
Kernel: Add Credentials to hold a set of user and group IDs

This patch adds a new object to hold a Process's user credentials:

- UID, EUID, SUID
- GID, EGID, SGID, extra GIDs

Credentials are immutable and child processes initially inherit the
Credentials object from their parent.

Whenever a process changes one or more of its user/group IDs, a new
Credentials object is constructed.

Any code that wants to inspect and act on a set of credentials can now
do so without worrying about data races.
This commit is contained in:
Andreas Kling 2022-08-20 18:25:54 +02:00
parent bec314611d
commit 122d7d9533
11 changed files with 366 additions and 128 deletions


@ -495,6 +495,42 @@ ErrorOr<void> Process::do_exec(NonnullLockRefPtr<OpenFileDescription> main_progr
if (has_interpreter)
main_program_fd_allocation = TRY(allocate_fd());
auto old_credentials = this->credentials();
auto new_credentials = old_credentials;
bool executable_is_setid = false;
if (!(main_program_description->custody()->mount_flags() & MS_NOSUID)) {
auto main_program_metadata = main_program_description->metadata();
auto new_euid = old_credentials->euid();
auto new_egid = old_credentials->egid();
auto new_suid = old_credentials->suid();
auto new_sgid = old_credentials->sgid();
if (main_program_metadata.is_setuid()) {
executable_is_setid = true;
new_euid = main_program_metadata.uid;
new_suid = main_program_metadata.uid;
}
if (main_program_metadata.is_setgid()) {
executable_is_setid = true;
new_egid = main_program_metadata.gid;
new_sgid = main_program_metadata.gid;
}
if (executable_is_setid) {
new_credentials = TRY(Credentials::create(
old_credentials->uid(),
old_credentials->gid(),
new_euid,
new_egid,
new_suid,
new_sgid,
old_credentials->extra_gids()));
}
}
// We commit to the new executable at this point. There is no turning back!
// Prevent other processes from attaching to us with ptrace while we're doing this.
@ -506,24 +542,10 @@ ErrorOr<void> Process::do_exec(NonnullLockRefPtr<OpenFileDescription> main_progr
kill_threads_except_self();
bool executable_is_setid = false;
if (!(main_program_description->custody()->mount_flags() & MS_NOSUID)) {
auto main_program_metadata = main_program_description->metadata();
if (main_program_metadata.is_setuid()) {
executable_is_setid = true;
ProtectedDataMutationScope scope { *this };
m_protected_values.euid = main_program_metadata.uid;
m_protected_values.suid = main_program_metadata.uid;
}
if (main_program_metadata.is_setgid()) {
executable_is_setid = true;
ProtectedDataMutationScope scope { *this };
m_protected_values.egid = main_program_metadata.gid;
m_protected_values.sgid = main_program_metadata.gid;
}
{
ProtectedDataMutationScope scope { *this };
m_protected_values.credentials = move(new_credentials);
}
set_dumpable(!executable_is_setid);
// We make sure to enter the new address space before destroying the old one.
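Review bot: The replacement Credentials are built, and any failure from `Credentials::create` surfaced through TRY, before the "no turning back" line in the first hunk, but nothing in the code says that ordering is deliberate, so a later refactor could move the allocation past the commit point. Suggested comment above `auto old_credentials = this->credentials();`: `// Build the post-exec credentials (and fail on allocation error) before the point of no return, so a failed create cannot leave a half-exec'd process with stale IDs.` The second hunk then only swaps the pointer under `ProtectedDataMutationScope`, which is the right shape. do_exec starts before the first hunk and continues past the second.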


@ -56,7 +56,7 @@ ErrorOr<FlatPtr> Process::sys$fork(RegisterState& regs)
child->m_protected_values.has_promises = m_protected_values.has_promises.load();
child->m_protected_values.has_execpromises = m_protected_values.has_execpromises.load();
child->m_protected_values.sid = m_protected_values.sid;
child->m_protected_values.extra_gids = m_protected_values.extra_gids;
child->m_protected_values.credentials = m_protected_values.credentials;
child->m_protected_values.umask = m_protected_values.umask;
child->m_protected_values.signal_trampoline = m_protected_values.signal_trampoline;
child->m_protected_values.dumpable = m_protected_values.dumpable;
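Review bot: The changed line shares the parent's Credentials object with the child instead of copying individual IDs, which is only correct because Credentials are immutable (per the commit description) — a reader of sys$fork alone cannot see that. Suggested comment on the line: `// Credentials are immutable; the child shares the parent's object until it changes an ID.` It also reads `m_protected_values.credentials` directly rather than through `this->credentials()` as the syscalls in this commit do; presumably fine under the process lock, but one accessor would be easier to audit. sys$fork starts and ends outside the hunk.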


@ -36,35 +36,50 @@ ErrorOr<FlatPtr> Process::sys$getegid()
return egid().value();
}
ErrorOr<FlatPtr> Process::sys$getresuid(Userspace<UserID*> ruid, Userspace<UserID*> euid, Userspace<UserID*> suid)
ErrorOr<FlatPtr> Process::sys$getresuid(Userspace<UserID*> user_ruid, Userspace<UserID*> user_euid, Userspace<UserID*> user_suid)
{
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::stdio));
TRY(copy_to_user(ruid, &m_protected_values.uid));
TRY(copy_to_user(euid, &m_protected_values.euid));
TRY(copy_to_user(suid, &m_protected_values.suid));
auto credentials = this->credentials();
auto uid = credentials->uid();
auto euid = credentials->euid();
auto suid = credentials->suid();
TRY(copy_to_user(user_ruid, &uid));
TRY(copy_to_user(user_euid, &euid));
TRY(copy_to_user(user_suid, &suid));
return 0;
}
ErrorOr<FlatPtr> Process::sys$getresgid(Userspace<GroupID*> rgid, Userspace<GroupID*> egid, Userspace<GroupID*> sgid)
ErrorOr<FlatPtr> Process::sys$getresgid(Userspace<GroupID*> user_rgid, Userspace<GroupID*> user_egid, Userspace<GroupID*> user_sgid)
{
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::stdio));
TRY(copy_to_user(rgid, &m_protected_values.gid));
TRY(copy_to_user(egid, &m_protected_values.egid));
TRY(copy_to_user(sgid, &m_protected_values.sgid));
auto credentials = this->credentials();
auto gid = credentials->gid();
auto egid = credentials->egid();
auto sgid = credentials->sgid();
TRY(copy_to_user(user_rgid, &gid));
TRY(copy_to_user(user_egid, &egid));
TRY(copy_to_user(user_sgid, &sgid));
return 0;
}
ErrorOr<FlatPtr> Process::sys$getgroups(size_t count, Userspace<gid_t*> user_gids)
ErrorOr<FlatPtr> Process::sys$getgroups(size_t count, Userspace<GroupID*> user_gids)
{
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::stdio));
auto credentials = this->credentials();
if (!count)
return extra_gids().size();
if (count != extra_gids().size())
return credentials->extra_gids().size();
if (count != credentials->extra_gids().size())
return EINVAL;
TRY(copy_to_user(user_gids, extra_gids().data(), sizeof(gid_t) * count));
TRY(copy_to_user(user_gids, credentials->extra_gids().data(), sizeof(GroupID) * count));
return 0;
}
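Review bot: sys$getgroups now copies `sizeof(GroupID) * count` bytes into a `Userspace<GroupID*>` buffer that userspace still fills as gid_t, so the syscall ABI silently depends on GroupID having the same size and representation as gid_t; that appears to hold for the distinct-id wrapper, but nothing pins it. Suggest `static_assert(sizeof(GroupID) == sizeof(gid_t));` next to the copy_to_user so a change to the wrapper cannot corrupt the user buffer. Minor: `credentials->extra_gids()` is evaluated three times in a row; a local `auto extra_gids = credentials->extra_gids();` reads better, and holding the `credentials` local already keeps the backing storage alive for the copy.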


@ -16,15 +16,26 @@ ErrorOr<FlatPtr> Process::sys$seteuid(UserID new_euid)
if (new_euid == (uid_t)-1)
return EINVAL;
if (new_euid != uid() && new_euid != suid() && !is_superuser())
auto credentials = this->credentials();
if (new_euid != credentials->uid() && new_euid != credentials->suid() && !credentials->is_superuser())
return EPERM;
if (euid() != new_euid)
set_dumpable(false);
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
new_euid,
credentials->egid(),
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
m_protected_values.euid = new_euid;
if (credentials->euid() != new_euid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
}
@ -36,14 +47,26 @@ ErrorOr<FlatPtr> Process::sys$setegid(GroupID new_egid)
if (new_egid == (uid_t)-1)
return EINVAL;
if (new_egid != gid() && new_egid != sgid() && !is_superuser())
auto credentials = this->credentials();
if (new_egid != credentials->gid() && new_egid != credentials->sgid() && !credentials->is_superuser())
return EPERM;
if (egid() != new_egid)
set_dumpable(false);
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
new_egid,
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
m_protected_values.egid = new_egid;
if (credentials->egid() != new_egid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
}
@ -55,16 +78,26 @@ ErrorOr<FlatPtr> Process::sys$setuid(UserID new_uid)
if (new_uid == (uid_t)-1)
return EINVAL;
if (new_uid != uid() && new_uid != euid() && !is_superuser())
auto credentials = this->credentials();
if (new_uid != credentials->uid() && new_uid != credentials->euid() && !credentials->is_superuser())
return EPERM;
if (euid() != new_uid)
set_dumpable(false);
auto new_credentials = TRY(Credentials::create(
new_uid,
credentials->gid(),
new_uid,
credentials->egid(),
new_uid,
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
m_protected_values.uid = new_uid;
m_protected_values.euid = new_uid;
m_protected_values.suid = new_uid;
if (credentials->euid() != new_uid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
}
@ -76,16 +109,26 @@ ErrorOr<FlatPtr> Process::sys$setgid(GroupID new_gid)
if (new_gid == (uid_t)-1)
return EINVAL;
if (new_gid != gid() && new_gid != egid() && !is_superuser())
auto credentials = this->credentials();
if (new_gid != credentials->gid() && new_gid != credentials->egid() && !credentials->is_superuser())
return EPERM;
if (egid() != new_gid)
set_dumpable(false);
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
new_gid,
credentials->euid(),
new_gid,
credentials->suid(),
new_gid,
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
m_protected_values.gid = new_gid;
m_protected_values.egid = new_gid;
m_protected_values.sgid = new_gid;
if (credentials->egid() != new_gid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
}
@ -94,24 +137,35 @@ ErrorOr<FlatPtr> Process::sys$setreuid(UserID new_ruid, UserID new_euid)
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::id));
if (new_ruid == (uid_t)-1)
new_ruid = uid();
if (new_euid == (uid_t)-1)
new_euid = euid();
auto credentials = this->credentials();
auto ok = [this](UserID id) { return id == uid() || id == euid() || id == suid(); };
if (new_ruid == (uid_t)-1)
new_ruid = credentials->uid();
if (new_euid == (uid_t)-1)
new_euid = credentials->euid();
auto ok = [&credentials](UserID id) { return id == credentials->uid() || id == credentials->euid() || id == credentials->suid(); };
if (!ok(new_ruid) || !ok(new_euid))
return EPERM;
if (new_ruid < (uid_t)-1 || new_euid < (uid_t)-1)
return EINVAL;
if (euid() != new_euid)
set_dumpable(false);
auto new_credentials = TRY(Credentials::create(
new_ruid,
credentials->gid(),
new_euid,
credentials->egid(),
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
m_protected_values.uid = new_ruid;
m_protected_values.euid = new_euid;
if (credentials->euid() != new_euid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
}
@ -120,24 +174,34 @@ ErrorOr<FlatPtr> Process::sys$setresuid(UserID new_ruid, UserID new_euid, UserID
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::id));
if (new_ruid == (uid_t)-1)
new_ruid = uid();
if (new_euid == (uid_t)-1)
new_euid = euid();
if (new_suid == (uid_t)-1)
new_suid = suid();
auto credentials = this->credentials();
auto ok = [this](UserID id) { return id == uid() || id == euid() || id == suid(); };
if ((!ok(new_ruid) || !ok(new_euid) || !ok(new_suid)) && !is_superuser())
if (new_ruid == (uid_t)-1)
new_ruid = credentials->uid();
if (new_euid == (uid_t)-1)
new_euid = credentials->euid();
if (new_suid == (uid_t)-1)
new_suid = credentials->suid();
auto ok = [&credentials](UserID id) { return id == credentials->uid() || id == credentials->euid() || id == credentials->suid(); };
if ((!ok(new_ruid) || !ok(new_euid) || !ok(new_suid)) && !credentials->is_superuser())
return EPERM;
if (euid() != new_euid)
set_dumpable(false);
auto new_credentials = TRY(Credentials::create(
new_ruid,
credentials->gid(),
new_euid,
credentials->egid(),
new_suid,
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
m_protected_values.uid = new_ruid;
m_protected_values.euid = new_euid;
m_protected_values.suid = new_suid;
if (credentials->euid() != new_euid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
}
@ -146,58 +210,84 @@ ErrorOr<FlatPtr> Process::sys$setresgid(GroupID new_rgid, GroupID new_egid, Grou
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::id));
if (new_rgid == (gid_t)-1)
new_rgid = gid();
if (new_egid == (gid_t)-1)
new_egid = egid();
if (new_sgid == (gid_t)-1)
new_sgid = sgid();
auto credentials = this->credentials();
auto ok = [this](GroupID id) { return id == gid() || id == egid() || id == sgid(); };
if ((!ok(new_rgid) || !ok(new_egid) || !ok(new_sgid)) && !is_superuser())
if (new_rgid == (gid_t)-1)
new_rgid = credentials->gid();
if (new_egid == (gid_t)-1)
new_egid = credentials->egid();
if (new_sgid == (gid_t)-1)
new_sgid = credentials->sgid();
auto ok = [&credentials](GroupID id) { return id == credentials->gid() || id == credentials->egid() || id == credentials->sgid(); };
if ((!ok(new_rgid) || !ok(new_egid) || !ok(new_sgid)) && !credentials->is_superuser())
return EPERM;
if (egid() != new_egid)
set_dumpable(false);
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
new_rgid,
credentials->euid(),
new_egid,
credentials->suid(),
new_sgid,
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
m_protected_values.gid = new_rgid;
m_protected_values.egid = new_egid;
m_protected_values.sgid = new_sgid;
if (credentials->egid() != new_egid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
}
ErrorOr<FlatPtr> Process::sys$setgroups(size_t count, Userspace<gid_t const*> user_gids)
ErrorOr<FlatPtr> Process::sys$setgroups(size_t count, Userspace<GroupID const*> user_gids)
{
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::id));
if (!is_superuser())
auto credentials = this->credentials();
if (!credentials->is_superuser())
return EPERM;
if (!count) {
ProtectedDataMutationScope scope { *this };
m_protected_values.extra_gids.clear();
m_protected_values.credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
credentials->egid(),
credentials->suid(),
credentials->sgid(),
{}));
return 0;
}
Vector<gid_t> new_extra_gids;
Vector<GroupID> new_extra_gids;
TRY(new_extra_gids.try_resize(count));
TRY(copy_n_from_user(new_extra_gids.data(), user_gids, count));
HashTable<gid_t> unique_extra_gids;
HashTable<GroupID> unique_extra_gids;
for (auto& extra_gid : new_extra_gids) {
if (extra_gid != gid())
TRY(unique_extra_gids.try_set(extra_gid));
}
ProtectedDataMutationScope scope { *this };
TRY(m_protected_values.extra_gids.try_resize(unique_extra_gids.size()));
size_t i = 0;
for (auto& extra_gid : unique_extra_gids) {
if (extra_gid == gid())
continue;
m_protected_values.extra_gids[i++] = extra_gid;
new_extra_gids.clear_with_capacity();
for (auto extra_gid : unique_extra_gids) {
TRY(new_extra_gids.try_append(extra_gid));
}
ProtectedDataMutationScope scope { *this };
m_protected_values.credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
credentials->egid(),
credentials->suid(),
credentials->sgid(),
new_extra_gids.span()));
return 0;
}
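Review bot: In sys$setgroups both branches call `TRY(Credentials::create(...))` while `ProtectedDataMutationScope scope { *this }` is already open (the `if (!count)` branch and the final assignment), whereas every other syscall in this file builds `new_credentials` first and opens the scope only for the assignment. Hoisting the create above the scope — `auto new_credentials = TRY(Credentials::create(...));` then `ProtectedDataMutationScope scope { *this };` and `m_protected_values.credentials = move(new_credentials);` — limits the window in which protected data is writable to the pointer swap and matches the rest of the file. Also, the unchanged line `if (extra_gid != gid())` still filters through the Process accessor while the rest of the function reads the `credentials` snapshot; `credentials->gid()` would keep the whole function on one snapshot.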