSERR_NODEV, NFSERR_NOTDIR, NFSERR_ISDIR, NFSERR_INVAL, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_FBIG, NFSERR_NOSPC, NFSERR_IO, NFSERR_ROFS, NFSERR_MLINK, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_IO, NFSERR_NAMETOL, NFSERR_IO, NFSERR_IO, NFSERR_NOTEMPTY, NFSERR_IO, NFSERR_IO, NFSERR_DQUOT, NFSERR_STALE, NFSERR_REMOTE, }; /* * Maps errno values to nfs error numbers. * Although it is not obvious whether or not NFS clients really care if * a returned error value is in the specified list for the procedure, the * safest thing to do is filter them appropriately. For Version 2, the * X/Open XNFS document is the only specification that defines error values * for each RPC (The RFC simply lists all possible error values for all RPCs), * so I have decided to not do this for Version 2. * The first entry is the default error return and the rest are the valid * errors for that RPC in increasing numeric order. */ static short nfsv3err_null[] = { 0, 0, }; static short nfsv3err_getattr[] = { NFSERR_IO, NFSERR_IO, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_setattr[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_PERM, NFSERR_IO, NFSERR_INVAL, NFSERR_NOSPC, NFSERR_ROFS, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOT_SYNC, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_lookup[] = { NFSERR_IO, NFSERR_NOENT, NFSERR_ACCES, NFSERR_NAMETOL, NFSERR_IO, NFSERR_NOTDIR, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_access[] = { NFSERR_IO, NFSERR_IO, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_readlink[] = { NFSERR_IO, NFSERR_IO, NFSERR_ACCES, NFSERR_INVAL, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_read[] = { NFSERR_IO, NFSERR_IO, NFSERR_NXIO, NFSERR_ACCES, NFSERR_INVAL, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_write[] = { NFSERR_IO, NFSERR_IO, NFSERR_ACCES, NFSERR_NOSPC, NFSERR_INVAL, NFSERR_FBIG, NFSERR_ROFS, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_create[] = { NFSERR_IO, NFSERR_EXIST, NFSERR_NAMETOL, NFSERR_ACCES, NFSERR_IO, NFSERR_NOTDIR, NFSERR_NOSPC, NFSERR_ROFS, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_mkdir[] = { NFSERR_IO, NFSERR_EXIST, NFSERR_ACCES, NFSERR_NAMETOL, NFSERR_IO, NFSERR_NOTDIR, NFSERR_NOSPC, NFSERR_ROFS, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_symlink[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_EXIST, NFSERR_NAMETOL, NFSERR_NOSPC, NFSERR_IO, NFSERR_NOTDIR, NFSERR_ROFS, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_mknod[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_EXIST, NFSERR_NAMETOL, NFSERR_NOSPC, NFSERR_IO, NFSERR_NOTDIR, NFSERR_ROFS, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, NFSERR_BADTYPE, 0, }; static short nfsv3err_remove[] = { NFSERR_IO, NFSERR_NOENT, NFSERR_ACCES, NFSERR_NAMETOL, NFSERR_IO, NFSERR_NOTDIR, NFSERR_ROFS, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_rmdir[] = { NFSERR_IO, NFSERR_NOENT, NFSERR_ACCES, NFSERR_NOTDIR, NFSERR_NAMETOL, NFSERR_IO, NFSERR_EXIST, NFSERR_INVAL, NFSERR_ROFS, NFSERR_NOTEMPTY, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_rename[] = { NFSERR_IO, NFSERR_NOENT, NFSERR_ACCES, NFSERR_EXIST, NFSERR_NAMETOL, NFSERR_XDEV, NFSERR_IO, NFSERR_NOTDIR, NFSERR_ISDIR, NFSERR_INVAL, NFSERR_NOSPC, NFSERR_ROFS, NFSERR_MLINK, NFSERR_NOTEMPTY, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_link[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_EXIST, NFSERR_NAMETOL, NFSERR_IO, NFSERR_XDEV, NFSERR_NOTDIR, NFSERR_INVAL, NFSERR_NOSPC, NFSERR_ROFS, NFSERR_MLINK, NFSERR_DQUOT, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_NOTSUPP, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_readdir[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_NOTDIR, NFSERR_IO, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_BAD_COOKIE, NFSERR_TOOSMALL, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_readdirplus[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_NOTDIR, NFSERR_IO, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_BAD_COOKIE, NFSERR_NOTSUPP, NFSERR_TOOSMALL, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_fsstat[] = { NFSERR_IO, NFSERR_IO, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_fsinfo[] = { NFSERR_STALE, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_pathconf[] = { NFSERR_STALE, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short nfsv3err_commit[] = { NFSERR_IO, NFSERR_IO, NFSERR_STALE, NFSERR_BADHANDLE, NFSERR_SERVERFAULT, NFSERR_DELAY, 0, }; static short *nfsrv_v3errmap[] = { nfsv3err_null, nfsv3err_getattr, nfsv3err_setattr, nfsv3err_lookup, nfsv3err_access, nfsv3err_readlink, nfsv3err_read, nfsv3err_write, nfsv3err_create, nfsv3err_mkdir, nfsv3err_symlink, nfsv3err_mknod, nfsv3err_remove, nfsv3err_rmdir, nfsv3err_rename, nfsv3err_link, nfsv3err_readdir, nfsv3err_readdirplus, nfsv3err_fsstat, nfsv3err_fsinfo, nfsv3err_pathconf, nfsv3err_commit, }; /* * And the same for V4. */ static short nfsv4err_null[] = { 0, 0, }; static short nfsv4err_access[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_close[] = { NFSERR_EXPIRED, NFSERR_ADMINREVOKED, NFSERR_BADHANDLE, NFSERR_BADSEQID, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_EXPIRED, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_ISDIR, NFSERR_LEASEMOVED, NFSERR_LOCKSHELD, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_OLDSTATEID, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_commit[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_BADXDR, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_ISDIR, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_create[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_ATTRNOTSUPP, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADNAME, NFSERR_BADOWNER, NFSERR_BADTYPE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DQUOT, NFSERR_EXIST, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NAMETOL, NFSERR_NOFILEHANDLE, NFSERR_NOSPC, NFSERR_NOTDIR, NFSERR_PERM, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_delegpurge[] = { NFSERR_SERVERFAULT, NFSERR_BADXDR, NFSERR_NOTSUPP, NFSERR_LEASEMOVED, NFSERR_MOVED, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALECLIENTID, 0, }; static short nfsv4err_delegreturn[] = { NFSERR_SERVERFAULT, NFSERR_ADMINREVOKED, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_EXPIRED, NFSERR_INVAL, NFSERR_LEASEMOVED, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NOTSUPP, NFSERR_OLDSTATEID, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_getattr[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_getfh[] = { NFSERR_BADHANDLE, NFSERR_BADHANDLE, NFSERR_FHEXPIRED, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_link[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADNAME, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DQUOT, NFSERR_EXIST, NFSERR_FHEXPIRED, NFSERR_FILEOPEN, NFSERR_INVAL, NFSERR_IO, NFSERR_ISDIR, NFSERR_MLINK, NFSERR_MOVED, NFSERR_NAMETOL, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOSPC, NFSERR_NOTDIR, NFSERR_NOTSUPP, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_WRONGSEC, NFSERR_XDEV, 0, }; static short nfsv4err_lock[] = { NFSERR_SERVERFAULT, NFSERR_ACCES, NFSERR_ADMINREVOKED, NFSERR_BADHANDLE, NFSERR_BADRANGE, NFSERR_BADSEQID, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_DEADLOCK, NFSERR_DELAY, NFSERR_DENIED, NFSERR_EXPIRED, NFSERR_FHEXPIRED, NFSERR_GRACE, NFSERR_INVAL, NFSERR_ISDIR, NFSERR_LEASEMOVED, NFSERR_LOCKNOTSUPP, NFSERR_LOCKRANGE, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NOGRACE, NFSERR_OLDSTATEID, NFSERR_OPENMODE, NFSERR_RECLAIMBAD, NFSERR_RECLAIMCONFLICT, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALECLIENTID, NFSERR_STALESTATEID, 0, }; static short nfsv4err_lockt[] = { NFSERR_SERVERFAULT, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_BADRANGE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DENIED, NFSERR_FHEXPIRED, NFSERR_GRACE, NFSERR_INVAL, NFSERR_ISDIR, NFSERR_LEASEMOVED, NFSERR_LOCKRANGE, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALECLIENTID, 0, }; static short nfsv4err_locku[] = { NFSERR_SERVERFAULT, NFSERR_ACCES, NFSERR_ADMINREVOKED, NFSERR_BADHANDLE, NFSERR_BADRANGE, NFSERR_BADSEQID, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_EXPIRED, NFSERR_FHEXPIRED, NFSERR_GRACE, NFSERR_INVAL, NFSERR_ISDIR, NFSERR_LEASEMOVED, NFSERR_LOCKRANGE, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_OLDSTATEID, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_lookup[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADNAME, NFSERR_BADXDR, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NAMETOL, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOTDIR, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_SYMLINK, NFSERR_WRONGSEC, 0, }; static short nfsv4err_lookupp[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_FHEXPIRED, NFSERR_IO, NFSERR_MOVED, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOTDIR, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_nverify[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_ATTRNOTSUPP, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_RESOURCE, NFSERR_SAME, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_open[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_ADMINREVOKED, NFSERR_ATTRNOTSUPP, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADNAME, NFSERR_BADOWNER, NFSERR_BADSEQID, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DQUOT, NFSERR_EXIST, NFSERR_EXPIRED, NFSERR_FHEXPIRED, NFSERR_GRACE, NFSERR_IO, NFSERR_INVAL, NFSERR_ISDIR, NFSERR_LEASEMOVED, NFSERR_MOVED, NFSERR_NAMETOL, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOGRACE, NFSERR_NOSPC, NFSERR_NOTDIR, NFSERR_NOTSUPP, NFSERR_PERM, NFSERR_RECLAIMBAD, NFSERR_RECLAIMCONFLICT, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_SHAREDENIED, NFSERR_STALE, NFSERR_STALECLIENTID, NFSERR_SYMLINK, NFSERR_WRONGSEC, 0, }; static short nfsv4err_openattr[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DQUOT, NFSERR_FHEXPIRED, NFSERR_IO, NFSERR_MOVED, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOSPC, NFSERR_NOTSUPP, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_openconfirm[] = { NFSERR_SERVERFAULT, NFSERR_ADMINREVOKED, NFSERR_BADHANDLE, NFSERR_BADSEQID, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_EXPIRED, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_ISDIR, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_OLDSTATEID, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_opendowngrade[] = { NFSERR_SERVERFAULT, NFSERR_ADMINREVOKED, NFSERR_BADHANDLE, NFSERR_BADSEQID, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_EXPIRED, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_OLDSTATEID, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_putfh[] = { NFSERR_SERVERFAULT, NFSERR_BADHANDLE, NFSERR_BADXDR, NFSERR_FHEXPIRED, NFSERR_MOVED, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_WRONGSEC, 0, }; static short nfsv4err_putpubfh[] = { NFSERR_SERVERFAULT, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_WRONGSEC, 0, }; static short nfsv4err_putrootfh[] = { NFSERR_SERVERFAULT, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_WRONGSEC, 0, }; static short nfsv4err_read[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_ADMINREVOKED, NFSERR_BADHANDLE, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_EXPIRED, NFSERR_FHEXPIRED, NFSERR_GRACE, NFSERR_IO, NFSERR_INVAL, NFSERR_ISDIR, NFSERR_LEASEMOVED, NFSERR_LOCKED, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NXIO, NFSERR_OLDSTATEID, NFSERR_OPENMODE, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_readdir[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_BAD_COOKIE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NOTDIR, NFSERR_NOTSAME, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_TOOSMALL, 0, }; static short nfsv4err_readlink[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADHANDLE, NFSERR_DELAY, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_IO, NFSERR_ISDIR, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NOTSUPP, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_remove[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADNAME, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_FHEXPIRED, NFSERR_FILEOPEN, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NAMETOL, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOTDIR, NFSERR_NOTEMPTY, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_rename[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADNAME, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DQUOT, NFSERR_EXIST, NFSERR_FHEXPIRED, NFSERR_FILEOPEN, NFSERR_INVAL, NFSERR_IO, NFSERR_MOVED, NFSERR_NAMETOL, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOSPC, NFSERR_NOTDIR, NFSERR_NOTEMPTY, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_WRONGSEC, NFSERR_XDEV, 0, }; static short nfsv4err_renew[] = { NFSERR_SERVERFAULT, NFSERR_ACCES, NFSERR_ADMINREVOKED, NFSERR_BADXDR, NFSERR_CBPATHDOWN, NFSERR_EXPIRED, NFSERR_LEASEMOVED, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALECLIENTID, 0, }; static short nfsv4err_restorefh[] = { NFSERR_SERVERFAULT, NFSERR_BADHANDLE, NFSERR_FHEXPIRED, NFSERR_MOVED, NFSERR_RESOURCE, NFSERR_RESTOREFH, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_WRONGSEC, 0, }; static short nfsv4err_savefh[] = { NFSERR_SERVERFAULT, NFSERR_BADHANDLE, NFSERR_FHEXPIRED, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_secinfo[] = { NFSERR_SERVERFAULT, NFSERR_ACCES, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADNAME, NFSERR_BADXDR, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_MOVED, NFSERR_NAMETOL, NFSERR_NOENT, NFSERR_NOFILEHANDLE, NFSERR_NOTDIR, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_setattr[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_ADMINREVOKED, NFSERR_ATTRNOTSUPP, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADOWNER, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DQUOT, NFSERR_EXPIRED, NFSERR_FBIG, NFSERR_FHEXPIRED, NFSERR_GRACE, NFSERR_INVAL, NFSERR_IO, NFSERR_ISDIR, NFSERR_LOCKED, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NOSPC, NFSERR_OLDSTATEID, NFSERR_OPENMODE, NFSERR_PERM, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_setclientid[] = { NFSERR_SERVERFAULT, NFSERR_BADXDR, NFSERR_CLIDINUSE, NFSERR_INVAL, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_WRONGSEC, 0, }; static short nfsv4err_setclientidconfirm[] = { NFSERR_SERVERFAULT, NFSERR_BADXDR, NFSERR_CLIDINUSE, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALECLIENTID, 0, }; static short nfsv4err_verify[] = { NFSERR_SERVERFAULT, NFSERR_ACCES, NFSERR_ATTRNOTSUPP, NFSERR_BADCHAR, NFSERR_BADHANDLE, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_FHEXPIRED, NFSERR_INVAL, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NOTSAME, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALE, 0, }; static short nfsv4err_write[] = { NFSERR_IO, NFSERR_ACCES, NFSERR_ADMINREVOKED, NFSERR_BADHANDLE, NFSERR_BADSTATEID, NFSERR_BADXDR, NFSERR_DELAY, NFSERR_DQUOT, NFSERR_EXPIRED, NFSERR_FBIG, NFSERR_FHEXPIRED, NFSERR_GRACE, NFSERR_INVAL, NFSERR_IO, NFSERR_ISDIR, NFSERR_LEASEMOVED, NFSERR_LOCKED, NFSERR_MOVED, NFSERR_NOFILEHANDLE, NFSERR_NOSPC, NFSERR_NXIO, NFSERR_OLDSTATEID, NFSERR_OPENMODE, NFSERR_RESOURCE, NFSERR_ROFS, NFSERR_SERVERFAULT, NFSERR_STALE, NFSERR_STALESTATEID, 0, }; static short nfsv4err_releaselockowner[] = { NFSERR_SERVERFAULT, NFSERR_ADMINREVOKED, NFSERR_BADXDR, NFSERR_EXPIRED, NFSERR_LEASEMOVED, NFSERR_LOCKSHELD, NFSERR_RESOURCE, NFSERR_SERVERFAULT, NFSERR_STALECLIENTID, 0, }; static short *nfsrv_v4errmap[] = { nfsv4err_null, nfsv4err_null, nfsv4err_null, nfsv4err_access, nfsv4err_close, nfsv4err_commit, nfsv4err_create, nfsv4err_delegpurge, nfsv4err_delegreturn, nfsv4err_getattr, nfsv4err_getfh, nfsv4err_link, nfsv4err_lock, nfsv4err_lockt, nfsv4err_locku, nfsv4err_lookup, nfsv4err_lookupp, nfsv4err_nverify, nfsv4err_open, nfsv4err_openattr, nfsv4err_openconfirm, nfsv4err_opendowngrade, nfsv4err_putfh, nfsv4err_putpubfh, nfsv4err_putrootfh, nfsv4err_read, nfsv4err_readdir, nfsv4err_readlink, nfsv4err_remove, nfsv4err_rename, nfsv4err_renew, nfsv4err_restorefh, nfsv4err_savefh, nfsv4err_secinfo, nfsv4err_setattr, nfsv4err_setclientid, nfsv4err_setclientidconfirm, nfsv4err_verify, nfsv4err_write, nfsv4err_releaselockowner, }; /* * Trim tlen bytes off the end of the mbuf list and then ensure * the end of the last mbuf is nul filled to a long boundary, * as indicated by the value of "nul". * Return the last mbuf in the updated list and free and mbufs * that follow it in the original list. * This is somewhat different than the old nfsrv_adj() with * support for ext_pgs mbufs. It frees the remaining mbufs * instead of setting them 0 length, since lists of ext_pgs * mbufs are all expected to be non-empty. */ struct mbuf * nfsrv_adj(struct mbuf *mp, int len, int nul) { struct mbuf *m, *m2; vm_page_t pg; int i, lastlen, pgno, plen, tlen, trim; uint16_t off; char *cp; /* * Find the last mbuf after adjustment and * how much it needs to be adjusted by. */ tlen = 0; m = mp; for (;;) { tlen += m->m_len; if (m->m_next == NULL) break; m = m->m_next; } /* m is now the last mbuf and tlen the total length. */ if (len >= m->m_len) { /* Need to trim away the last mbuf(s). */ i = tlen - len; m = mp; for (;;) { if (m->m_len >= i) break; i -= m->m_len; m = m->m_next; } lastlen = i; } else lastlen = m->m_len - len; /* * m is now the last mbuf after trimming and its length needs to * be lastlen. * Adjust the last mbuf and set cp to point to where nuls must be * written. */ if ((m->m_flags & M_EXTPG) != 0) { pgno = m->m_epg_npgs - 1; off = (pgno == 0) ? m->m_epg_1st_off : 0; plen = m_epg_pagelen(m, pgno, off); if (m->m_len > lastlen) { /* Trim this mbuf. */ trim = m->m_len - lastlen; while (trim >= plen) { KASSERT(pgno > 0, ("nfsrv_adj: freeing page 0")); /* Free page. */ pg = PHYS_TO_VM_PAGE(m->m_epg_pa[pgno]); vm_page_unwire_noq(pg); vm_page_free(pg); trim -= plen; m->m_epg_npgs--; pgno--; off = (pgno == 0) ? m->m_epg_1st_off : 0; plen = m_epg_pagelen(m, pgno, off); } plen -= trim; m->m_epg_last_len = plen; m->m_len = lastlen; } cp = (char *)(void *)PHYS_TO_DMAP(m->m_epg_pa[pgno]); cp += off + plen - nul; } else { m->m_len = lastlen; cp = mtod(m, char *) + m->m_len - nul; } /* Write the nul bytes. */ for (i = 0; i < nul; i++) *cp++ = '\0'; /* Free up any mbufs past "m". */ m2 = m->m_next; m->m_next = NULL; if (m2 != NULL) m_freem(m2); return (m); } /* * Make these functions instead of macros, so that the kernel text size * doesn't get too big... */ void nfsrv_wcc(struct nfsrv_descript *nd, int before_ret, struct nfsvattr *before_nvap, int after_ret, struct nfsvattr *after_nvap) { u_int32_t *tl; if (before_ret) { NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED); *tl = newnfs_false; } else { NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED); *tl++ = newnfs_true; txdr_hyper(before_nvap->na_size, tl); tl += 2; txdr_nfsv3time(&(before_nvap->na_mtime), tl); tl += 2; txdr_nfsv3time(&(before_nvap->na_ctime), tl); } nfsrv_postopattr(nd, after_ret, after_nvap); } void nfsrv_postopattr(struct nfsrv_descript *nd, int after_ret, struct nfsvattr *after_nvap) { u_int32_t *tl; NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED); if (after_ret) *tl = newnfs_false; else { *tl = newnfs_true; nfsrv_fillattr(nd, after_nvap); } } /* * Fill in file attributes for V2 and 3. For V4, call a separate * routine that sifts through all the attribute bits. */ void nfsrv_fillattr(struct nfsrv_descript *nd, struct nfsvattr *nvap) { struct nfs_fattr *fp; int fattr_size; /* * Build space for the attribute structure. */ if (nd->nd_flag & ND_NFSV3) fattr_size = NFSX_V3FATTR; else fattr_size = NFSX_V2FATTR; NFSM_BUILD(fp, struct nfs_fattr *, fattr_size); /* * Now just fill it all in. */ fp->fa_nlink = txdr_unsigned(nvap->na_nlink); fp->fa_uid = txdr_unsigned(nvap->na_uid); fp->fa_gid = txdr_unsigned(nvap->na_gid); if (nd->nd_flag & ND_NFSV3) { fp->fa_type = vtonfsv34_type(nvap->na_type); fp->fa_mode = vtonfsv34_mode(nvap->na_mode); txdr_hyper(nvap->na_size, (uint32_t*)&fp->fa3_size); txdr_hyper(nvap->na_bytes, (uint32_t*)&fp->fa3_used); fp->fa3_rdev.specdata1 = txdr_unsigned(NFSMAJOR(nvap->na_rdev)); fp->fa3_rdev.specdata2 = txdr_unsigned(NFSMINOR(nvap->na_rdev)); fp->fa3_fsid.nfsuquad[0] = 0; fp->fa3_fsid.nfsuquad[1] = txdr_unsigned(nvap->na_fsid); txdr_hyper(nvap->na_fileid, (uint32_t*)&fp->fa3_fileid); txdr_nfsv3time(&nvap->na_atime, &fp->fa3_atime); txdr_nfsv3time(&nvap->na_mtime, &fp->fa3_mtime); txdr_nfsv3time(&nvap->na_ctime, &fp->fa3_ctime); } else { fp->fa_type = vtonfsv2_type(nvap->na_type); fp->fa_mode = vtonfsv2_mode(nvap->na_type, nvap->na_mode); fp->fa2_size = txdr_unsigned(nvap->na_size); fp->fa2_blocksize = txdr_unsigned(nvap->na_blocksize); if (nvap->na_type == VFIFO) fp->fa2_rdev = 0xffffffff; else fp->fa2_rdev = txdr_unsigned(nvap->na_rdev); fp->fa2_blocks = txdr_unsigned(nvap->na_bytes / NFS_FABLKSIZE); fp->fa2_fsid = txdr_unsigned(nvap->na_fsid); fp->fa2_fileid = txdr_unsigned(nvap->na_fileid); txdr_nfsv2time(&nvap->na_atime, &fp->fa2_atime); txdr_nfsv2time(&nvap->na_mtime, &fp->fa2_mtime); txdr_nfsv2time(&nvap->na_ctime, &fp->fa2_ctime); } } /* * This function gets a file handle out of an mbuf list. * It returns 0 for success, EBADRPC otherwise. * If sets the third flagp argument to 1 if the file handle is * the public file handle. * For NFSv4, if the length is incorrect, set nd_repstat == NFSERR_BADHANDLE */ int nfsrv_mtofh(struct nfsrv_descript *nd, struct nfsrvfh *fhp) { u_int32_t *tl; int error = 0, len, copylen; if (nd->nd_flag & (ND_NFSV3 | ND_NFSV4)) { NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); len = fxdr_unsigned(int, *tl); if (len == 0 && nfs_pubfhset && (nd->nd_flag & ND_NFSV3) && nd->nd_procnum == NFSPROC_LOOKUP) { nd->nd_flag |= ND_PUBLOOKUP; goto nfsmout; } copylen = len; /* If len == NFSX_V4PNFSFH the RPC is a pNFS DS one. */ if (len == NFSX_V4PNFSFH && (nd->nd_flag & ND_NFSV41) != 0) { copylen = NFSX_MYFH; len = NFSM_RNDUP(len); nd->nd_flag |= ND_DSSERVER; } else if (len < NFSRV_MINFH || len > NFSRV_MAXFH) { if (nd->nd_flag & ND_NFSV4) { if (len > 0 && len <= NFSX_V4FHMAX) { error = nfsm_advance(nd, NFSM_RNDUP(len), -1); if (error) goto nfsmout; nd->nd_repstat = NFSERR_BADHANDLE; goto nfsmout; } else { error = EBADRPC; goto nfsmout; } } else { error = EBADRPC; goto nfsmout; } } } else { /* * For NFSv2, the file handle is always 32 bytes on the * wire, but this server only cares about the first * NFSRV_MAXFH bytes. */ len = NFSX_V2FH; copylen = NFSRV_MAXFH; } NFSM_DISSECT(tl, u_int32_t *, len); if ((nd->nd_flag & ND_NFSV2) && nfs_pubfhset && nd->nd_procnum == NFSPROC_LOOKUP && !NFSBCMP((caddr_t)tl, nfs_v2pubfh, NFSX_V2FH)) { nd->nd_flag |= ND_PUBLOOKUP; goto nfsmout; } NFSBCOPY(tl, (caddr_t)fhp->nfsrvfh_data, copylen); fhp->nfsrvfh_len = copylen; nfsmout: NFSEXITCODE2(error, nd); return (error); } /* * Map errnos to NFS error numbers. For Version 3 and 4 also filter out error * numbers not specified for the associated procedure. * NFSPROC_NOOP is a special case, where the high order bits of nd_repstat * should be cleared. NFSPROC_NOOP is used to return errors when a valid * RPC procedure is not involved. * Returns the error number in XDR. */ int nfsd_errmap(struct nfsrv_descript *nd) { short *defaulterrp, *errp; if (!nd->nd_repstat) return (0); if ((nd->nd_repstat & NFSERR_AUTHERR) != 0) return (txdr_unsigned(NFSERR_ACCES)); if (nd->nd_flag & (ND_NFSV3 | ND_NFSV4)) { if (nd->nd_procnum == NFSPROC_NOOP) return (txdr_unsigned(nd->nd_repstat & 0xffff)); if (nd->nd_flag & ND_NFSV3) errp = defaulterrp = nfsrv_v3errmap[nd->nd_procnum]; else if (nd->nd_repstat == EBADRPC) return (txdr_unsigned(NFSERR_BADXDR)); else if (nd->nd_repstat == NFSERR_MINORVERMISMATCH || nd->nd_repstat == NFSERR_OPILLEGAL) return (txdr_unsigned(nd->nd_repstat)); else if (nd->nd_repstat == NFSERR_REPLYFROMCACHE) return (txdr_unsigned(NFSERR_IO)); else if ((nd->nd_flag & ND_NFSV41) != 0) { if (nd->nd_repstat == EOPNOTSUPP) nd->nd_repstat = NFSERR_NOTSUPP; nd->nd_repstat = nfsrv_isannfserr(nd->nd_repstat); return (txdr_unsigned(nd->nd_repstat)); } else errp = defaulterrp = nfsrv_v4errmap[nd->nd_procnum]; while (*++errp) if (*errp == nd->nd_repstat) return (txdr_unsigned(nd->nd_repstat)); return (txdr_unsigned(*defaulterrp)); } if (nd->nd_repstat <= NFSERR_REMOTE) return (txdr_unsigned(nfsrv_v2errmap[nd->nd_repstat - 1])); return (txdr_unsigned(NFSERR_IO)); } /* * Check to see if the error is a valid NFS one. If not, replace it with * NFSERR_IO. */ static u_int32_t nfsrv_isannfserr(u_int32_t errval) { if (errval == NFSERR_OK) return (errval); if (errval >= NFSERR_BADHANDLE && errval <= NFSERR_MAXERRVAL) return (errval); if (errval > 0 && errval <= NFSERR_REMOTE) return (nfsrv_v2errmap[errval - 1]); return (NFSERR_IO); } /* * Check to see if setting a uid/gid is permitted when creating a new * file object. (Called when uid and/or gid is specified in the * settable attributes for V4. */ int nfsrv_checkuidgid(struct nfsrv_descript *nd, struct nfsvattr *nvap) { int error = 0; /* * If not setting either uid nor gid, it's OK. */ if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) goto out; if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == NFSD_VNET(nfsrv_defaultuid) && enable_nobodycheck == 1) || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == NFSD_VNET(nfsrv_defaultgid) && enable_nogroupcheck == 1)) { error = NFSERR_BADOWNER; goto out; } if (nd->nd_cred->cr_uid == 0) goto out; if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid != nd->nd_cred->cr_uid) || - (NFSVNO_ISSETGID(nvap) && nvap->na_gid != nd->nd_cred->cr_gid && + (NFSVNO_ISSETGID(nvap) && !groupmember(nvap->na_gid, nd->nd_cred))) error = NFSERR_PERM; out: NFSEXITCODE2(error, nd); return (error); } /* * and this routine fixes up the settable attributes for V4 if allowed * by nfsrv_checkuidgid(). */ void nfsrv_fixattr(struct nfsrv_descript *nd, vnode_t vp, struct nfsvattr *nvap, NFSACL_T *aclp, NFSPROC_T *p, nfsattrbit_t *attrbitp, struct nfsexstuff *exp) { int change = 0; struct nfsvattr nva; uid_t tuid; int error; nfsattrbit_t nattrbits; /* * Maybe this should be done for V2 and 3 but it never has been * and nobody seems to be upset, so I think it's best not to change * the V2 and 3 semantics. */ if ((nd->nd_flag & ND_NFSV4) == 0) goto out; NFSVNO_ATTRINIT(&nva); NFSZERO_ATTRBIT(&nattrbits); tuid = nd->nd_cred->cr_uid; if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_OWNER) && NFSVNO_ISSETUID(nvap) && nvap->na_uid != nd->nd_cred->cr_uid) { if (nd->nd_cred->cr_uid == 0) { nva.na_uid = nvap->na_uid; change++; NFSSETBIT_ATTRBIT(&nattrbits, NFSATTRBIT_OWNER); } else { NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_OWNER); } } if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_TIMEACCESSSET) && NFSVNO_ISSETATIME(nvap)) { nva.na_atime = nvap->na_atime; change++; NFSSETBIT_ATTRBIT(&nattrbits, NFSATTRBIT_TIMEACCESSSET); } if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_TIMEMODIFYSET) && NFSVNO_ISSETMTIME(nvap)) { nva.na_mtime = nvap->na_mtime; change++; NFSSETBIT_ATTRBIT(&nattrbits, NFSATTRBIT_TIMEMODIFYSET); } if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_OWNERGROUP) && NFSVNO_ISSETGID(nvap)) { - if (nvap->na_gid == nd->nd_cred->cr_gid || - groupmember(nvap->na_gid, nd->nd_cred)) { + if (groupmember(nvap->na_gid, nd->nd_cred)) { nd->nd_cred->cr_uid = 0; nva.na_gid = nvap->na_gid; change++; NFSSETBIT_ATTRBIT(&nattrbits, NFSATTRBIT_OWNERGROUP); } else { NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_OWNERGROUP); } } if (change) { error = nfsvno_setattr(vp, &nva, nd->nd_cred, p, exp); if (error) { NFSCLRALL_ATTRBIT(attrbitp, &nattrbits); } } if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_SIZE) && NFSVNO_ISSETSIZE(nvap) && nvap->na_size != (u_quad_t)0) { NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_SIZE); } #ifdef NFS4_ACL_EXTATTR_NAME if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_ACL) && nfsrv_useacl != 0 && aclp != NULL) { if (aclp->acl_cnt > 0) { error = nfsrv_setacl(vp, aclp, nd->nd_cred, p); if (error) { NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_ACL); } } } else #endif NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_ACL); nd->nd_cred->cr_uid = tuid; out: NFSEXITCODE2(0, nd); } /* * Translate an ASCII hex digit to it's binary value. Return -1 if the * char isn't a hex digit. */ static char nfsrv_hexdigit(char c, int *err) { *err = 0; if (c >= '0' && c <= '9') return (c - '0'); if (c >= 'a' && c <= 'f') return (c - 'a' + ((char)10)); if (c >= 'A' && c <= 'F') return (c - 'A' + ((char)10)); /* Not valid ! */ *err = 1; return (1); /* BOGUS */ } /* * Check to see if NFSERR_MOVED can be returned for this op. Return 1 iff * it can be. */ int nfsrv_errmoved(int op) { short *errp; errp = nfsrv_v4errmap[op]; while (*errp != 0) { if (*errp == NFSERR_MOVED) return (1); errp++; } return (0); } /* * Fill in attributes for a Referral. * (Return the number of bytes of XDR created.) */ int nfsrv_putreferralattr(struct nfsrv_descript *nd, nfsattrbit_t *retbitp, struct nfsreferral *refp, int getattr, int *reterrp) { u_int32_t *tl, *retnump; u_char *cp, *cp2; int prefixnum, retnum = 0, i, len, bitpos, rderrbit = 0, nonrefbit = 0; int fslocationsbit = 0; nfsattrbit_t tmpbits, refbits; NFSREFERRAL_ATTRBIT(&refbits); if (getattr) NFSCLRBIT_ATTRBIT(&refbits, NFSATTRBIT_RDATTRERROR); else if (NFSISSET_ATTRBIT(retbitp, NFSATTRBIT_RDATTRERROR)) rderrbit = 1; if (NFSISSET_ATTRBIT(retbitp, NFSATTRBIT_FSLOCATIONS)) fslocationsbit = 1; /* * Check for the case where unsupported referral attributes are * requested. */ NFSSET_ATTRBIT(&tmpbits, retbitp); NFSCLRALL_ATTRBIT(&tmpbits, &refbits); if (NFSNONZERO_ATTRBIT(&tmpbits)) nonrefbit = 1; if (nonrefbit && !fslocationsbit && (getattr || !rderrbit)) { *reterrp = NFSERR_MOVED; return (0); } /* * Now we can fill in the attributes. */ NFSSET_ATTRBIT(&tmpbits, retbitp); NFSCLRNOT_ATTRBIT(&tmpbits, &refbits); /* * Put out the attribute bitmap for the ones being filled in * and get the field for the number of attributes returned. */ prefixnum = nfsrv_putattrbit(nd, &tmpbits); NFSM_BUILD(retnump, u_int32_t *, NFSX_UNSIGNED); prefixnum += NFSX_UNSIGNED; /* * Now, loop around filling in the attributes for each bit set. */ for (bitpos = 0; bitpos < NFSATTRBIT_MAX; bitpos++) { if (NFSISSET_ATTRBIT(&tmpbits, bitpos)) { switch (bitpos) { case NFSATTRBIT_TYPE: NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED); *tl = txdr_unsigned(NFDIR); retnum += NFSX_UNSIGNED; break; case NFSATTRBIT_FSID: NFSM_BUILD(tl, u_int32_t *, NFSX_V4FSID); *tl++ = 0; *tl++ = txdr_unsigned(NFSV4ROOT_FSID0); *tl++ = 0; *tl = txdr_unsigned(NFSV4ROOT_REFERRAL); retnum += NFSX_V4FSID; break; case NFSATTRBIT_RDATTRERROR: NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED); if (nonrefbit) *tl = txdr_unsigned(NFSERR_MOVED); else *tl = 0; retnum += NFSX_UNSIGNED; break; case NFSATTRBIT_FSLOCATIONS: retnum += nfsm_strtom(nd, "/", 1); NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED); *tl = txdr_unsigned(refp->nfr_srvcnt); retnum += NFSX_UNSIGNED; cp = refp->nfr_srvlist; for (i = 0; i < refp->nfr_srvcnt; i++) { NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED); *tl = txdr_unsigned(1); retnum += NFSX_UNSIGNED; cp2 = STRCHR(cp, ':'); if (cp2 != NULL) len = cp2 - cp; else len = 1; retnum += nfsm_strtom(nd, cp, len); if (cp2 != NULL) cp = cp2 + 1; cp2 = STRCHR(cp, ','); if (cp2 != NULL) len = cp2 - cp; else len = strlen(cp); retnum += nfsm_strtom(nd, cp, len); if (cp2 != NULL) cp = cp2 + 1; } break; case NFSATTRBIT_MOUNTEDONFILEID: NFSM_BUILD(tl, u_int32_t *, NFSX_HYPER); txdr_hyper(refp->nfr_dfileno, tl); retnum += NFSX_HYPER; break; default: printf("EEK! Bad V4 refattr bitpos=%d\n", bitpos); } } } *retnump = txdr_unsigned(retnum); return (retnum + prefixnum); } /* * Parse a file name out of a request. */ int nfsrv_parsename(struct nfsrv_descript *nd, char *bufp, u_long *hashp, NFSPATHLEN_T *outlenp) { char *fromcp, *tocp, val = '\0'; struct mbuf *md; int i; int rem, len, error = 0, pubtype = 0, outlen = 0, percent = 0; char digit; u_int32_t *tl; u_long hash = 0; if (hashp != NULL) *hashp = 0; tocp = bufp; /* * For V4, check for lookup parent. * Otherwise, get the component name. */ if ((nd->nd_flag & ND_NFSV4) && (nd->nd_procnum == NFSV4OP_LOOKUPP || nd->nd_procnum == NFSV4OP_SECINFONONAME)) { *tocp++ = '.'; hash += ((u_char)'.'); *tocp++ = '.'; hash += ((u_char)'.'); outlen = 2; } else { /* * First, get the name length. */ NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); len = fxdr_unsigned(int, *tl); if (len > NFS_MAXNAMLEN) { nd->nd_repstat = NFSERR_NAMETOL; error = 0; goto nfsmout; } else if (len <= 0) { nd->nd_repstat = NFSERR_INVAL; error = 0; goto nfsmout; } /* * Now, copy the component name into the buffer. */ fromcp = nd->nd_dpos; md = nd->nd_md; rem = mtod(md, caddr_t) + md->m_len - fromcp; for (i = 0; i < len; i++) { while (rem == 0) { md = md->m_next; if (md == NULL) { error = EBADRPC; goto nfsmout; } fromcp = mtod(md, caddr_t); rem = md->m_len; } if (*fromcp == '\0') { nd->nd_repstat = EACCES; error = 0; goto nfsmout; } /* * For lookups on the public filehandle, do some special * processing on the name. (The public file handle is the * root of the public file system for this server.) */ if (nd->nd_flag & ND_PUBLOOKUP) { /* * If the first char is ASCII, it is a canonical * path, otherwise it is a native path. (RFC2054 * doesn't actually state what it is if the first * char isn't ASCII or 0x80, so I assume native.) * pubtype == 1 -> native path * pubtype == 2 -> canonical path */ if (i == 0) { if (*fromcp & 0x80) { /* * Since RFC2054 doesn't indicate * that a native path of just 0x80 * isn't allowed, I'll replace the * 0x80 with '/' instead of just * throwing it away. */ *fromcp = '/'; pubtype = 1; } else { pubtype = 2; } } /* * '/' only allowed in a native path */ if (*fromcp == '/' && pubtype != 1) { nd->nd_repstat = EACCES; error = 0; goto nfsmout; } /* * For the special case of 2 hex digits after a * '%' in an absolute path, calculate the value. * percent == 1 -> indicates "get first hex digit" * percent == 2 -> indicates "get second hex digit" */ if (percent > 0) { digit = nfsrv_hexdigit(*fromcp, &error); if (error) { nd->nd_repstat = EACCES; error = 0; goto nfsmout; } if (percent == 1) { val = (digit << 4); percent = 2; } else { val += digit; percent = 0; *tocp++ = val; hash += ((u_char)val); outlen++; } } else { if (*fromcp == '%' && pubtype == 2) { /* * Must be followed by 2 hex digits */ if ((len - i) < 3) { nd->nd_repstat = EACCES; error = 0; goto nfsmout; } percent = 1; } else { *tocp++ = *fromcp; hash += ((u_char)*fromcp); outlen++; } } } else { /* * Normal, non lookup on public, name. */ if (*fromcp == '/') { if (nd->nd_flag & ND_NFSV4) nd->nd_repstat = NFSERR_BADNAME; else nd->nd_repstat = EACCES; error = 0; goto nfsmout; } hash += ((u_char)*fromcp); *tocp++ = *fromcp; outlen++; } fromcp++; rem--; } nd->nd_md = md; nd->nd_dpos = fromcp; i = NFSM_RNDUP(len) - len; if (i > 0) { if (rem >= i) { nd->nd_dpos += i; } else { error = nfsm_advance(nd, i, rem); if (error) goto nfsmout; } } /* * For v4, don't allow lookups of '.' or '..' and * also check for non-utf8 strings. */ if (nd->nd_flag & ND_NFSV4) { if ((outlen == 1 && bufp[0] == '.') || (outlen == 2 && bufp[0] == '.' && bufp[1] == '.')) { nd->nd_repstat = NFSERR_BADNAME; error = 0; goto nfsmout; } if (enable_checkutf8 == 1 && nfsrv_checkutf8((u_int8_t *)bufp, outlen)) { nd->nd_repstat = NFSERR_INVAL; error = 0; goto nfsmout; } } } *tocp = '\0'; *outlenp = (size_t)outlen + 1; if (hashp != NULL) *hashp = hash; nfsmout: NFSEXITCODE2(error, nd); return (error); } void nfsd_init(void) { int i; /* * Initialize client queues. Don't free/reinitialize * them when nfsds are restarted. */ NFSD_VNET(nfsclienthash) = malloc(sizeof(struct nfsclienthashhead) * nfsrv_clienthashsize, M_NFSDCLIENT, M_WAITOK | M_ZERO); for (i = 0; i < nfsrv_clienthashsize; i++) LIST_INIT(&NFSD_VNET(nfsclienthash)[i]); NFSD_VNET(nfslockhash) = malloc(sizeof(struct nfslockhashhead) * nfsrv_lockhashsize, M_NFSDLOCKFILE, M_WAITOK | M_ZERO); for (i = 0; i < nfsrv_lockhashsize; i++) LIST_INIT(&NFSD_VNET(nfslockhash)[i]); NFSD_VNET(nfssessionhash) = malloc(sizeof(struct nfssessionhash) * nfsrv_sessionhashsize, M_NFSDSESSION, M_WAITOK | M_ZERO); for (i = 0; i < nfsrv_sessionhashsize; i++) { mtx_init(&NFSD_VNET(nfssessionhash)[i].mtx, "nfssm", NULL, MTX_DEF); LIST_INIT(&NFSD_VNET(nfssessionhash)[i].list); } LIST_INIT(&nfsrv_dontlisthead); TAILQ_INIT(&nfsrv_recalllisthead); /* and the v2 pubfh should be all zeros */ NFSBZERO(nfs_v2pubfh, NFSX_V2FH); } /* * Check the v4 root exports. * Return 0 if ok, 1 otherwise. */ int nfsd_checkrootexp(struct nfsrv_descript *nd) { if (NFSD_VNET(nfs_rootfhset) == 0) return (NFSERR_AUTHERR | AUTH_FAILED); /* * For NFSv4.1/4.2, if the client specifies SP4_NONE, then these * operations are allowed regardless of the value of the "sec=XXX" * field in the V4: exports line. * As such, these Kerberos checks only apply to NFSv4.0 mounts. */ if ((nd->nd_flag & ND_NFSV41) != 0) goto checktls; if ((nd->nd_flag & (ND_GSS | ND_EXAUTHSYS)) == ND_EXAUTHSYS) goto checktls; if ((nd->nd_flag & (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) == (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) goto checktls; if ((nd->nd_flag & (ND_GSSPRIVACY | ND_EXGSSPRIVACY)) == (ND_GSSPRIVACY | ND_EXGSSPRIVACY)) goto checktls; if ((nd->nd_flag & (ND_GSS | ND_GSSINTEGRITY | ND_GSSPRIVACY | ND_EXGSS)) == (ND_GSS | ND_EXGSS)) goto checktls; return (NFSERR_AUTHERR | AUTH_TOOWEAK); checktls: if ((nd->nd_flag & ND_EXTLS) == 0) return (0); if ((nd->nd_flag & (ND_TLSCERTUSER | ND_EXTLSCERTUSER)) == (ND_TLSCERTUSER | ND_EXTLSCERTUSER)) return (0); if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT | ND_EXTLSCERTUSER)) == (ND_TLSCERT | ND_EXTLSCERT)) return (0); if ((nd->nd_flag & (ND_TLS | ND_EXTLSCERTUSER | ND_EXTLSCERT)) == ND_TLS) return (0); #ifdef notnow /* There is currently no auth_stat for this. */ if ((nd->nd_flag & ND_TLS) == 0) return (NFSERR_AUTHERR | AUTH_NEEDS_TLS); return (NFSERR_AUTHERR | AUTH_NEEDS_TLS_MUTUAL_HOST); #endif return (NFSERR_AUTHERR | AUTH_TOOWEAK); } /* * Parse the first part of an NFSv4 compound to find out what the minor * version# is. */ void nfsd_getminorvers(struct nfsrv_descript *nd, u_char *tag, u_char **tagstrp, int *taglenp, u_int32_t *minversp) { uint32_t *tl; int error = 0, taglen = -1; u_char *tagstr = NULL; NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED); taglen = fxdr_unsigned(int, *tl); if (taglen < 0 || taglen > NFSV4_OPAQUELIMIT) { error = EBADRPC; goto nfsmout; } if (taglen <= NFSV4_SMALLSTR) tagstr = tag; else tagstr = malloc(taglen + 1, M_TEMP, M_WAITOK); error = nfsrv_mtostr(nd, tagstr, taglen); if (error != 0) goto nfsmout; NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED); *minversp = fxdr_unsigned(u_int32_t, *tl); *tagstrp = tagstr; if (*minversp == NFSV41_MINORVERSION) nd->nd_flag |= ND_NFSV41; else if (*minversp == NFSV42_MINORVERSION) nd->nd_flag |= (ND_NFSV41 | ND_NFSV42); nfsmout: if (error != 0) { if (tagstr != NULL && taglen > NFSV4_SMALLSTR) free(tagstr, M_TEMP); taglen = -1; } *taglenp = taglen; } diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 40cfa236a07d..95362ce8a310 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1,2523 +1,2530 @@ /*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 * The Regents of the University of California. * (c) UNIX System Laboratories, Inc. * Copyright (c) 2000-2001 Robert N. M. Watson. * All rights reserved. * * All or some portions of this file are derived from material licensed * to the University of California by American Telephone and Telegraph * Co. or Unix System Laboratories, Inc. and are reproduced herein with * the permission of UNIX System Laboratories, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * System calls related to processes and protection */ #include #include "opt_inet.h" #include "opt_inet6.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef COMPAT_43 #include #endif #include #include #include #include #include #include #include #include #include #include #ifdef REGRESSION FEATURE(regression, "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)"); #endif #include #include static MALLOC_DEFINE(M_CRED, "cred", "credentials"); SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, "BSD security policy"); static void crfree_final(struct ucred *cr); static void crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups); static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); #ifndef _SYS_SYSPROTO_H_ struct getpid_args { int dummy; }; #endif /* ARGSUSED */ int sys_getpid(struct thread *td, struct getpid_args *uap) { struct proc *p = td->td_proc; td->td_retval[0] = p->p_pid; #if defined(COMPAT_43) if (SV_PROC_FLAG(p, SV_AOUT)) td->td_retval[1] = kern_getppid(td); #endif return (0); } #ifndef _SYS_SYSPROTO_H_ struct getppid_args { int dummy; }; #endif /* ARGSUSED */ int sys_getppid(struct thread *td, struct getppid_args *uap) { td->td_retval[0] = kern_getppid(td); return (0); } int kern_getppid(struct thread *td) { struct proc *p = td->td_proc; return (p->p_oppid); } /* * Get process group ID; note that POSIX getpgrp takes no parameter. */ #ifndef _SYS_SYSPROTO_H_ struct getpgrp_args { int dummy; }; #endif int sys_getpgrp(struct thread *td, struct getpgrp_args *uap) { struct proc *p = td->td_proc; PROC_LOCK(p); td->td_retval[0] = p->p_pgrp->pg_id; PROC_UNLOCK(p); return (0); } /* Get an arbitrary pid's process group id */ #ifndef _SYS_SYSPROTO_H_ struct getpgid_args { pid_t pid; }; #endif int sys_getpgid(struct thread *td, struct getpgid_args *uap) { struct proc *p; int error; if (uap->pid == 0) { p = td->td_proc; PROC_LOCK(p); } else { p = pfind(uap->pid); if (p == NULL) return (ESRCH); error = p_cansee(td, p); if (error) { PROC_UNLOCK(p); return (error); } } td->td_retval[0] = p->p_pgrp->pg_id; PROC_UNLOCK(p); return (0); } /* * Get an arbitrary pid's session id. */ #ifndef _SYS_SYSPROTO_H_ struct getsid_args { pid_t pid; }; #endif int sys_getsid(struct thread *td, struct getsid_args *uap) { return (kern_getsid(td, uap->pid)); } int kern_getsid(struct thread *td, pid_t pid) { struct proc *p; int error; if (pid == 0) { p = td->td_proc; PROC_LOCK(p); } else { p = pfind(pid); if (p == NULL) return (ESRCH); error = p_cansee(td, p); if (error) { PROC_UNLOCK(p); return (error); } } td->td_retval[0] = p->p_session->s_sid; PROC_UNLOCK(p); return (0); } #ifndef _SYS_SYSPROTO_H_ struct getuid_args { int dummy; }; #endif /* ARGSUSED */ int sys_getuid(struct thread *td, struct getuid_args *uap) { td->td_retval[0] = td->td_ucred->cr_ruid; #if defined(COMPAT_43) td->td_retval[1] = td->td_ucred->cr_uid; #endif return (0); } #ifndef _SYS_SYSPROTO_H_ struct geteuid_args { int dummy; }; #endif /* ARGSUSED */ int sys_geteuid(struct thread *td, struct geteuid_args *uap) { td->td_retval[0] = td->td_ucred->cr_uid; return (0); } #ifndef _SYS_SYSPROTO_H_ struct getgid_args { int dummy; }; #endif /* ARGSUSED */ int sys_getgid(struct thread *td, struct getgid_args *uap) { td->td_retval[0] = td->td_ucred->cr_rgid; #if defined(COMPAT_43) td->td_retval[1] = td->td_ucred->cr_groups[0]; #endif return (0); } /* * Get effective group ID. The "egid" is groups[0], and could be obtained * via getgroups. This syscall exists because it is somewhat painful to do * correctly in a library function. */ #ifndef _SYS_SYSPROTO_H_ struct getegid_args { int dummy; }; #endif /* ARGSUSED */ int sys_getegid(struct thread *td, struct getegid_args *uap) { td->td_retval[0] = td->td_ucred->cr_groups[0]; return (0); } #ifndef _SYS_SYSPROTO_H_ struct getgroups_args { int gidsetsize; gid_t *gidset; }; #endif int sys_getgroups(struct thread *td, struct getgroups_args *uap) { struct ucred *cred; int ngrp, error; cred = td->td_ucred; ngrp = cred->cr_ngroups; if (uap->gidsetsize == 0) { error = 0; goto out; } if (uap->gidsetsize < ngrp) return (EINVAL); error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t)); out: td->td_retval[0] = ngrp; return (error); } #ifndef _SYS_SYSPROTO_H_ struct setsid_args { int dummy; }; #endif /* ARGSUSED */ int sys_setsid(struct thread *td, struct setsid_args *uap) { struct pgrp *pgrp; int error; struct proc *p = td->td_proc; struct pgrp *newpgrp; struct session *newsess; pgrp = NULL; newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); newsess = malloc(sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO); again: error = 0; sx_xlock(&proctree_lock); if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) { if (pgrp != NULL) PGRP_UNLOCK(pgrp); error = EPERM; } else { error = enterpgrp(p, p->p_pid, newpgrp, newsess); if (error == ERESTART) goto again; MPASS(error == 0); td->td_retval[0] = p->p_pid; newpgrp = NULL; newsess = NULL; } sx_xunlock(&proctree_lock); uma_zfree(pgrp_zone, newpgrp); free(newsess, M_SESSION); return (error); } /* * set process group (setpgid/old setpgrp) * * caller does setpgid(targpid, targpgid) * * pid must be caller or child of caller (ESRCH) * if a child * pid must be in same session (EPERM) * pid can't have done an exec (EACCES) * if pgid != pid * there must exist some pid in same session having pgid (EPERM) * pid must not be session leader (EPERM) */ #ifndef _SYS_SYSPROTO_H_ struct setpgid_args { int pid; /* target process id */ int pgid; /* target pgrp id */ }; #endif /* ARGSUSED */ int sys_setpgid(struct thread *td, struct setpgid_args *uap) { struct proc *curp = td->td_proc; struct proc *targp; /* target process */ struct pgrp *pgrp; /* target pgrp */ int error; struct pgrp *newpgrp; if (uap->pgid < 0) return (EINVAL); newpgrp = uma_zalloc(pgrp_zone, M_WAITOK); again: error = 0; sx_xlock(&proctree_lock); if (uap->pid != 0 && uap->pid != curp->p_pid) { if ((targp = pfind(uap->pid)) == NULL) { error = ESRCH; goto done; } if (!inferior(targp)) { PROC_UNLOCK(targp); error = ESRCH; goto done; } if ((error = p_cansee(td, targp))) { PROC_UNLOCK(targp); goto done; } if (targp->p_pgrp == NULL || targp->p_session != curp->p_session) { PROC_UNLOCK(targp); error = EPERM; goto done; } if (targp->p_flag & P_EXEC) { PROC_UNLOCK(targp); error = EACCES; goto done; } PROC_UNLOCK(targp); } else targp = curp; if (SESS_LEADER(targp)) { error = EPERM; goto done; } if (uap->pgid == 0) uap->pgid = targp->p_pid; if ((pgrp = pgfind(uap->pgid)) == NULL) { if (uap->pgid == targp->p_pid) { error = enterpgrp(targp, uap->pgid, newpgrp, NULL); if (error == 0) newpgrp = NULL; } else error = EPERM; } else { if (pgrp == targp->p_pgrp) { PGRP_UNLOCK(pgrp); goto done; } if (pgrp->pg_id != targp->p_pid && pgrp->pg_session != curp->p_session) { PGRP_UNLOCK(pgrp); error = EPERM; goto done; } PGRP_UNLOCK(pgrp); error = enterthispgrp(targp, pgrp); } done: KASSERT(error == 0 || newpgrp != NULL, ("setpgid failed and newpgrp is NULL")); if (error == ERESTART) goto again; sx_xunlock(&proctree_lock); uma_zfree(pgrp_zone, newpgrp); return (error); } /* * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD * compatible. It says that setting the uid/gid to euid/egid is a special * case of "appropriate privilege". Once the rules are expanded out, this * basically means that setuid(nnn) sets all three id's, in all permitted * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid()) * does not set the saved id - this is dangerous for traditional BSD * programs. For this reason, we *really* do not want to set * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2. */ #define POSIX_APPENDIX_B_4_2_2 #ifndef _SYS_SYSPROTO_H_ struct setuid_args { uid_t uid; }; #endif /* ARGSUSED */ int sys_setuid(struct thread *td, struct setuid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; uid_t uid; struct uidinfo *uip; int error; uid = uap->uid; AUDIT_ARG_UID(uid); newcred = crget(); uip = uifind(uid); PROC_LOCK(p); /* * Copy credentials so other references do not see our changes. */ oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setuid(oldcred, uid); if (error) goto fail; #endif /* * See if we have "permission" by POSIX 1003.1 rules. * * Note that setuid(geteuid()) is a special case of * "appropriate privileges" in appendix B.4.2.2. We need * to use this clause to be compatible with traditional BSD * semantics. Basically, it means that "setuid(xx)" sets all * three id's (assuming you have privs). * * Notes on the logic. We do things in three steps. * 1: We determine if the euid is going to change, and do EPERM * right away. We unconditionally change the euid later if this * test is satisfied, simplifying that part of the logic. * 2: We determine if the real and/or saved uids are going to * change. Determined by compile options. * 3: Change euid last. (after tests in #2 for "appropriate privs") */ if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */ #ifdef _POSIX_SAVED_IDS uid != oldcred->cr_svuid && /* allow setuid(saved gid) */ #endif #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ #endif (error = priv_check_cred(oldcred, PRIV_CRED_SETUID)) != 0) goto fail; #ifdef _POSIX_SAVED_IDS /* * Do we have "appropriate privileges" (are we root or uid == euid) * If so, we are changing the real uid and/or saved uid. */ if ( #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ uid == oldcred->cr_uid || #endif /* We are using privs. */ priv_check_cred(oldcred, PRIV_CRED_SETUID) == 0) #endif { /* * Set the real uid and transfer proc count to new user. */ if (uid != oldcred->cr_ruid) { change_ruid(newcred, uip); setsugid(p); } /* * Set saved uid * * XXX always set saved uid even if not _POSIX_SAVED_IDS, as * the security of seteuid() depends on it. B.4.2.2 says it * is important that we should do this. */ if (uid != oldcred->cr_svuid) { change_svuid(newcred, uid); setsugid(p); } } /* * In all permitted cases, we are changing the euid. */ if (uid != oldcred->cr_uid) { change_euid(newcred, uip); setsugid(p); } proc_set_cred(p, newcred); #ifdef RACCT racct_proc_ucred_changed(p, oldcred, newcred); crhold(newcred); #endif PROC_UNLOCK(p); #ifdef RCTL rctl_proc_ucred_changed(p, newcred); crfree(newcred); #endif uifree(uip); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); uifree(uip); crfree(newcred); return (error); } #ifndef _SYS_SYSPROTO_H_ struct seteuid_args { uid_t euid; }; #endif /* ARGSUSED */ int sys_seteuid(struct thread *td, struct seteuid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; uid_t euid; struct uidinfo *euip; int error; euid = uap->euid; AUDIT_ARG_EUID(euid); newcred = crget(); euip = uifind(euid); PROC_LOCK(p); /* * Copy credentials so other references do not see our changes. */ oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_seteuid(oldcred, euid); if (error) goto fail; #endif if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID)) != 0) goto fail; /* * Everything's okay, do it. */ if (oldcred->cr_uid != euid) { change_euid(newcred, euip); setsugid(p); } proc_set_cred(p, newcred); PROC_UNLOCK(p); uifree(euip); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); uifree(euip); crfree(newcred); return (error); } #ifndef _SYS_SYSPROTO_H_ struct setgid_args { gid_t gid; }; #endif /* ARGSUSED */ int sys_setgid(struct thread *td, struct setgid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; gid_t gid; int error; gid = uap->gid; AUDIT_ARG_GID(gid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setgid(oldcred, gid); if (error) goto fail; #endif /* * See if we have "permission" by POSIX 1003.1 rules. * * Note that setgid(getegid()) is a special case of * "appropriate privileges" in appendix B.4.2.2. We need * to use this clause to be compatible with traditional BSD * semantics. Basically, it means that "setgid(xx)" sets all * three id's (assuming you have privs). * * For notes on the logic here, see setuid() above. */ if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */ #ifdef _POSIX_SAVED_IDS gid != oldcred->cr_svgid && /* allow setgid(saved gid) */ #endif #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ #endif (error = priv_check_cred(oldcred, PRIV_CRED_SETGID)) != 0) goto fail; #ifdef _POSIX_SAVED_IDS /* * Do we have "appropriate privileges" (are we root or gid == egid) * If so, we are changing the real uid and saved gid. */ if ( #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ gid == oldcred->cr_groups[0] || #endif /* We are using privs. */ priv_check_cred(oldcred, PRIV_CRED_SETGID) == 0) #endif { /* * Set real gid */ if (oldcred->cr_rgid != gid) { change_rgid(newcred, gid); setsugid(p); } /* * Set saved gid * * XXX always set saved gid even if not _POSIX_SAVED_IDS, as * the security of setegid() depends on it. B.4.2.2 says it * is important that we should do this. */ if (oldcred->cr_svgid != gid) { change_svgid(newcred, gid); setsugid(p); } } /* * In all cases permitted cases, we are changing the egid. * Copy credentials so other references do not see our changes. */ if (oldcred->cr_groups[0] != gid) { change_egid(newcred, gid); setsugid(p); } proc_set_cred(p, newcred); PROC_UNLOCK(p); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); crfree(newcred); return (error); } #ifndef _SYS_SYSPROTO_H_ struct setegid_args { gid_t egid; }; #endif /* ARGSUSED */ int sys_setegid(struct thread *td, struct setegid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; gid_t egid; int error; egid = uap->egid; AUDIT_ARG_EGID(egid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setegid(oldcred, egid); if (error) goto fail; #endif if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID)) != 0) goto fail; if (oldcred->cr_groups[0] != egid) { change_egid(newcred, egid); setsugid(p); } proc_set_cred(p, newcred); PROC_UNLOCK(p); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); crfree(newcred); return (error); } #ifndef _SYS_SYSPROTO_H_ struct setgroups_args { int gidsetsize; gid_t *gidset; }; #endif /* ARGSUSED */ int sys_setgroups(struct thread *td, struct setgroups_args *uap) { gid_t smallgroups[XU_NGROUPS]; gid_t *groups; int gidsetsize, error; gidsetsize = uap->gidsetsize; if (gidsetsize > ngroups_max + 1 || gidsetsize < 0) return (EINVAL); if (gidsetsize > XU_NGROUPS) groups = malloc(gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); else groups = smallgroups; error = copyin(uap->gidset, groups, gidsetsize * sizeof(gid_t)); if (error == 0) error = kern_setgroups(td, gidsetsize, groups); if (gidsetsize > XU_NGROUPS) free(groups, M_TEMP); return (error); } int kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; int error; MPASS(ngrp <= ngroups_max + 1); AUDIT_ARG_GROUPSET(groups, ngrp); newcred = crget(); crextend(newcred, ngrp); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setgroups(oldcred, ngrp, groups); if (error) goto fail; #endif error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS); if (error) goto fail; if (ngrp == 0) { /* * setgroups(0, NULL) is a legitimate way of clearing the * groups vector on non-BSD systems (which generally do not * have the egid in the groups[0]). We risk security holes * when running non-BSD software if we do not do the same. */ newcred->cr_ngroups = 1; } else { crsetgroups_locked(newcred, ngrp, groups); } setsugid(p); proc_set_cred(p, newcred); PROC_UNLOCK(p); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); crfree(newcred); return (error); } #ifndef _SYS_SYSPROTO_H_ struct setreuid_args { uid_t ruid; uid_t euid; }; #endif /* ARGSUSED */ int sys_setreuid(struct thread *td, struct setreuid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; uid_t euid, ruid; struct uidinfo *euip, *ruip; int error; euid = uap->euid; ruid = uap->ruid; AUDIT_ARG_EUID(euid); AUDIT_ARG_RUID(ruid); newcred = crget(); euip = uifind(euid); ruip = uifind(ruid); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setreuid(oldcred, ruid, euid); if (error) goto fail; #endif if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && ruid != oldcred->cr_svuid) || (euid != (uid_t)-1 && euid != oldcred->cr_uid && euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID)) != 0) goto fail; if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { change_euid(newcred, euip); setsugid(p); } if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { change_ruid(newcred, ruip); setsugid(p); } if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) && newcred->cr_svuid != newcred->cr_uid) { change_svuid(newcred, newcred->cr_uid); setsugid(p); } proc_set_cred(p, newcred); #ifdef RACCT racct_proc_ucred_changed(p, oldcred, newcred); crhold(newcred); #endif PROC_UNLOCK(p); #ifdef RCTL rctl_proc_ucred_changed(p, newcred); crfree(newcred); #endif uifree(ruip); uifree(euip); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); uifree(ruip); uifree(euip); crfree(newcred); return (error); } #ifndef _SYS_SYSPROTO_H_ struct setregid_args { gid_t rgid; gid_t egid; }; #endif /* ARGSUSED */ int sys_setregid(struct thread *td, struct setregid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; gid_t egid, rgid; int error; egid = uap->egid; rgid = uap->rgid; AUDIT_ARG_EGID(egid); AUDIT_ARG_RGID(rgid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setregid(oldcred, rgid, egid); if (error) goto fail; #endif if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && rgid != oldcred->cr_svgid) || (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID)) != 0) goto fail; if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { change_egid(newcred, egid); setsugid(p); } if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { change_rgid(newcred, rgid); setsugid(p); } if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) && newcred->cr_svgid != newcred->cr_groups[0]) { change_svgid(newcred, newcred->cr_groups[0]); setsugid(p); } proc_set_cred(p, newcred); PROC_UNLOCK(p); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); crfree(newcred); return (error); } /* * setresuid(ruid, euid, suid) is like setreuid except control over the saved * uid is explicit. */ #ifndef _SYS_SYSPROTO_H_ struct setresuid_args { uid_t ruid; uid_t euid; uid_t suid; }; #endif /* ARGSUSED */ int sys_setresuid(struct thread *td, struct setresuid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; uid_t euid, ruid, suid; struct uidinfo *euip, *ruip; int error; euid = uap->euid; ruid = uap->ruid; suid = uap->suid; AUDIT_ARG_EUID(euid); AUDIT_ARG_RUID(ruid); AUDIT_ARG_SUID(suid); newcred = crget(); euip = uifind(euid); ruip = uifind(ruid); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); if (error) goto fail; #endif if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && ruid != oldcred->cr_svuid && ruid != oldcred->cr_uid) || (euid != (uid_t)-1 && euid != oldcred->cr_ruid && euid != oldcred->cr_svuid && euid != oldcred->cr_uid) || (suid != (uid_t)-1 && suid != oldcred->cr_ruid && suid != oldcred->cr_svuid && suid != oldcred->cr_uid)) && (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID)) != 0) goto fail; if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { change_euid(newcred, euip); setsugid(p); } if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) { change_ruid(newcred, ruip); setsugid(p); } if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) { change_svuid(newcred, suid); setsugid(p); } proc_set_cred(p, newcred); #ifdef RACCT racct_proc_ucred_changed(p, oldcred, newcred); crhold(newcred); #endif PROC_UNLOCK(p); #ifdef RCTL rctl_proc_ucred_changed(p, newcred); crfree(newcred); #endif uifree(ruip); uifree(euip); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); uifree(ruip); uifree(euip); crfree(newcred); return (error); } /* * setresgid(rgid, egid, sgid) is like setregid except control over the saved * gid is explicit. */ #ifndef _SYS_SYSPROTO_H_ struct setresgid_args { gid_t rgid; gid_t egid; gid_t sgid; }; #endif /* ARGSUSED */ int sys_setresgid(struct thread *td, struct setresgid_args *uap) { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; gid_t egid, rgid, sgid; int error; egid = uap->egid; rgid = uap->rgid; sgid = uap->sgid; AUDIT_ARG_EGID(egid); AUDIT_ARG_RGID(rgid); AUDIT_ARG_SGID(sgid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); #ifdef MAC error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); if (error) goto fail; #endif if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && rgid != oldcred->cr_svgid && rgid != oldcred->cr_groups[0]) || (egid != (gid_t)-1 && egid != oldcred->cr_rgid && egid != oldcred->cr_svgid && egid != oldcred->cr_groups[0]) || (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && sgid != oldcred->cr_svgid && sgid != oldcred->cr_groups[0])) && (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID)) != 0) goto fail; if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { change_egid(newcred, egid); setsugid(p); } if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) { change_rgid(newcred, rgid); setsugid(p); } if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) { change_svgid(newcred, sgid); setsugid(p); } proc_set_cred(p, newcred); PROC_UNLOCK(p); crfree(oldcred); return (0); fail: PROC_UNLOCK(p); crfree(newcred); return (error); } #ifndef _SYS_SYSPROTO_H_ struct getresuid_args { uid_t *ruid; uid_t *euid; uid_t *suid; }; #endif /* ARGSUSED */ int sys_getresuid(struct thread *td, struct getresuid_args *uap) { struct ucred *cred; int error1 = 0, error2 = 0, error3 = 0; cred = td->td_ucred; if (uap->ruid) error1 = copyout(&cred->cr_ruid, uap->ruid, sizeof(cred->cr_ruid)); if (uap->euid) error2 = copyout(&cred->cr_uid, uap->euid, sizeof(cred->cr_uid)); if (uap->suid) error3 = copyout(&cred->cr_svuid, uap->suid, sizeof(cred->cr_svuid)); return (error1 ? error1 : error2 ? error2 : error3); } #ifndef _SYS_SYSPROTO_H_ struct getresgid_args { gid_t *rgid; gid_t *egid; gid_t *sgid; }; #endif /* ARGSUSED */ int sys_getresgid(struct thread *td, struct getresgid_args *uap) { struct ucred *cred; int error1 = 0, error2 = 0, error3 = 0; cred = td->td_ucred; if (uap->rgid) error1 = copyout(&cred->cr_rgid, uap->rgid, sizeof(cred->cr_rgid)); if (uap->egid) error2 = copyout(&cred->cr_groups[0], uap->egid, sizeof(cred->cr_groups[0])); if (uap->sgid) error3 = copyout(&cred->cr_svgid, uap->sgid, sizeof(cred->cr_svgid)); return (error1 ? error1 : error2 ? error2 : error3); } #ifndef _SYS_SYSPROTO_H_ struct issetugid_args { int dummy; }; #endif /* ARGSUSED */ int sys_issetugid(struct thread *td, struct issetugid_args *uap) { struct proc *p = td->td_proc; /* * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, * we use P_SUGID because we consider changing the owners as * "tainting" as well. * This is significant for procs that start as root and "become" * a user without an exec - programs cannot know *everything* * that libc *might* have put in their data segment. */ td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0; return (0); } int sys___setugid(struct thread *td, struct __setugid_args *uap) { #ifdef REGRESSION struct proc *p; p = td->td_proc; switch (uap->flag) { case 0: PROC_LOCK(p); p->p_flag &= ~P_SUGID; PROC_UNLOCK(p); return (0); case 1: PROC_LOCK(p); p->p_flag |= P_SUGID; PROC_UNLOCK(p); return (0); default: return (EINVAL); } #else /* !REGRESSION */ return (ENOSYS); #endif /* REGRESSION */ } /* * Returns whether gid designates a supplementary group in cred. */ static bool supplementary_group_member(gid_t gid, struct ucred *cred) { int l, h, m; /* * Perform a binary search of the supplemental groups. This is possible * because we sort the groups in crsetgroups(). */ l = 1; h = cred->cr_ngroups; while (l < h) { m = l + (h - l) / 2; if (cred->cr_groups[m] < gid) l = m + 1; else h = m; } return (l < cred->cr_ngroups && cred->cr_groups[l] == gid); } /* * Check if gid is a member of the (effective) group set (i.e., effective and * supplementary groups). */ bool groupmember(gid_t gid, struct ucred *cred) { + /* + * The nfsd server can use a credential with zero groups in it + * when certain mapped export credentials are specified via exports(5). + */ + if (cred->cr_ngroups == 0) + return (false); + if (gid == cred->cr_groups[0]) return (true); return (supplementary_group_member(gid, cred)); } /* * Check if gid is a member of the real group set (i.e., real and supplementary * groups). */ bool realgroupmember(gid_t gid, struct ucred *cred) { if (gid == cred->cr_rgid) return (true); return (supplementary_group_member(gid, cred)); } /* * Test the active securelevel against a given level. securelevel_gt() * implements (securelevel > level). securelevel_ge() implements * (securelevel >= level). Note that the logic is inverted -- these * functions return EPERM on "success" and 0 on "failure". * * Due to care taken when setting the securelevel, we know that no jail will * be less secure that its parent (or the physical system), so it is sufficient * to test the current jail only. * * XXXRW: Possibly since this has to do with privilege, it should move to * kern_priv.c. */ int securelevel_gt(struct ucred *cr, int level) { return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); } int securelevel_ge(struct ucred *cr, int level) { return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); } /* * 'see_other_uids' determines whether or not visibility of processes * and sockets with credentials holding different real uids is possible * using a variety of system MIBs. * XXX: data declarations should be together near the beginning of the file. */ static int see_other_uids = 1; SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, &see_other_uids, 0, "Unprivileged processes may see subjects/objects with different real uid"); /*- * Determine if u1 "can see" the subject specified by u2, according to the * 'see_other_uids' policy. * Returns: 0 for permitted, ESRCH otherwise * Locks: none * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2) { if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { if (priv_check_cred(u1, PRIV_SEEOTHERUIDS) != 0) return (ESRCH); } return (0); } /* * 'see_other_gids' determines whether or not visibility of processes * and sockets with credentials holding different real gids is possible * using a variety of system MIBs. * XXX: data declarations should be together near the beginning of the file. */ static int see_other_gids = 1; SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, &see_other_gids, 0, "Unprivileged processes may see subjects/objects with different real gid"); /* * Determine if u1 can "see" the subject specified by u2, according to the * 'see_other_gids' policy. * Returns: 0 for permitted, ESRCH otherwise * Locks: none * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ static int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { if (!see_other_gids) { if (realgroupmember(u1->cr_rgid, u2)) return (0); for (int i = 1; i < u1->cr_ngroups; i++) if (realgroupmember(u1->cr_groups[i], u2)) return (0); if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) return (ESRCH); } return (0); } /* * 'see_jail_proc' determines whether or not visibility of processes and * sockets with credentials holding different jail ids is possible using a * variety of system MIBs. * * XXX: data declarations should be together near the beginning of the file. */ static int see_jail_proc = 1; SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, &see_jail_proc, 0, "Unprivileged processes may see subjects/objects with different jail ids"); /*- * Determine if u1 "can see" the subject specified by u2, according to the * 'see_jail_proc' policy. * Returns: 0 for permitted, ESRCH otherwise * Locks: none * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ static int cr_canseejailproc(struct ucred *u1, struct ucred *u2) { if (see_jail_proc || /* Policy deactivated. */ u1->cr_prison == u2->cr_prison || /* Same jail. */ priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ return (0); return (ESRCH); } /* * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* * policies. Determines if u1 "can see" u2 according to these policies. * Returns: 0 for permitted, ESRCH otherwise */ int cr_bsd_visible(struct ucred *u1, struct ucred *u2) { int error; error = cr_canseeotheruids(u1, u2); if (error != 0) return (error); error = cr_canseeothergids(u1, u2); if (error != 0) return (error); error = cr_canseejailproc(u1, u2); if (error != 0) return (error); return (0); } /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise * Locks: none * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ int cr_cansee(struct ucred *u1, struct ucred *u2) { int error; if ((error = prison_check(u1, u2))) return (error); #ifdef MAC if ((error = mac_cred_check_visible(u1, u2))) return (error); #endif if ((error = cr_bsd_visible(u1, u2))) return (error); return (0); } /*- * Determine if td "can see" the subject specified by p. * Returns: 0 for permitted, an errno value otherwise * Locks: Sufficient locks to protect p->p_ucred must be held. td really * should be curthread. * References: td and p must be valid for the lifetime of the call */ int p_cansee(struct thread *td, struct proc *p) { /* Wrap cr_cansee() for all functionality. */ KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); if (td->td_proc == p) return (0); return (cr_cansee(td->td_ucred, p->p_ucred)); } /* * 'conservative_signals' prevents the delivery of a broad class of * signals by unprivileged processes to processes that have changed their * credentials since the last invocation of execve(). This can prevent * the leakage of cached information or retained privileges as a result * of a common class of signal-related vulnerabilities. However, this * may interfere with some applications that expect to be able to * deliver these signals to peer processes after having given up * privilege. */ static int conservative_signals = 1; SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW, &conservative_signals, 0, "Unprivileged processes prevented from " "sending certain signals to processes whose credentials have changed"); /*- * Determine whether cred may deliver the specified signal to proc. * Returns: 0 for permitted, an errno value otherwise. * Locks: A lock must be held for proc. * References: cred and proc must be valid for the lifetime of the call. */ int cr_cansignal(struct ucred *cred, struct proc *proc, int signum) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); /* * Jail semantics limit the scope of signalling to proc in the * same jail as cred, if cred is in jail. */ error = prison_check(cred, proc->p_ucred); if (error) return (error); #ifdef MAC if ((error = mac_proc_check_signal(cred, proc, signum))) return (error); #endif if ((error = cr_bsd_visible(cred, proc->p_ucred))) return (error); /* * UNIX signal semantics depend on the status of the P_SUGID * bit on the target process. If the bit is set, then additional * restrictions are placed on the set of available signals. */ if (conservative_signals && (proc->p_flag & P_SUGID)) { switch (signum) { case 0: case SIGKILL: case SIGINT: case SIGTERM: case SIGALRM: case SIGSTOP: case SIGTTIN: case SIGTTOU: case SIGTSTP: case SIGHUP: case SIGUSR1: case SIGUSR2: /* * Generally, permit job and terminal control * signals. */ break; default: /* Not permitted without privilege. */ error = priv_check_cred(cred, PRIV_SIGNAL_SUGID); if (error) return (error); } } /* * Generally, the target credential's ruid or svuid must match the * subject credential's ruid or euid. */ if (cred->cr_ruid != proc->p_ucred->cr_ruid && cred->cr_ruid != proc->p_ucred->cr_svuid && cred->cr_uid != proc->p_ucred->cr_ruid && cred->cr_uid != proc->p_ucred->cr_svuid) { error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED); if (error) return (error); } return (0); } /*- * Determine whether td may deliver the specified signal to p. * Returns: 0 for permitted, an errno value otherwise * Locks: Sufficient locks to protect various components of td and p * must be held. td must be curthread, and a lock must be * held for p. * References: td and p must be valid for the lifetime of the call */ int p_cansignal(struct thread *td, struct proc *p, int signum) { KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); if (td->td_proc == p) return (0); /* * UNIX signalling semantics require that processes in the same * session always be able to deliver SIGCONT to one another, * overriding the remaining protections. */ /* XXX: This will require an additional lock of some sort. */ if (signum == SIGCONT && td->td_proc->p_session == p->p_session) return (0); /* * Some compat layers use SIGTHR and higher signals for * communication between different kernel threads of the same * process, so that they expect that it's always possible to * deliver them, even for suid applications where cr_cansignal() can * deny such ability for security consideration. It should be * pretty safe to do since the only way to create two processes * with the same p_leader is via rfork(2). */ if (td->td_proc->p_leader != NULL && signum >= SIGTHR && signum < SIGTHR + 4 && td->td_proc->p_leader == p->p_leader) return (0); return (cr_cansignal(td->td_ucred, p, signum)); } /*- * Determine whether td may reschedule p. * Returns: 0 for permitted, an errno value otherwise * Locks: Sufficient locks to protect various components of td and p * must be held. td must be curthread, and a lock must * be held for p. * References: td and p must be valid for the lifetime of the call */ int p_cansched(struct thread *td, struct proc *p) { int error; KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); if (td->td_proc == p) return (0); if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC if ((error = mac_proc_check_sched(td->td_ucred, p))) return (error); #endif if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { error = priv_check(td, PRIV_SCHED_DIFFCRED); if (error) return (error); } return (0); } /* * Handle getting or setting the prison's unprivileged_proc_debug * value. */ static int sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) { int error, val; val = prison_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG); error = sysctl_handle_int(oidp, &val, 0, req); if (error != 0 || req->newptr == NULL) return (error); if (val != 0 && val != 1) return (EINVAL); prison_set_allow(req->td->td_ucred, PR_ALLOW_UNPRIV_DEBUG, val); return (0); } /* * The 'unprivileged_proc_debug' flag may be used to disable a variety of * unprivileged inter-process debugging services, including some procfs * functionality, ptrace(), and ktrace(). In the past, inter-process * debugging has been involved in a variety of security problems, and sites * not requiring the service might choose to disable it when hardening * systems. */ SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_PRISON | CTLFLAG_SECURE | CTLFLAG_MPSAFE, 0, 0, sysctl_unprivileged_proc_debug, "I", "Unprivileged processes may use process debugging facilities"); /*- * Determine whether td may debug p. * Returns: 0 for permitted, an errno value otherwise * Locks: Sufficient locks to protect various components of td and p * must be held. td must be curthread, and a lock must * be held for p. * References: td and p must be valid for the lifetime of the call */ int p_candebug(struct thread *td, struct proc *p) { int error, grpsubset, i, uidsubset; KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); if (td->td_proc == p) return (0); if ((error = priv_check(td, PRIV_DEBUG_UNPRIV))) return (error); if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC if ((error = mac_proc_check_debug(td->td_ucred, p))) return (error); #endif if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); /* * Is p's group set a subset of td's effective group set? This * includes p's egid, group access list, rgid, and svgid. */ grpsubset = 1; for (i = 0; i < p->p_ucred->cr_ngroups; i++) { if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) { grpsubset = 0; break; } } grpsubset = grpsubset && groupmember(p->p_ucred->cr_rgid, td->td_ucred) && groupmember(p->p_ucred->cr_svgid, td->td_ucred); /* * Are the uids present in p's credential equal to td's * effective uid? This includes p's euid, svuid, and ruid. */ uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid && td->td_ucred->cr_uid == p->p_ucred->cr_svuid && td->td_ucred->cr_uid == p->p_ucred->cr_ruid); /* * If p's gids aren't a subset, or the uids aren't a subset, * or the credential has changed, require appropriate privilege * for td to debug p. */ if (!grpsubset || !uidsubset) { error = priv_check(td, PRIV_DEBUG_DIFFCRED); if (error) return (error); } /* * Has the credential of the process changed since the last exec()? */ if ((p->p_flag & P_SUGID) != 0) { error = priv_check(td, PRIV_DEBUG_SUGID); if (error) return (error); } /* Can't trace init when securelevel > 0. */ if (p == initproc) { error = securelevel_gt(td->td_ucred, 0); if (error) return (error); } /* * Can't trace a process that's currently exec'ing. * * XXX: Note, this is not a security policy decision, it's a * basic correctness/functionality decision. Therefore, this check * should be moved to the caller's of p_candebug(). */ if ((p->p_flag & P_INEXEC) != 0) return (EBUSY); /* Denied explicitly */ if ((p->p_flag2 & P2_NOTRACE) != 0) { error = priv_check(td, PRIV_DEBUG_DENIED); if (error != 0) return (error); } return (0); } /*- * Determine whether the subject represented by cred can "see" a socket. * Returns: 0 for permitted, ENOENT otherwise. */ int cr_canseesocket(struct ucred *cred, struct socket *so) { int error; error = prison_check(cred, so->so_cred); if (error) return (ENOENT); #ifdef MAC error = mac_socket_check_visible(cred, so); if (error) return (error); #endif if (cr_bsd_visible(cred, so->so_cred)) return (ENOENT); return (0); } /*- * Determine whether td can wait for the exit of p. * Returns: 0 for permitted, an errno value otherwise * Locks: Sufficient locks to protect various components of td and p * must be held. td must be curthread, and a lock must * be held for p. * References: td and p must be valid for the lifetime of the call */ int p_canwait(struct thread *td, struct proc *p) { int error; KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC if ((error = mac_proc_check_wait(td->td_ucred, p))) return (error); #endif #if 0 /* XXXMAC: This could have odd effects on some shells. */ if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); #endif return (0); } /* * Credential management. * * struct ucred objects are rarely allocated but gain and lose references all * the time (e.g., on struct file alloc/dealloc) turning refcount updates into * a significant source of cache-line ping ponging. Common cases are worked * around by modifying thread-local counter instead if the cred to operate on * matches td_realucred. * * The counter is split into 2 parts: * - cr_users -- total count of all struct proc and struct thread objects * which have given cred in p_ucred and td_ucred respectively * - cr_ref -- the actual ref count, only valid if cr_users == 0 * * If users == 0 then cr_ref behaves similarly to refcount(9), in particular if * the count reaches 0 the object is freeable. * If users > 0 and curthread->td_realucred == cred, then updates are performed * against td_ucredref. * In other cases updates are performed against cr_ref. * * Changing td_realucred into something else decrements cr_users and transfers * accumulated updates. */ struct ucred * crcowget(struct ucred *cr) { mtx_lock(&cr->cr_mtx); KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", __func__, cr->cr_users, cr)); cr->cr_users++; cr->cr_ref++; mtx_unlock(&cr->cr_mtx); return (cr); } static struct ucred * crunuse(struct thread *td) { struct ucred *cr, *crold; MPASS(td->td_realucred == td->td_ucred); cr = td->td_realucred; mtx_lock(&cr->cr_mtx); cr->cr_ref += td->td_ucredref; td->td_ucredref = 0; KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", __func__, cr->cr_users, cr)); cr->cr_users--; if (cr->cr_users == 0) { KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", __func__, cr->cr_ref, cr)); crold = cr; } else { cr->cr_ref--; crold = NULL; } mtx_unlock(&cr->cr_mtx); td->td_realucred = NULL; return (crold); } static void crunusebatch(struct ucred *cr, int users, int ref) { KASSERT(users > 0, ("%s: passed users %d not > 0 ; cred %p", __func__, users, cr)); mtx_lock(&cr->cr_mtx); KASSERT(cr->cr_users >= users, ("%s: users %d not > %d on cred %p", __func__, cr->cr_users, users, cr)); cr->cr_users -= users; cr->cr_ref += ref; cr->cr_ref -= users; if (cr->cr_users > 0) { mtx_unlock(&cr->cr_mtx); return; } KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", __func__, cr->cr_ref, cr)); if (cr->cr_ref > 0) { mtx_unlock(&cr->cr_mtx); return; } crfree_final(cr); } void crcowfree(struct thread *td) { struct ucred *cr; cr = crunuse(td); if (cr != NULL) crfree(cr); } struct ucred * crcowsync(void) { struct thread *td; struct proc *p; struct ucred *crnew, *crold; td = curthread; p = td->td_proc; PROC_LOCK_ASSERT(p, MA_OWNED); MPASS(td->td_realucred == td->td_ucred); if (td->td_realucred == p->p_ucred) return (NULL); crnew = crcowget(p->p_ucred); crold = crunuse(td); td->td_realucred = crnew; td->td_ucred = td->td_realucred; return (crold); } /* * Batching. */ void credbatch_add(struct credbatch *crb, struct thread *td) { struct ucred *cr; MPASS(td->td_realucred != NULL); MPASS(td->td_realucred == td->td_ucred); MPASS(TD_GET_STATE(td) == TDS_INACTIVE); cr = td->td_realucred; KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", __func__, cr->cr_users, cr)); if (crb->cred != cr) { if (crb->users > 0) { MPASS(crb->cred != NULL); crunusebatch(crb->cred, crb->users, crb->ref); crb->users = 0; crb->ref = 0; } } crb->cred = cr; crb->users++; crb->ref += td->td_ucredref; td->td_ucredref = 0; td->td_realucred = NULL; } void credbatch_final(struct credbatch *crb) { MPASS(crb->cred != NULL); MPASS(crb->users > 0); crunusebatch(crb->cred, crb->users, crb->ref); } /* * Allocate a zeroed cred structure. */ struct ucred * crget(void) { struct ucred *cr; cr = malloc(sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); mtx_init(&cr->cr_mtx, "cred", NULL, MTX_DEF); cr->cr_ref = 1; #ifdef AUDIT audit_cred_init(cr); #endif #ifdef MAC mac_cred_init(cr); #endif cr->cr_groups = cr->cr_smallgroups; cr->cr_agroups = sizeof(cr->cr_smallgroups) / sizeof(cr->cr_smallgroups[0]); return (cr); } /* * Claim another reference to a ucred structure. */ struct ucred * crhold(struct ucred *cr) { struct thread *td; td = curthread; if (__predict_true(td->td_realucred == cr)) { KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", __func__, cr->cr_users, cr)); td->td_ucredref++; return (cr); } mtx_lock(&cr->cr_mtx); cr->cr_ref++; mtx_unlock(&cr->cr_mtx); return (cr); } /* * Free a cred structure. Throws away space when ref count gets to 0. */ void crfree(struct ucred *cr) { struct thread *td; td = curthread; if (__predict_true(td->td_realucred == cr)) { KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", __func__, cr->cr_users, cr)); td->td_ucredref--; return; } mtx_lock(&cr->cr_mtx); KASSERT(cr->cr_users >= 0, ("%s: users %d not >= 0 on cred %p", __func__, cr->cr_users, cr)); cr->cr_ref--; if (cr->cr_users > 0) { mtx_unlock(&cr->cr_mtx); return; } KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p", __func__, cr->cr_ref, cr)); if (cr->cr_ref > 0) { mtx_unlock(&cr->cr_mtx); return; } crfree_final(cr); } static void crfree_final(struct ucred *cr) { KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p", __func__, cr->cr_users, cr)); KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p", __func__, cr->cr_ref, cr)); /* * Some callers of crget(), such as nfs_statfs(), allocate a temporary * credential, but don't allocate a uidinfo structure. */ if (cr->cr_uidinfo != NULL) uifree(cr->cr_uidinfo); if (cr->cr_ruidinfo != NULL) uifree(cr->cr_ruidinfo); if (cr->cr_prison != NULL) prison_free(cr->cr_prison); if (cr->cr_loginclass != NULL) loginclass_free(cr->cr_loginclass); #ifdef AUDIT audit_cred_destroy(cr); #endif #ifdef MAC mac_cred_destroy(cr); #endif mtx_destroy(&cr->cr_mtx); if (cr->cr_groups != cr->cr_smallgroups) free(cr->cr_groups, M_CRED); free(cr, M_CRED); } /* * Copy a ucred's contents from a template. Does not block. */ void crcopy(struct ucred *dest, struct ucred *src) { KASSERT(dest->cr_ref == 1, ("crcopy of shared ucred")); bcopy(&src->cr_startcopy, &dest->cr_startcopy, (unsigned)((caddr_t)&src->cr_endcopy - (caddr_t)&src->cr_startcopy)); dest->cr_flags = src->cr_flags; crsetgroups(dest, src->cr_ngroups, src->cr_groups); uihold(dest->cr_uidinfo); uihold(dest->cr_ruidinfo); prison_hold(dest->cr_prison); loginclass_hold(dest->cr_loginclass); #ifdef AUDIT audit_cred_copy(src, dest); #endif #ifdef MAC mac_cred_copy(src, dest); #endif } /* * Dup cred struct to a new held one. */ struct ucred * crdup(struct ucred *cr) { struct ucred *newcr; newcr = crget(); crcopy(newcr, cr); return (newcr); } /* * Fill in a struct xucred based on a struct ucred. */ void cru2x(struct ucred *cr, struct xucred *xcr) { int ngroups; bzero(xcr, sizeof(*xcr)); xcr->cr_version = XUCRED_VERSION; xcr->cr_uid = cr->cr_uid; ngroups = MIN(cr->cr_ngroups, XU_NGROUPS); xcr->cr_ngroups = ngroups; bcopy(cr->cr_groups, xcr->cr_groups, ngroups * sizeof(*cr->cr_groups)); } void cru2xt(struct thread *td, struct xucred *xcr) { cru2x(td->td_ucred, xcr); xcr->cr_pid = td->td_proc->p_pid; } /* * Change process credentials. * Callers are responsible for providing the reference for passed credentials * and for freeing old ones. * * Process has to be locked except when it does not have credentials (as it * should not be visible just yet) or when newcred is NULL (as this can be * only used when the process is about to be freed, at which point it should * not be visible anymore). */ void proc_set_cred(struct proc *p, struct ucred *newcred) { struct ucred *cr; cr = p->p_ucred; MPASS(cr != NULL); PROC_LOCK_ASSERT(p, MA_OWNED); KASSERT(newcred->cr_users == 0, ("%s: users %d not 0 on cred %p", __func__, newcred->cr_users, newcred)); mtx_lock(&cr->cr_mtx); KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", __func__, cr->cr_users, cr)); cr->cr_users--; mtx_unlock(&cr->cr_mtx); p->p_ucred = newcred; newcred->cr_users = 1; PROC_UPDATE_COW(p); } void proc_unset_cred(struct proc *p) { struct ucred *cr; MPASS(p->p_state == PRS_ZOMBIE || p->p_state == PRS_NEW); cr = p->p_ucred; p->p_ucred = NULL; KASSERT(cr->cr_users > 0, ("%s: users %d not > 0 on cred %p", __func__, cr->cr_users, cr)); mtx_lock(&cr->cr_mtx); cr->cr_users--; if (cr->cr_users == 0) KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p", __func__, cr->cr_ref, cr)); mtx_unlock(&cr->cr_mtx); crfree(cr); } struct ucred * crcopysafe(struct proc *p, struct ucred *cr) { struct ucred *oldcred; int groups; PROC_LOCK_ASSERT(p, MA_OWNED); oldcred = p->p_ucred; while (cr->cr_agroups < oldcred->cr_agroups) { groups = oldcred->cr_agroups; PROC_UNLOCK(p); crextend(cr, groups); PROC_LOCK(p); oldcred = p->p_ucred; } crcopy(cr, oldcred); return (oldcred); } /* * Extend the passed in credential to hold n items. */ void crextend(struct ucred *cr, int n) { int cnt; /* Truncate? */ if (n <= cr->cr_agroups) return; /* * We extend by 2 each time since we're using a power of two * allocator until we need enough groups to fill a page. * Once we're allocating multiple pages, only allocate as many * as we actually need. The case of processes needing a * non-power of two number of pages seems more likely than * a real world process that adds thousands of groups one at a * time. */ if ( n < PAGE_SIZE / sizeof(gid_t) ) { if (cr->cr_agroups == 0) cnt = MAX(1, MINALLOCSIZE / sizeof(gid_t)); else cnt = cr->cr_agroups * 2; while (cnt < n) cnt *= 2; } else cnt = roundup2(n, PAGE_SIZE / sizeof(gid_t)); /* Free the old array. */ if (cr->cr_groups != cr->cr_smallgroups) free(cr->cr_groups, M_CRED); cr->cr_groups = malloc(cnt * sizeof(gid_t), M_CRED, M_WAITOK | M_ZERO); cr->cr_agroups = cnt; } /* * Copy groups in to a credential, preserving any necessary invariants. * Currently this includes the sorting of all supplemental gids. * crextend() must have been called before hand to ensure sufficient * space is available. */ static void crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) { int i; int j; gid_t g; KASSERT(cr->cr_agroups >= ngrp, ("cr_ngroups is too small")); bcopy(groups, cr->cr_groups, ngrp * sizeof(gid_t)); cr->cr_ngroups = ngrp; /* * Sort all groups except cr_groups[0] to allow groupmember to * perform a binary search. * * XXX: If large numbers of groups become common this should * be replaced with shell sort like linux uses or possibly * heap sort. */ for (i = 2; i < ngrp; i++) { g = cr->cr_groups[i]; for (j = i-1; j >= 1 && g < cr->cr_groups[j]; j--) cr->cr_groups[j + 1] = cr->cr_groups[j]; cr->cr_groups[j + 1] = g; } } /* * Copy groups in to a credential after expanding it if required. * Truncate the list to (ngroups_max + 1) if it is too large. */ void crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) { if (ngrp > ngroups_max + 1) ngrp = ngroups_max + 1; crextend(cr, ngrp); crsetgroups_locked(cr, ngrp, groups); } /* * Get login name, if available. */ #ifndef _SYS_SYSPROTO_H_ struct getlogin_args { char *namebuf; u_int namelen; }; #endif /* ARGSUSED */ int sys_getlogin(struct thread *td, struct getlogin_args *uap) { char login[MAXLOGNAME]; struct proc *p = td->td_proc; size_t len; if (uap->namelen > MAXLOGNAME) uap->namelen = MAXLOGNAME; PROC_LOCK(p); SESS_LOCK(p->p_session); len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; SESS_UNLOCK(p->p_session); PROC_UNLOCK(p); if (len > uap->namelen) return (ERANGE); return (copyout(login, uap->namebuf, len)); } /* * Set login name. */ #ifndef _SYS_SYSPROTO_H_ struct setlogin_args { char *namebuf; }; #endif /* ARGSUSED */ int sys_setlogin(struct thread *td, struct setlogin_args *uap) { struct proc *p = td->td_proc; int error; char logintmp[MAXLOGNAME]; CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); error = priv_check(td, PRIV_PROC_SETLOGIN); if (error) return (error); error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); if (error != 0) { if (error == ENAMETOOLONG) error = EINVAL; return (error); } AUDIT_ARG_LOGIN(logintmp); PROC_LOCK(p); SESS_LOCK(p->p_session); strcpy(p->p_session->s_login, logintmp); SESS_UNLOCK(p->p_session); PROC_UNLOCK(p); return (0); } void setsugid(struct proc *p) { PROC_LOCK_ASSERT(p, MA_OWNED); p->p_flag |= P_SUGID; } /*- * Change a process's effective uid. * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified. * References: newcred must be an exclusive credential reference for the * duration of the call. */ void change_euid(struct ucred *newcred, struct uidinfo *euip) { newcred->cr_uid = euip->ui_uid; uihold(euip); uifree(newcred->cr_uidinfo); newcred->cr_uidinfo = euip; } /*- * Change a process's effective gid. * Side effects: newcred->cr_gid will be modified. * References: newcred must be an exclusive credential reference for the * duration of the call. */ void change_egid(struct ucred *newcred, gid_t egid) { newcred->cr_groups[0] = egid; } /*- * Change a process's real uid. * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo * will be updated, and the old and new cr_ruidinfo proc * counts will be updated. * References: newcred must be an exclusive credential reference for the * duration of the call. */ void change_ruid(struct ucred *newcred, struct uidinfo *ruip) { (void)chgproccnt(newcred->cr_ruidinfo, -1, 0); newcred->cr_ruid = ruip->ui_uid; uihold(ruip); uifree(newcred->cr_ruidinfo); newcred->cr_ruidinfo = ruip; (void)chgproccnt(newcred->cr_ruidinfo, 1, 0); } /*- * Change a process's real gid. * Side effects: newcred->cr_rgid will be updated. * References: newcred must be an exclusive credential reference for the * duration of the call. */ void change_rgid(struct ucred *newcred, gid_t rgid) { newcred->cr_rgid = rgid; } /*- * Change a process's saved uid. * Side effects: newcred->cr_svuid will be updated. * References: newcred must be an exclusive credential reference for the * duration of the call. */ void change_svuid(struct ucred *newcred, uid_t svuid) { newcred->cr_svuid = svuid; } /*- * Change a process's saved gid. * Side effects: newcred->cr_svgid will be updated. * References: newcred must be an exclusive credential reference for the * duration of the call. */ void change_svgid(struct ucred *newcred, gid_t svgid) { newcred->cr_svgid = svgid; } bool allow_ptrace = true; SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_ptrace, CTLFLAG_RWTUN, &allow_ptrace, 0, "Deny ptrace(2) use by returning ENOSYS");