]> git.saurik.com Git - apple/launchd.git/blob - launchd/src/launchd_mach_ipc.c
projects / apple / launchd.git / blob
? search:


91c571b7b537bd3793b5b763512f2b4c2fce59cc
[apple/launchd.git] / launchd / src / launchd_mach_ipc.c
1 /*
2 * Copyright (c) 1999-2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_APACHE_LICENSE_HEADER_START@
5 *
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *
18 * @APPLE_APACHE_LICENSE_HEADER_END@
19 */
20 /*
21 * bootstrap -- fundamental service initiator and port server
22 * Mike DeMoney, NeXT, Inc.
23 * Copyright, 1990. All rights reserved.
24 *
25 * bootstrap.c -- implementation of bootstrap main service loop
26 */
27
28 static const char *const __rcs_file_version__ = "$Revision: 1.52 $";
29
30 #include <mach/mach.h>
31 #include <mach/mach_error.h>
32 #include <mach/boolean.h>
33 #include <mach/message.h>
34 #include <mach/notify.h>
35 #include <mach/mig_errors.h>
36 #include <mach/mach_traps.h>
37 #include <mach/mach_interface.h>
38 #include <mach/host_info.h>
39 #include <mach/mach_host.h>
40 #include <mach/exception.h>
41 #include <sys/types.h>
42 #include <sys/time.h>
43 #include <sys/event.h>
44 #include <sys/queue.h>
45 #include <sys/socket.h>
46 #include <bsm/libbsm.h>
47 #include <unistd.h>
48 #include <pthread.h>
49 #include <errno.h>
50 #include <string.h>
51 #include <ctype.h>
52 #include <stdio.h>
53 #include <stdlib.h>
54 #include <stdbool.h>
55 #include <syslog.h>
56
57 #include "bootstrap_public.h"
58 #include "bootstrap_private.h"
59 #include "bootstrap.h"
60 #include "bootstrapServer.h"
61 #include "notifyServer.h"
62 #include "launchd_internal.h"
63 #include "launchd_internalServer.h"
64 #include "launchd.h"
65 #include "launchd_core_logic.h"
66 #include "launch_priv.h"
67 #include "launchd_unix_ipc.h"
68
69 struct ldcred {
70 uid_t euid;
71 uid_t uid;
72 gid_t egid;
73 gid_t gid;
74 pid_t pid;
75 au_asid_t asid;
76 };
77
78 static au_asid_t inherited_asid = 0;
79
80 static bool canReceive(mach_port_t);
81 static void init_ports(void);
82 static void *mport_demand_loop(void *arg);
83 static void audit_token_to_launchd_cred(audit_token_t au_tok, struct ldcred *ldc);
84
85 static mach_port_t inherited_bootstrap_port = MACH_PORT_NULL;
86 static mach_port_t demand_port_set = MACH_PORT_NULL;
87 static size_t port_to_obj_size = 0;
88 static void **port_to_obj = NULL;
89 static pthread_t demand_thread;
90
91 static bool trusted_client_check(struct jobcb *j, struct ldcred *ldc);
92
93 struct jobcb *
94 job_find_by_port(mach_port_t mp)
95 {
96 return port_to_obj[MACH_PORT_INDEX(mp)];
97 }
98
99 kern_return_t
100 x_handle_mport(mach_port_t junk __attribute__((unused)))
101 {
102 mach_port_name_array_t members;
103 mach_msg_type_number_t membersCnt;
104 mach_port_status_t status;
105 mach_msg_type_number_t statusCnt;
106 struct kevent kev;
107 unsigned int i;
108
109 if (!launchd_assumes(mach_port_get_set_status(mach_task_self(), demand_port_set, &members, &membersCnt) == KERN_SUCCESS))
110 return 1;
111
112 for (i = 0; i < membersCnt; i++) {
113 statusCnt = MACH_PORT_RECEIVE_STATUS_COUNT;
114 if (mach_port_get_attributes(mach_task_self(), members[i], MACH_PORT_RECEIVE_STATUS,
115 (mach_port_info_t)&status, &statusCnt) != KERN_SUCCESS)
116 continue;
117
118 if (status.mps_msgcount) {
119 EV_SET(&kev, members[i], EVFILT_MACHPORT, 0, 0, 0, job_find_by_port(members[i]));
120 (*((kq_callback *)kev.udata))(kev.udata, &kev);
121 /* the callback may have tainted our ability to continue this for loop */
122 break;
123 }
124 }
125
126 launchd_assumes(vm_deallocate(mach_task_self(), (vm_address_t)members,
127 (vm_size_t) membersCnt * sizeof(mach_port_name_t)) == KERN_SUCCESS);
128
129 return 0;
130 }
131
132 void
133 mach_init_init(mach_port_t req_port, mach_port_t checkin_port,
134 name_array_t l2l_names, mach_port_array_t l2l_ports, mach_msg_type_number_t l2l_cnt)
135 {
136 mach_msg_type_number_t l2l_i;
137 auditinfo_t inherited_audit;
138 pthread_attr_t attr;
139
140 getaudit(&inherited_audit);
141 inherited_asid = inherited_audit.ai_asid;
142
143 init_ports();
144
145 launchd_assert((root_job = job_new_bootstrap(NULL, req_port ? req_port : mach_task_self(), checkin_port)) != NULL);
146
147 launchd_assumes(launchd_get_bport(&inherited_bootstrap_port) == KERN_SUCCESS);
148
149 if (getpid() != 1)
150 launchd_assumes(inherited_bootstrap_port != MACH_PORT_NULL);
151
152 /* We set this explicitly as we start each child */
153 launchd_assumes(launchd_set_bport(MACH_PORT_NULL) == KERN_SUCCESS);
154
155 pthread_attr_init(&attr);
156 pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
157 pthread_attr_setstacksize(&attr, PTHREAD_STACK_MIN);
158
159 launchd_assert(pthread_create(&demand_thread, &attr, mport_demand_loop, NULL) == 0);
160
161 pthread_attr_destroy(&attr);
162
163 /* cut off the Libc cache, we don't want to deadlock against ourself */
164 bootstrap_port = MACH_PORT_NULL;
165
166 if (l2l_names == NULL)
167 return;
168
169 for (l2l_i = 0; l2l_i < l2l_cnt; l2l_i++) {
170 struct machservice *ms;
171
172 if ((ms = machservice_new(root_job, l2l_names[l2l_i], l2l_ports + l2l_i)))
173 machservice_watch(ms);
174 }
175 }
176
177 void mach_init_reap(void)
178 {
179 void *status;
180
181 launchd_assumes(mach_port_destroy(mach_task_self(), demand_port_set) == KERN_SUCCESS);
182
183 launchd_assumes(pthread_join(demand_thread, &status) == 0);
184 }
185
186 void
187 init_ports(void)
188 {
189 launchd_assert((errno = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_PORT_SET,
190 &demand_port_set)) == KERN_SUCCESS);
191 }
192
193 void *
194 mport_demand_loop(void *arg __attribute__((unused)))
195 {
196 mach_msg_empty_rcv_t dummy;
197 kern_return_t kr;
198
199 for (;;) {
200 kr = mach_msg(&dummy.header, MACH_RCV_MSG|MACH_RCV_LARGE, 0, 0, demand_port_set, 0, MACH_PORT_NULL);
201 if (kr == MACH_RCV_PORT_CHANGED) {
202 break;
203 } else if (!launchd_assumes(kr == MACH_RCV_TOO_LARGE)) {
204 continue;
205 }
206 launchd_assumes(handle_mport(launchd_internal_port) == 0);
207 }
208
209 return NULL;
210 }
211
212 boolean_t
213 launchd_mach_ipc_demux(mach_msg_header_t *Request, mach_msg_header_t *Reply)
214 {
215 if (bootstrap_server_routine(Request))
216 return bootstrap_server(Request, Reply);
217
218 return notify_server(Request, Reply);
219 }
220
221 bool
222 canReceive(mach_port_t port)
223 {
224 mach_port_type_t p_type;
225
226 if (!launchd_assumes(mach_port_type(mach_task_self(), port, &p_type) == KERN_SUCCESS))
227 return false;
228
229 return ((p_type & MACH_PORT_TYPE_RECEIVE) != 0);
230 }
231
232 kern_return_t
233 launchd_set_bport(mach_port_t name)
234 {
235 return errno = task_set_bootstrap_port(mach_task_self(), name);
236 }
237
238 kern_return_t
239 launchd_get_bport(mach_port_t *name)
240 {
241 return errno = task_get_bootstrap_port(mach_task_self(), name);
242 }
243
244 kern_return_t
245 launchd_mport_notify_req(mach_port_t name, mach_msg_id_t which)
246 {
247 mach_port_mscount_t msgc = (which == MACH_NOTIFY_NO_SENDERS) ? 1 : 0;
248 mach_port_t previous, where = (which == MACH_NOTIFY_NO_SENDERS) ? name : launchd_internal_port;
249
250 if (which == MACH_NOTIFY_NO_SENDERS) {
251 /* Always make sure the send count is zero, in case a receive right is reused */
252 errno = mach_port_set_mscount(mach_task_self(), name, 0);
253 if (errno != KERN_SUCCESS)
254 return errno;
255 }
256
257 errno = mach_port_request_notification(mach_task_self(), name, which, msgc, where,
258 MACH_MSG_TYPE_MAKE_SEND_ONCE, &previous);
259
260 if (errno == 0 && previous != MACH_PORT_NULL)
261 launchd_assumes(launchd_mport_deallocate(previous) == KERN_SUCCESS);
262
263 return errno;
264 }
265
266 kern_return_t
267 launchd_mport_request_callback(mach_port_t name, void *obj, bool readmsg)
268 {
269 size_t needed_size;
270
271 if (!obj)
272 return errno = mach_port_move_member(mach_task_self(), name, MACH_PORT_NULL);
273
274 needed_size = (MACH_PORT_INDEX(name) + 1) * sizeof(void *);
275
276 if (needed_size > port_to_obj_size) {
277 if (port_to_obj == NULL) {
278 launchd_assumes((port_to_obj = calloc(1, needed_size * 2)) != NULL);
279 } else {
280 launchd_assumes((port_to_obj = reallocf(port_to_obj, needed_size * 2)) != NULL);
281 memset((uint8_t *)port_to_obj + port_to_obj_size, 0, needed_size * 2 - port_to_obj_size);
282 }
283 port_to_obj_size = needed_size * 2;
284 }
285
286 port_to_obj[MACH_PORT_INDEX(name)] = obj;
287
288 return errno = mach_port_move_member(mach_task_self(), name, readmsg ? ipc_port_set : demand_port_set);
289 }
290
291 kern_return_t
292 launchd_mport_make_send(mach_port_t name)
293 {
294 return errno = mach_port_insert_right(mach_task_self(), name, name, MACH_MSG_TYPE_MAKE_SEND);
295 }
296
297 kern_return_t
298 launchd_mport_close_recv(mach_port_t name)
299 {
300 if (launchd_assumes(port_to_obj != NULL)) {
301 port_to_obj[MACH_PORT_INDEX(name)] = NULL;
302 return errno = mach_port_mod_refs(mach_task_self(), name, MACH_PORT_RIGHT_RECEIVE, -1);
303 } else {
304 return errno = KERN_FAILURE;
305 }
306 }
307
308 kern_return_t
309 launchd_mport_create_recv(mach_port_t *name)
310 {
311 return errno = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, name);
312 }
313
314 kern_return_t
315 launchd_mport_deallocate(mach_port_t name)
316 {
317 return errno = mach_port_deallocate(mach_task_self(), name);
318 }
319
320 void
321 audit_token_to_launchd_cred(audit_token_t au_tok, struct ldcred *ldc)
322 {
323 audit_token_to_au32(au_tok, /* audit UID */ NULL,
324 &ldc->euid, &ldc->egid,
325 &ldc->uid, &ldc->gid, &ldc->pid,
326 &ldc->asid, /* au_tid_t */ NULL);
327 }
328
329 kern_return_t
330 x_bootstrap_create_server(mach_port_t bp, cmd_t server_cmd, uid_t server_uid, boolean_t on_demand,
331 audit_token_t au_tok, mach_port_t *server_portp)
332 {
333 struct jobcb *js, *j = job_find_by_port(bp);
334 struct ldcred ldc;
335
336 audit_token_to_launchd_cred(au_tok, &ldc);
337
338 job_log(j, LOG_DEBUG, "Server create attempt: %s", server_cmd);
339
340 #define LET_MERE_MORTALS_ADD_SERVERS_TO_PID1
341 /* XXX - This code should go away once the per session launchd is integrated with the rest of the system */
342 #ifdef LET_MERE_MORTALS_ADD_SERVERS_TO_PID1
343 if (getpid() == 1) {
344 if (ldc.euid != 0 && ldc.euid != server_uid) {
345 job_log(j, LOG_WARNING, "Server create: \"%s\": Will run as UID %d, not UID %d as they told us to",
346 server_cmd, ldc.euid, server_uid);
347 server_uid = ldc.euid;
348 }
349 } else
350 #endif
351 if (!trusted_client_check(j, &ldc)) {
352 return BOOTSTRAP_NOT_PRIVILEGED;
353 } else if (server_uid != getuid()) {
354 job_log(j, LOG_WARNING, "Server create: \"%s\": As UID %d, we will not be able to switch to UID %d",
355 server_cmd, getuid(), server_uid);
356 server_uid = getuid();
357 }
358
359 js = job_new_via_mach_init(j, server_cmd, server_uid, on_demand);
360
361 if (js == NULL)
362 return BOOTSTRAP_NO_MEMORY;
363
364 *server_portp = job_get_bsport(js);
365 return BOOTSTRAP_SUCCESS;
366 }
367
368 kern_return_t
369 x_bootstrap_getsocket(mach_port_t bp, name_t spr)
370 {
371 if (!sockpath) {
372 return BOOTSTRAP_NO_MEMORY;
373 } else if (getpid() == 1) {
374 return BOOTSTRAP_NOT_PRIVILEGED;
375 }
376
377 strncpy(spr, sockpath, sizeof(name_t));
378
379 return BOOTSTRAP_SUCCESS;
380 }
381
382 kern_return_t
383 x_bootstrap_unprivileged(mach_port_t bp, mach_port_t *unprivportp)
384 {
385 struct jobcb *j = job_find_by_port(bp);
386
387 job_log(j, LOG_DEBUG, "Requested unprivileged bootstrap port");
388
389 j = job_get_bs(j);
390
391 *unprivportp = job_get_bsport(j);
392
393 return BOOTSTRAP_SUCCESS;
394 }
395
396
397 kern_return_t
398 x_bootstrap_check_in(mach_port_t bp, name_t servicename, audit_token_t au_tok, mach_port_t *serviceportp)
399 {
400 static pid_t last_warned_pid = 0;
401 struct jobcb *j = job_find_by_port(bp);
402 struct machservice *ms;
403 struct ldcred ldc;
404
405 audit_token_to_launchd_cred(au_tok, &ldc);
406
407 trusted_client_check(j, &ldc);
408
409 ms = job_lookup_service(j, servicename, true);
410
411 if (ms == NULL) {
412 job_log(j, LOG_DEBUG, "Check-in of Mach service failed. Unknown: %s", servicename);
413 return BOOTSTRAP_UNKNOWN_SERVICE;
414 }
415 if (machservice_job(ms) != j) {
416 if (last_warned_pid != ldc.pid) {
417 job_log(j, LOG_NOTICE, "Check-in of Mach service failed. PID %d is not privileged: %s",
418 ldc.pid, servicename);
419 last_warned_pid = ldc.pid;
420 }
421 return BOOTSTRAP_NOT_PRIVILEGED;
422 }
423 if (!canReceive(machservice_port(ms))) {
424 launchd_assumes(machservice_active(ms));
425 job_log(j, LOG_DEBUG, "Check-in of Mach service failed. Already active: %s", servicename);
426 return BOOTSTRAP_SERVICE_ACTIVE;
427 }
428
429 machservice_watch(ms);
430
431 job_log(j, LOG_INFO, "Check-in of service: %s", servicename);
432
433 *serviceportp = machservice_port(ms);
434 return BOOTSTRAP_SUCCESS;
435 }
436
437 kern_return_t
438 x_bootstrap_register(mach_port_t bp, audit_token_t au_tok, name_t servicename, mach_port_t serviceport)
439 {
440 struct jobcb *j = job_find_by_port(bp);
441 struct machservice *ms;
442 struct ldcred ldc;
443
444 audit_token_to_launchd_cred(au_tok, &ldc);
445
446 trusted_client_check(j, &ldc);
447
448 job_log(j, LOG_DEBUG, "Mach service registration attempt: %s", servicename);
449
450 ms = job_lookup_service(j, servicename, false);
451
452 if (ms) {
453 if (machservice_job(ms) != j)
454 return BOOTSTRAP_NOT_PRIVILEGED;
455 if (machservice_active(ms)) {
456 job_log(j, LOG_DEBUG, "Mach service registration failed. Already active: %s", servicename);
457 launchd_assumes(!canReceive(machservice_port(ms)));
458 return BOOTSTRAP_SERVICE_ACTIVE;
459 }
460 job_checkin(machservice_job(ms));
461 machservice_delete(ms);
462 }
463
464 if (serviceport != MACH_PORT_NULL) {
465 if ((ms = machservice_new(job_get_bs(j), servicename, &serviceport))) {
466 machservice_watch(ms);
467 } else {
468 return BOOTSTRAP_NO_MEMORY;
469 }
470 }
471
472 return BOOTSTRAP_SUCCESS;
473 }
474
475 kern_return_t
476 x_bootstrap_look_up(mach_port_t bp, audit_token_t au_tok, name_t servicename, mach_port_t *serviceportp, mach_msg_type_name_t *ptype)
477 {
478 struct jobcb *j = job_find_by_port(bp);
479 struct machservice *ms;
480 struct ldcred ldc;
481
482 audit_token_to_launchd_cred(au_tok, &ldc);
483
484 trusted_client_check(j, &ldc);
485
486 ms = job_lookup_service(j, servicename, true);
487
488 if (ms && machservice_hidden(ms) && !job_active(machservice_job(ms))) {
489 ms = NULL;
490 }
491
492 if (ms) {
493 launchd_assumes(machservice_port(ms) != MACH_PORT_NULL);
494 job_log(j, LOG_DEBUG, "Mach service lookup (by PID %d): %s", ldc.pid, servicename);
495 *serviceportp = machservice_port(ms);
496 *ptype = MACH_MSG_TYPE_COPY_SEND;
497 return BOOTSTRAP_SUCCESS;
498 } else if (inherited_bootstrap_port != MACH_PORT_NULL) {
499 job_log(j, LOG_DEBUG, "Mach service lookup (by PID %d) forwarded: %s", ldc.pid, servicename);
500 *ptype = MACH_MSG_TYPE_MOVE_SEND;
501 return bootstrap_look_up(inherited_bootstrap_port, servicename, serviceportp);
502 } else {
503 job_log(j, LOG_DEBUG, "Mach service lookup (by PID %d) failed: %s", ldc.pid, servicename);
504 return BOOTSTRAP_UNKNOWN_SERVICE;
505 }
506 }
507
508 kern_return_t
509 x_bootstrap_parent(mach_port_t bp, mach_port_t *parentport, mach_msg_type_name_t *pptype)
510 {
511 struct jobcb *j = job_find_by_port(bp);
512
513 job_log(j, LOG_DEBUG, "Requested parent bootstrap port");
514
515 j = job_get_bs(j);
516
517 *pptype = MACH_MSG_TYPE_MAKE_SEND;
518
519 if (job_parent(j)) {
520 *parentport = job_get_bsport(job_parent(j));
521 } else if (MACH_PORT_NULL == inherited_bootstrap_port) {
522 *parentport = job_get_bsport(j);
523 } else {
524 *pptype = MACH_MSG_TYPE_COPY_SEND;
525 *parentport = inherited_bootstrap_port;
526 }
527 return BOOTSTRAP_SUCCESS;
528 }
529
530 static void
531 x_bootstrap_info_countservices(struct machservice *ms, void *context)
532 {
533 unsigned int *cnt = context;
534
535 (*cnt)++;
536 }
537
538 struct x_bootstrap_info_copyservices_cb {
539 name_array_t service_names;
540 bootstrap_status_array_t service_actives;
541 mach_port_array_t ports;
542 unsigned int i;
543 };
544
545 static void
546 x_bootstrap_info_copyservices(struct machservice *ms, void *context)
547 {
548 struct x_bootstrap_info_copyservices_cb *info_resp = context;
549
550 strlcpy(info_resp->service_names[info_resp->i], machservice_name(ms), sizeof(info_resp->service_names[0]));
551
552 launchd_assumes(info_resp->service_actives || info_resp->ports);
553
554 if (info_resp->service_actives) {
555 info_resp->service_actives[info_resp->i] = machservice_status(ms);
556 } else {
557 info_resp->ports[info_resp->i] = machservice_port(ms);
558 }
559 info_resp->i++;
560 }
561
562 kern_return_t
563 x_bootstrap_info(mach_port_t bp, name_array_t *servicenamesp, unsigned int *servicenames_cnt,
564 bootstrap_status_array_t *serviceactivesp, unsigned int *serviceactives_cnt)
565 {
566 struct x_bootstrap_info_copyservices_cb info_resp = { NULL, NULL, NULL, 0 };
567 struct jobcb *ji, *j = job_find_by_port(bp);
568 kern_return_t result;
569 unsigned int cnt = 0;
570
571 for (ji = j; ji; ji = job_parent(ji))
572 job_foreach_service(ji, x_bootstrap_info_countservices, &cnt, true);
573
574 result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.service_names, cnt * sizeof(info_resp.service_names[0]), true);
575 if (!launchd_assumes(result == KERN_SUCCESS))
576 goto out_bad;
577
578 result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.service_actives, cnt * sizeof(info_resp.service_actives[0]), true);
579 if (!launchd_assumes(result == KERN_SUCCESS))
580 goto out_bad;
581
582 for (ji = j; ji; ji = job_parent(ji))
583 job_foreach_service(ji, x_bootstrap_info_copyservices, &info_resp, true);
584
585 launchd_assumes(info_resp.i == cnt);
586
587 *servicenamesp = info_resp.service_names;
588 *serviceactivesp = info_resp.service_actives;
589 *servicenames_cnt = *serviceactives_cnt = cnt;
590
591 return BOOTSTRAP_SUCCESS;
592
593 out_bad:
594 if (info_resp.service_names)
595 vm_deallocate(mach_task_self(), (vm_address_t)info_resp.service_names, cnt * sizeof(info_resp.service_names[0]));
596
597 return BOOTSTRAP_NO_MEMORY;
598 }
599
600 kern_return_t
601 x_bootstrap_transfer_subset(mach_port_t bp, mach_port_t *reqport, mach_port_t *rcvright,
602 name_array_t *servicenamesp, unsigned int *servicenames_cnt,
603 mach_port_array_t *ports, unsigned int *ports_cnt)
604 {
605 struct x_bootstrap_info_copyservices_cb info_resp = { NULL, NULL, NULL, 0 };
606 struct jobcb *j = job_find_by_port(bp);
607 unsigned int cnt = 0;
608 kern_return_t result;
609
610 if (getpid() != 1) {
611 job_log(j, LOG_ERR, "Only the system launchd will transfer Mach sub-bootstraps.");
612 return BOOTSTRAP_NOT_PRIVILEGED;
613 } else if (!job_parent(j)) {
614 job_log(j, LOG_ERR, "Root Mach bootstrap cannot be transferred.");
615 return BOOTSTRAP_NOT_PRIVILEGED;
616 }
617
618 job_log(j, LOG_DEBUG, "Transferring sub-bootstrap to the per session launchd.");
619
620 job_foreach_service(j, x_bootstrap_info_countservices, &cnt, false);
621
622 result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.service_names, cnt * sizeof(info_resp.service_names[0]), true);
623 if (!launchd_assumes(result == KERN_SUCCESS))
624 goto out_bad;
625
626 result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.ports, cnt * sizeof(info_resp.ports[0]), true);
627 if (!launchd_assumes(result == KERN_SUCCESS))
628 goto out_bad;
629
630 job_foreach_service(j, x_bootstrap_info_copyservices, &info_resp, false);
631
632 launchd_assumes(info_resp.i == cnt);
633
634 *servicenamesp = info_resp.service_names;
635 *ports = info_resp.ports;
636 *servicenames_cnt = *ports_cnt = cnt;
637
638 *reqport = job_get_reqport(j);
639 *rcvright = job_get_bsport(j);
640
641 launchd_assumes(launchd_mport_request_callback(*rcvright, NULL, true) == KERN_SUCCESS);
642
643 launchd_assumes(launchd_mport_make_send(*rcvright) == KERN_SUCCESS);
644
645 return BOOTSTRAP_SUCCESS;
646
647 out_bad:
648 if (info_resp.service_names)
649 vm_deallocate(mach_task_self(), (vm_address_t)info_resp.service_names, cnt * sizeof(info_resp.service_names[0]));
650
651 return BOOTSTRAP_NO_MEMORY;
652 }
653
654 kern_return_t
655 x_bootstrap_subset(mach_port_t bp, mach_port_t requestorport, mach_port_t *subsetportp)
656 {
657 struct jobcb *js, *j = job_find_by_port(bp);
658 int bsdepth = 0;
659
660 while ((j = job_parent(j)) != NULL)
661 bsdepth++;
662
663 j = job_find_by_port(bp);
664
665 /* Since we use recursion, we need an artificial depth for subsets */
666 if (bsdepth > 100) {
667 job_log(j, LOG_ERR, "Mach sub-bootstrap create request failed. Depth greater than: %d", bsdepth);
668 return BOOTSTRAP_NO_MEMORY;
669 }
670
671 if ((js = job_new_bootstrap(j, requestorport, MACH_PORT_NULL)) == NULL) {
672 if (requestorport == MACH_PORT_NULL)
673 return BOOTSTRAP_NOT_PRIVILEGED;
674 return BOOTSTRAP_NO_MEMORY;
675 }
676
677 *subsetportp = job_get_bsport(js);
678 return BOOTSTRAP_SUCCESS;
679 }
680
681 kern_return_t
682 x_bootstrap_create_service(mach_port_t bp, name_t servicename, mach_port_t *serviceportp)
683 {
684 struct jobcb *j = job_find_by_port(bp);
685 struct machservice *ms;
686
687 if (job_prog(j)[0] == '\0') {
688 job_log(j, LOG_ERR, "Mach service creation requires a target server: %s", servicename);
689 return BOOTSTRAP_NOT_PRIVILEGED;
690 }
691
692 ms = job_lookup_service(j, servicename, false);
693 if (ms) {
694 job_log(j, LOG_DEBUG, "Mach service creation attempt for failed. Already exists: %s", servicename);
695 return BOOTSTRAP_NAME_IN_USE;
696 }
697
698 job_checkin(j);
699
700 *serviceportp = MACH_PORT_NULL;
701 ms = machservice_new(j, servicename, serviceportp);
702
703 if (!launchd_assumes(ms != NULL))
704 goto out_bad;
705
706 return BOOTSTRAP_SUCCESS;
707
708 out_bad:
709 launchd_assumes(launchd_mport_close_recv(*serviceportp) == KERN_SUCCESS);
710 return BOOTSTRAP_NO_MEMORY;
711 }
712
713 kern_return_t
714 x_mpm_wait(mach_port_t bp, mach_port_t srp, audit_token_t au_tok, integer_t *waitstatus)
715 {
716 struct jobcb *j = job_find_by_port(bp);
717 #if 0
718 struct ldcred ldc;
719 audit_token_to_launchd_cred(au_tok, &ldc);
720 #endif
721 return job_handle_mpm_wait(j, srp, waitstatus);
722 }
723
724 kern_return_t
725 x_mpm_uncork_fork(mach_port_t bp, audit_token_t au_tok)
726 {
727 struct jobcb *j = job_find_by_port(bp);
728
729 if (!j)
730 return BOOTSTRAP_NOT_PRIVILEGED;
731
732 job_uncork_fork(j);
733
734 return 0;
735 }
736
737 kern_return_t
738 x_mpm_spawn(mach_port_t bp, audit_token_t au_tok,
739 _internal_string_t charbuf, mach_msg_type_number_t charbuf_cnt,
740 uint32_t argc, uint32_t envc, uint64_t flags, uint16_t mig_umask,
741 pid_t *child_pid, mach_port_t *obsvr_port)
742 {
743 struct jobcb *jr, *j = job_find_by_port(bp);
744 struct ldcred ldc;
745 size_t offset = 0;
746 char *tmpp;
747 const char **argv = NULL, **env = NULL;
748 const char *label = NULL;
749 const char *path = NULL;
750 const char *workingdir = NULL;
751 size_t argv_i = 0, env_i = 0;
752
753 audit_token_to_launchd_cred(au_tok, &ldc);
754
755 #if 0
756 if (ldc.asid != inherited_asid) {
757 job_log(j, LOG_ERR, "Security: PID %d (ASID %d) was denied a request to spawn a process in this session (ASID %d)",
758 ldc.pid, ldc.asid, inherited_asid);
759 return BOOTSTRAP_NOT_PRIVILEGED;
760 }
761 #endif
762
763 argv = alloca((argc + 1) * sizeof(char *));
764 memset(argv, 0, (argc + 1) * sizeof(char *));
765
766 if (envc > 0) {
767 env = alloca((envc + 1) * sizeof(char *));
768 memset(env, 0, (envc + 1) * sizeof(char *));
769 }
770
771 while (offset < charbuf_cnt) {
772 tmpp = charbuf + offset;
773 offset += strlen(tmpp) + 1;
774 if (!label) {
775 label = tmpp;
776 } else if (argc > 0) {
777 argv[argv_i] = tmpp;
778 argv_i++;
779 argc--;
780 } else if (envc > 0) {
781 env[env_i] = tmpp;
782 env_i++;
783 envc--;
784 } else if (flags & SPAWN_HAS_PATH) {
785 path = tmpp;
786 flags &= ~SPAWN_HAS_PATH;
787 } else if (flags & SPAWN_HAS_WDIR) {
788 workingdir = tmpp;
789 flags &= ~SPAWN_HAS_WDIR;
790 }
791 }
792
793 jr = job_new_spawn(label, path, workingdir, argv, env, flags & SPAWN_HAS_UMASK ? &mig_umask : NULL,
794 flags & SPAWN_WANTS_WAIT4DEBUGGER, flags & SPAWN_WANTS_FORCE_PPC);
795
796 if (jr == NULL) switch (errno) {
797 case EEXIST:
798 return BOOTSTRAP_NAME_IN_USE;
799 default:
800 return BOOTSTRAP_NO_MEMORY;
801 }
802
803 job_log(j, LOG_INFO, "Spawned with flags:%s%s",
804 flags & SPAWN_WANTS_FORCE_PPC ? " ppc": "",
805 flags & SPAWN_WANTS_WAIT4DEBUGGER ? " stopped": "");
806
807 *child_pid = job_get_pid(jr);
808 *obsvr_port = job_get_bsport(jr);
809
810 return BOOTSTRAP_SUCCESS;
811 }
812
813 kern_return_t
814 do_mach_notify_port_destroyed(mach_port_t notify, mach_port_t rights)
815 {
816 /* This message is sent to us when a receive right is returned to us. */
817
818 if (!job_ack_port_destruction(root_job, rights)) {
819 launchd_assumes(launchd_mport_close_recv(rights) == KERN_SUCCESS);
820 }
821
822 return KERN_SUCCESS;
823 }
824
825 kern_return_t
826 do_mach_notify_port_deleted(mach_port_t notify, mach_port_name_t name)
827 {
828 /* If we deallocate/destroy/mod_ref away a port with a pending notification,
829 * the original notification message is replaced with this message.
830 *
831 * To quote a Mach kernel expert, "the kernel has a send-once right that has
832 * to be used somehow."
833 */
834 return KERN_SUCCESS;
835 }
836
837 kern_return_t
838 do_mach_notify_no_senders(mach_port_t notify, mach_port_mscount_t mscount)
839 {
840 struct jobcb *j = job_find_by_port(notify);
841
842 /* This message is sent to us when the last customer of one of our objects
843 * goes away.
844 */
845
846 if (!launchd_assumes(j != NULL))
847 return KERN_FAILURE;
848
849 job_ack_no_senders(j);
850
851 return KERN_SUCCESS;
852 }
853
854 kern_return_t
855 do_mach_notify_send_once(mach_port_t notify)
856 {
857 /*
858 * This message is sent to us every time we close a port that we have
859 * outstanding Mach notification requests on. We can safely ignore
860 * this message.
861 */
862 return KERN_SUCCESS;
863 }
864
865 kern_return_t
866 do_mach_notify_dead_name(mach_port_t notify, mach_port_name_t name)
867 {
868 /* This message is sent to us when one of our send rights no longer has
869 * a receiver somewhere else on the system.
870 */
871
872 if (name == inherited_bootstrap_port) {
873 launchd_assumes(launchd_mport_deallocate(name) == KERN_SUCCESS);
874 inherited_bootstrap_port = MACH_PORT_NULL;
875 }
876
877 job_delete_anything_with_port(root_job, name);
878
879 /* A dead-name notification about a port appears to increment the
880 * rights on said port. Let's deallocate it so that we don't leak
881 * dead-name ports.
882 */
883 launchd_assumes(launchd_mport_deallocate(name) == KERN_SUCCESS);
884
885 return KERN_SUCCESS;
886 }
887
888 bool
889 trusted_client_check(struct jobcb *j, struct ldcred *ldc)
890 {
891 static pid_t last_warned_pid = 0;
892
893 /* In the long run, we wish to enforce the progeny rule, but for now,
894 * we'll let root and the user be forgiven. Once we get CoreProcesses
895 * to switch to using launchd rather than the WindowServer for indirect
896 * process invocation, we can then seriously look at cranking up the
897 * warning level here.
898 */
899
900 if (inherited_asid == ldc->asid)
901 return true;
902 if (progeny_check(ldc->pid))
903 return true;
904 if (ldc->euid == geteuid())
905 return true;
906 if (ldc->euid == 0 && ldc->uid == 0)
907 return true;
908 if (last_warned_pid == ldc->pid)
909 return false;
910
911 job_log(j, LOG_NOTICE, "Security: PID %d (ASID %d) was leaked into this session (ASID %d). This will be denied in the future.", ldc->pid, ldc->asid, inherited_asid);
912
913 last_warned_pid = ldc->pid;
914
915 return false;
916 }
mirror of launchd