+/*
+ * Copyright (c) 1999-2004 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_APACHE_LICENSE_HEADER_START@
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @APPLE_APACHE_LICENSE_HEADER_END@
+ */
+/*
+ * bootstrap -- fundamental service initiator and port server
+ * Mike DeMoney, NeXT, Inc.
+ * Copyright, 1990. All rights reserved.
+ *
+ * bootstrap.c -- implementation of bootstrap main service loop
+ */
+
+static const char *const __rcs_file_version__ = "$Revision: 1.52 $";
+
+#include <mach/mach.h>
+#include <mach/mach_error.h>
+#include <mach/boolean.h>
+#include <mach/message.h>
+#include <mach/notify.h>
+#include <mach/mig_errors.h>
+#include <mach/mach_traps.h>
+#include <mach/mach_interface.h>
+#include <mach/host_info.h>
+#include <mach/mach_host.h>
+#include <mach/exception.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/event.h>
+#include <sys/queue.h>
+#include <sys/socket.h>
+#include <bsm/libbsm.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+#include <string.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <syslog.h>
+
+#include "bootstrap_public.h"
+#include "bootstrap_private.h"
+#include "bootstrap.h"
+#include "bootstrapServer.h"
+#include "notifyServer.h"
+#include "launchd_internal.h"
+#include "launchd_internalServer.h"
+#include "launchd.h"
+#include "launchd_core_logic.h"
+#include "launch_priv.h"
+#include "launchd_unix_ipc.h"
+
+struct ldcred {
+ uid_t euid;
+ uid_t uid;
+ gid_t egid;
+ gid_t gid;
+ pid_t pid;
+ au_asid_t asid;
+};
+
+static au_asid_t inherited_asid = 0;
+
+static bool canReceive(mach_port_t);
+static void init_ports(void);
+static void *mport_demand_loop(void *arg);
+static void audit_token_to_launchd_cred(audit_token_t au_tok, struct ldcred *ldc);
+
+static mach_port_t inherited_bootstrap_port = MACH_PORT_NULL;
+static mach_port_t demand_port_set = MACH_PORT_NULL;
+static size_t port_to_obj_size = 0;
+static void **port_to_obj = NULL;
+static pthread_t demand_thread;
+
+static bool trusted_client_check(struct jobcb *j, struct ldcred *ldc);
+
+struct jobcb *
+job_find_by_port(mach_port_t mp)
+{
+ return port_to_obj[MACH_PORT_INDEX(mp)];
+}
+
+kern_return_t
+x_handle_mport(mach_port_t junk __attribute__((unused)))
+{
+ mach_port_name_array_t members;
+ mach_msg_type_number_t membersCnt;
+ mach_port_status_t status;
+ mach_msg_type_number_t statusCnt;
+ struct kevent kev;
+ unsigned int i;
+
+ if (!launchd_assumes(mach_port_get_set_status(mach_task_self(), demand_port_set, &members, &membersCnt) == KERN_SUCCESS))
+ return 1;
+
+ for (i = 0; i < membersCnt; i++) {
+ statusCnt = MACH_PORT_RECEIVE_STATUS_COUNT;
+ if (mach_port_get_attributes(mach_task_self(), members[i], MACH_PORT_RECEIVE_STATUS,
+ (mach_port_info_t)&status, &statusCnt) != KERN_SUCCESS)
+ continue;
+
+ if (status.mps_msgcount) {
+ EV_SET(&kev, members[i], EVFILT_MACHPORT, 0, 0, 0, job_find_by_port(members[i]));
+ (*((kq_callback *)kev.udata))(kev.udata, &kev);
+ /* the callback may have tainted our ability to continue this for loop */
+ break;
+ }
+ }
+
+ launchd_assumes(vm_deallocate(mach_task_self(), (vm_address_t)members,
+ (vm_size_t) membersCnt * sizeof(mach_port_name_t)) == KERN_SUCCESS);
+
+ return 0;
+}
+
+void
+mach_init_init(mach_port_t req_port, mach_port_t checkin_port,
+ name_array_t l2l_names, mach_port_array_t l2l_ports, mach_msg_type_number_t l2l_cnt)
+{
+ mach_msg_type_number_t l2l_i;
+ auditinfo_t inherited_audit;
+ pthread_attr_t attr;
+
+ getaudit(&inherited_audit);
+ inherited_asid = inherited_audit.ai_asid;
+
+ init_ports();
+
+ launchd_assert((root_job = job_new_bootstrap(NULL, req_port ? req_port : mach_task_self(), checkin_port)) != NULL);
+
+ launchd_assumes(launchd_get_bport(&inherited_bootstrap_port) == KERN_SUCCESS);
+
+ if (getpid() != 1)
+ launchd_assumes(inherited_bootstrap_port != MACH_PORT_NULL);
+
+ /* We set this explicitly as we start each child */
+ launchd_assumes(launchd_set_bport(MACH_PORT_NULL) == KERN_SUCCESS);
+
+ pthread_attr_init(&attr);
+ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
+ pthread_attr_setstacksize(&attr, PTHREAD_STACK_MIN);
+
+ launchd_assert(pthread_create(&demand_thread, &attr, mport_demand_loop, NULL) == 0);
+
+ pthread_attr_destroy(&attr);
+
+ /* cut off the Libc cache, we don't want to deadlock against ourself */
+ bootstrap_port = MACH_PORT_NULL;
+
+ if (l2l_names == NULL)
+ return;
+
+ for (l2l_i = 0; l2l_i < l2l_cnt; l2l_i++) {
+ struct machservice *ms;
+
+ if ((ms = machservice_new(root_job, l2l_names[l2l_i], l2l_ports + l2l_i)))
+ machservice_watch(ms);
+ }
+}
+
+void mach_init_reap(void)
+{
+ void *status;
+
+ launchd_assumes(mach_port_destroy(mach_task_self(), demand_port_set) == KERN_SUCCESS);
+
+ launchd_assumes(pthread_join(demand_thread, &status) == 0);
+}
+
+void
+init_ports(void)
+{
+ launchd_assert((errno = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_PORT_SET,
+ &demand_port_set)) == KERN_SUCCESS);
+}
+
+void *
+mport_demand_loop(void *arg __attribute__((unused)))
+{
+ mach_msg_empty_rcv_t dummy;
+ kern_return_t kr;
+
+ for (;;) {
+ kr = mach_msg(&dummy.header, MACH_RCV_MSG|MACH_RCV_LARGE, 0, 0, demand_port_set, 0, MACH_PORT_NULL);
+ if (kr == MACH_RCV_PORT_CHANGED) {
+ break;
+ } else if (!launchd_assumes(kr == MACH_RCV_TOO_LARGE)) {
+ continue;
+ }
+ launchd_assumes(handle_mport(launchd_internal_port) == 0);
+ }
+
+ return NULL;
+}
+
+boolean_t
+launchd_mach_ipc_demux(mach_msg_header_t *Request, mach_msg_header_t *Reply)
+{
+ if (bootstrap_server_routine(Request))
+ return bootstrap_server(Request, Reply);
+
+ return notify_server(Request, Reply);
+}
+
+bool
+canReceive(mach_port_t port)
+{
+ mach_port_type_t p_type;
+
+ if (!launchd_assumes(mach_port_type(mach_task_self(), port, &p_type) == KERN_SUCCESS))
+ return false;
+
+ return ((p_type & MACH_PORT_TYPE_RECEIVE) != 0);
+}
+
+kern_return_t
+launchd_set_bport(mach_port_t name)
+{
+ return errno = task_set_bootstrap_port(mach_task_self(), name);
+}
+
+kern_return_t
+launchd_get_bport(mach_port_t *name)
+{
+ return errno = task_get_bootstrap_port(mach_task_self(), name);
+}
+
+kern_return_t
+launchd_mport_notify_req(mach_port_t name, mach_msg_id_t which)
+{
+ mach_port_mscount_t msgc = (which == MACH_NOTIFY_NO_SENDERS) ? 1 : 0;
+ mach_port_t previous, where = (which == MACH_NOTIFY_NO_SENDERS) ? name : launchd_internal_port;
+
+ if (which == MACH_NOTIFY_NO_SENDERS) {
+ /* Always make sure the send count is zero, in case a receive right is reused */
+ errno = mach_port_set_mscount(mach_task_self(), name, 0);
+ if (errno != KERN_SUCCESS)
+ return errno;
+ }
+
+ errno = mach_port_request_notification(mach_task_self(), name, which, msgc, where,
+ MACH_MSG_TYPE_MAKE_SEND_ONCE, &previous);
+
+ if (errno == 0 && previous != MACH_PORT_NULL)
+ launchd_assumes(launchd_mport_deallocate(previous) == KERN_SUCCESS);
+
+ return errno;
+}
+
+kern_return_t
+launchd_mport_request_callback(mach_port_t name, void *obj, bool readmsg)
+{
+ size_t needed_size;
+
+ if (!obj)
+ return errno = mach_port_move_member(mach_task_self(), name, MACH_PORT_NULL);
+
+ needed_size = (MACH_PORT_INDEX(name) + 1) * sizeof(void *);
+
+ if (needed_size > port_to_obj_size) {
+ if (port_to_obj == NULL) {
+ launchd_assumes((port_to_obj = calloc(1, needed_size * 2)) != NULL);
+ } else {
+ launchd_assumes((port_to_obj = reallocf(port_to_obj, needed_size * 2)) != NULL);
+ memset((uint8_t *)port_to_obj + port_to_obj_size, 0, needed_size * 2 - port_to_obj_size);
+ }
+ port_to_obj_size = needed_size * 2;
+ }
+
+ port_to_obj[MACH_PORT_INDEX(name)] = obj;
+
+ return errno = mach_port_move_member(mach_task_self(), name, readmsg ? ipc_port_set : demand_port_set);
+}
+
+kern_return_t
+launchd_mport_make_send(mach_port_t name)
+{
+ return errno = mach_port_insert_right(mach_task_self(), name, name, MACH_MSG_TYPE_MAKE_SEND);
+}
+
+kern_return_t
+launchd_mport_close_recv(mach_port_t name)
+{
+ if (launchd_assumes(port_to_obj != NULL)) {
+ port_to_obj[MACH_PORT_INDEX(name)] = NULL;
+ return errno = mach_port_mod_refs(mach_task_self(), name, MACH_PORT_RIGHT_RECEIVE, -1);
+ } else {
+ return errno = KERN_FAILURE;
+ }
+}
+
+kern_return_t
+launchd_mport_create_recv(mach_port_t *name)
+{
+ return errno = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, name);
+}
+
+kern_return_t
+launchd_mport_deallocate(mach_port_t name)
+{
+ return errno = mach_port_deallocate(mach_task_self(), name);
+}
+
+void
+audit_token_to_launchd_cred(audit_token_t au_tok, struct ldcred *ldc)
+{
+ audit_token_to_au32(au_tok, /* audit UID */ NULL,
+ &ldc->euid, &ldc->egid,
+ &ldc->uid, &ldc->gid, &ldc->pid,
+ &ldc->asid, /* au_tid_t */ NULL);
+}
+
+kern_return_t
+x_bootstrap_create_server(mach_port_t bp, cmd_t server_cmd, uid_t server_uid, boolean_t on_demand,
+ audit_token_t au_tok, mach_port_t *server_portp)
+{
+ struct jobcb *js, *j = job_find_by_port(bp);
+ struct ldcred ldc;
+
+ audit_token_to_launchd_cred(au_tok, &ldc);
+
+ job_log(j, LOG_DEBUG, "Server create attempt: %s", server_cmd);
+
+#define LET_MERE_MORTALS_ADD_SERVERS_TO_PID1
+ /* XXX - This code should go away once the per session launchd is integrated with the rest of the system */
+ #ifdef LET_MERE_MORTALS_ADD_SERVERS_TO_PID1
+ if (getpid() == 1) {
+ if (ldc.euid != 0 && ldc.euid != server_uid) {
+ job_log(j, LOG_WARNING, "Server create: \"%s\": Will run as UID %d, not UID %d as they told us to",
+ server_cmd, ldc.euid, server_uid);
+ server_uid = ldc.euid;
+ }
+ } else
+#endif
+ if (!trusted_client_check(j, &ldc)) {
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ } else if (server_uid != getuid()) {
+ job_log(j, LOG_WARNING, "Server create: \"%s\": As UID %d, we will not be able to switch to UID %d",
+ server_cmd, getuid(), server_uid);
+ server_uid = getuid();
+ }
+
+ js = job_new_via_mach_init(j, server_cmd, server_uid, on_demand);
+
+ if (js == NULL)
+ return BOOTSTRAP_NO_MEMORY;
+
+ *server_portp = job_get_bsport(js);
+ return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+x_bootstrap_getsocket(mach_port_t bp, name_t spr)
+{
+ if (!sockpath) {
+ return BOOTSTRAP_NO_MEMORY;
+ } else if (getpid() == 1) {
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+
+ strncpy(spr, sockpath, sizeof(name_t));
+
+ return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+x_bootstrap_unprivileged(mach_port_t bp, mach_port_t *unprivportp)
+{
+ struct jobcb *j = job_find_by_port(bp);
+
+ job_log(j, LOG_DEBUG, "Requested unprivileged bootstrap port");
+
+ j = job_get_bs(j);
+
+ *unprivportp = job_get_bsport(j);
+
+ return BOOTSTRAP_SUCCESS;
+}
+
+
+kern_return_t
+x_bootstrap_check_in(mach_port_t bp, name_t servicename, audit_token_t au_tok, mach_port_t *serviceportp)
+{
+ static pid_t last_warned_pid = 0;
+ struct jobcb *j = job_find_by_port(bp);
+ struct machservice *ms;
+ struct ldcred ldc;
+
+ audit_token_to_launchd_cred(au_tok, &ldc);
+
+ trusted_client_check(j, &ldc);
+
+ ms = job_lookup_service(j, servicename, true);
+
+ if (ms == NULL) {
+ job_log(j, LOG_DEBUG, "Check-in of Mach service failed. Unknown: %s", servicename);
+ return BOOTSTRAP_UNKNOWN_SERVICE;
+ }
+ if (machservice_job(ms) != j) {
+ if (last_warned_pid != ldc.pid) {
+ job_log(j, LOG_NOTICE, "Check-in of Mach service failed. PID %d is not privileged: %s",
+ ldc.pid, servicename);
+ last_warned_pid = ldc.pid;
+ }
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+ if (!canReceive(machservice_port(ms))) {
+ launchd_assumes(machservice_active(ms));
+ job_log(j, LOG_DEBUG, "Check-in of Mach service failed. Already active: %s", servicename);
+ return BOOTSTRAP_SERVICE_ACTIVE;
+ }
+
+ machservice_watch(ms);
+
+ job_log(j, LOG_INFO, "Check-in of service: %s", servicename);
+
+ *serviceportp = machservice_port(ms);
+ return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+x_bootstrap_register(mach_port_t bp, audit_token_t au_tok, name_t servicename, mach_port_t serviceport)
+{
+ struct jobcb *j = job_find_by_port(bp);
+ struct machservice *ms;
+ struct ldcred ldc;
+
+ audit_token_to_launchd_cred(au_tok, &ldc);
+
+ trusted_client_check(j, &ldc);
+
+ job_log(j, LOG_DEBUG, "Mach service registration attempt: %s", servicename);
+
+ ms = job_lookup_service(j, servicename, false);
+
+ if (ms) {
+ if (machservice_job(ms) != j)
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ if (machservice_active(ms)) {
+ job_log(j, LOG_DEBUG, "Mach service registration failed. Already active: %s", servicename);
+ launchd_assumes(!canReceive(machservice_port(ms)));
+ return BOOTSTRAP_SERVICE_ACTIVE;
+ }
+ job_checkin(machservice_job(ms));
+ machservice_delete(ms);
+ }
+
+ if (serviceport != MACH_PORT_NULL) {
+ if ((ms = machservice_new(job_get_bs(j), servicename, &serviceport))) {
+ machservice_watch(ms);
+ } else {
+ return BOOTSTRAP_NO_MEMORY;
+ }
+ }
+
+ return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+x_bootstrap_look_up(mach_port_t bp, audit_token_t au_tok, name_t servicename, mach_port_t *serviceportp, mach_msg_type_name_t *ptype)
+{
+ struct jobcb *j = job_find_by_port(bp);
+ struct machservice *ms;
+ struct ldcred ldc;
+
+ audit_token_to_launchd_cred(au_tok, &ldc);
+
+ trusted_client_check(j, &ldc);
+
+ ms = job_lookup_service(j, servicename, true);
+
+ if (ms && machservice_hidden(ms) && !job_active(machservice_job(ms))) {
+ ms = NULL;
+ }
+
+ if (ms) {
+ launchd_assumes(machservice_port(ms) != MACH_PORT_NULL);
+ job_log(j, LOG_DEBUG, "Mach service lookup (by PID %d): %s", ldc.pid, servicename);
+ *serviceportp = machservice_port(ms);
+ *ptype = MACH_MSG_TYPE_COPY_SEND;
+ return BOOTSTRAP_SUCCESS;
+ } else if (inherited_bootstrap_port != MACH_PORT_NULL) {
+ job_log(j, LOG_DEBUG, "Mach service lookup (by PID %d) forwarded: %s", ldc.pid, servicename);
+ *ptype = MACH_MSG_TYPE_MOVE_SEND;
+ return bootstrap_look_up(inherited_bootstrap_port, servicename, serviceportp);
+ } else {
+ job_log(j, LOG_DEBUG, "Mach service lookup (by PID %d) failed: %s", ldc.pid, servicename);
+ return BOOTSTRAP_UNKNOWN_SERVICE;
+ }
+}
+
+kern_return_t
+x_bootstrap_parent(mach_port_t bp, mach_port_t *parentport, mach_msg_type_name_t *pptype)
+{
+ struct jobcb *j = job_find_by_port(bp);
+
+ job_log(j, LOG_DEBUG, "Requested parent bootstrap port");
+
+ j = job_get_bs(j);
+
+ *pptype = MACH_MSG_TYPE_MAKE_SEND;
+
+ if (job_parent(j)) {
+ *parentport = job_get_bsport(job_parent(j));
+ } else if (MACH_PORT_NULL == inherited_bootstrap_port) {
+ *parentport = job_get_bsport(j);
+ } else {
+ *pptype = MACH_MSG_TYPE_COPY_SEND;
+ *parentport = inherited_bootstrap_port;
+ }
+ return BOOTSTRAP_SUCCESS;
+}
+
+static void
+x_bootstrap_info_countservices(struct machservice *ms, void *context)
+{
+ unsigned int *cnt = context;
+
+ (*cnt)++;
+}
+
+struct x_bootstrap_info_copyservices_cb {
+ name_array_t service_names;
+ bootstrap_status_array_t service_actives;
+ mach_port_array_t ports;
+ unsigned int i;
+};
+
+static void
+x_bootstrap_info_copyservices(struct machservice *ms, void *context)
+{
+ struct x_bootstrap_info_copyservices_cb *info_resp = context;
+
+ strlcpy(info_resp->service_names[info_resp->i], machservice_name(ms), sizeof(info_resp->service_names[0]));
+
+ launchd_assumes(info_resp->service_actives || info_resp->ports);
+
+ if (info_resp->service_actives) {
+ info_resp->service_actives[info_resp->i] = machservice_status(ms);
+ } else {
+ info_resp->ports[info_resp->i] = machservice_port(ms);
+ }
+ info_resp->i++;
+}
+
+kern_return_t
+x_bootstrap_info(mach_port_t bp, name_array_t *servicenamesp, unsigned int *servicenames_cnt,
+ bootstrap_status_array_t *serviceactivesp, unsigned int *serviceactives_cnt)
+{
+ struct x_bootstrap_info_copyservices_cb info_resp = { NULL, NULL, NULL, 0 };
+ struct jobcb *ji, *j = job_find_by_port(bp);
+ kern_return_t result;
+ unsigned int cnt = 0;
+
+ for (ji = j; ji; ji = job_parent(ji))
+ job_foreach_service(ji, x_bootstrap_info_countservices, &cnt, true);
+
+ result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.service_names, cnt * sizeof(info_resp.service_names[0]), true);
+ if (!launchd_assumes(result == KERN_SUCCESS))
+ goto out_bad;
+
+ result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.service_actives, cnt * sizeof(info_resp.service_actives[0]), true);
+ if (!launchd_assumes(result == KERN_SUCCESS))
+ goto out_bad;
+
+ for (ji = j; ji; ji = job_parent(ji))
+ job_foreach_service(ji, x_bootstrap_info_copyservices, &info_resp, true);
+
+ launchd_assumes(info_resp.i == cnt);
+
+ *servicenamesp = info_resp.service_names;
+ *serviceactivesp = info_resp.service_actives;
+ *servicenames_cnt = *serviceactives_cnt = cnt;
+
+ return BOOTSTRAP_SUCCESS;
+
+out_bad:
+ if (info_resp.service_names)
+ vm_deallocate(mach_task_self(), (vm_address_t)info_resp.service_names, cnt * sizeof(info_resp.service_names[0]));
+
+ return BOOTSTRAP_NO_MEMORY;
+}
+
+kern_return_t
+x_bootstrap_transfer_subset(mach_port_t bp, mach_port_t *reqport, mach_port_t *rcvright,
+ name_array_t *servicenamesp, unsigned int *servicenames_cnt,
+ mach_port_array_t *ports, unsigned int *ports_cnt)
+{
+ struct x_bootstrap_info_copyservices_cb info_resp = { NULL, NULL, NULL, 0 };
+ struct jobcb *j = job_find_by_port(bp);
+ unsigned int cnt = 0;
+ kern_return_t result;
+
+ if (getpid() != 1) {
+ job_log(j, LOG_ERR, "Only the system launchd will transfer Mach sub-bootstraps.");
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ } else if (!job_parent(j)) {
+ job_log(j, LOG_ERR, "Root Mach bootstrap cannot be transferred.");
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+
+ job_log(j, LOG_DEBUG, "Transferring sub-bootstrap to the per session launchd.");
+
+ job_foreach_service(j, x_bootstrap_info_countservices, &cnt, false);
+
+ result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.service_names, cnt * sizeof(info_resp.service_names[0]), true);
+ if (!launchd_assumes(result == KERN_SUCCESS))
+ goto out_bad;
+
+ result = vm_allocate(mach_task_self(), (vm_address_t *)&info_resp.ports, cnt * sizeof(info_resp.ports[0]), true);
+ if (!launchd_assumes(result == KERN_SUCCESS))
+ goto out_bad;
+
+ job_foreach_service(j, x_bootstrap_info_copyservices, &info_resp, false);
+
+ launchd_assumes(info_resp.i == cnt);
+
+ *servicenamesp = info_resp.service_names;
+ *ports = info_resp.ports;
+ *servicenames_cnt = *ports_cnt = cnt;
+
+ *reqport = job_get_reqport(j);
+ *rcvright = job_get_bsport(j);
+
+ launchd_assumes(launchd_mport_request_callback(*rcvright, NULL, true) == KERN_SUCCESS);
+
+ launchd_assumes(launchd_mport_make_send(*rcvright) == KERN_SUCCESS);
+
+ return BOOTSTRAP_SUCCESS;
+
+out_bad:
+ if (info_resp.service_names)
+ vm_deallocate(mach_task_self(), (vm_address_t)info_resp.service_names, cnt * sizeof(info_resp.service_names[0]));
+
+ return BOOTSTRAP_NO_MEMORY;
+}
+
+kern_return_t
+x_bootstrap_subset(mach_port_t bp, mach_port_t requestorport, mach_port_t *subsetportp)
+{
+ struct jobcb *js, *j = job_find_by_port(bp);
+ int bsdepth = 0;
+
+ while ((j = job_parent(j)) != NULL)
+ bsdepth++;
+
+ j = job_find_by_port(bp);
+
+ /* Since we use recursion, we need an artificial depth for subsets */
+ if (bsdepth > 100) {
+ job_log(j, LOG_ERR, "Mach sub-bootstrap create request failed. Depth greater than: %d", bsdepth);
+ return BOOTSTRAP_NO_MEMORY;
+ }
+
+ if ((js = job_new_bootstrap(j, requestorport, MACH_PORT_NULL)) == NULL) {
+ if (requestorport == MACH_PORT_NULL)
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ return BOOTSTRAP_NO_MEMORY;
+ }
+
+ *subsetportp = job_get_bsport(js);
+ return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+x_bootstrap_create_service(mach_port_t bp, name_t servicename, mach_port_t *serviceportp)
+{
+ struct jobcb *j = job_find_by_port(bp);
+ struct machservice *ms;
+
+ if (job_prog(j)[0] == '\0') {
+ job_log(j, LOG_ERR, "Mach service creation requires a target server: %s", servicename);
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+
+ ms = job_lookup_service(j, servicename, false);
+ if (ms) {
+ job_log(j, LOG_DEBUG, "Mach service creation attempt for failed. Already exists: %s", servicename);
+ return BOOTSTRAP_NAME_IN_USE;
+ }
+
+ job_checkin(j);
+
+ *serviceportp = MACH_PORT_NULL;
+ ms = machservice_new(j, servicename, serviceportp);
+
+ if (!launchd_assumes(ms != NULL))
+ goto out_bad;
+
+ return BOOTSTRAP_SUCCESS;
+
+out_bad:
+ launchd_assumes(launchd_mport_close_recv(*serviceportp) == KERN_SUCCESS);
+ return BOOTSTRAP_NO_MEMORY;
+}
+
+kern_return_t
+x_mpm_wait(mach_port_t bp, mach_port_t srp, audit_token_t au_tok, integer_t *waitstatus)
+{
+ struct jobcb *j = job_find_by_port(bp);
+#if 0
+ struct ldcred ldc;
+ audit_token_to_launchd_cred(au_tok, &ldc);
+#endif
+ return job_handle_mpm_wait(j, srp, waitstatus);
+}
+
+kern_return_t
+x_mpm_uncork_fork(mach_port_t bp, audit_token_t au_tok)
+{
+ struct jobcb *j = job_find_by_port(bp);
+
+ if (!j)
+ return BOOTSTRAP_NOT_PRIVILEGED;
+
+ job_uncork_fork(j);
+
+ return 0;
+}
+
+kern_return_t
+x_mpm_spawn(mach_port_t bp, audit_token_t au_tok,
+ _internal_string_t charbuf, mach_msg_type_number_t charbuf_cnt,
+ uint32_t argc, uint32_t envc, uint64_t flags, uint16_t mig_umask,
+ pid_t *child_pid, mach_port_t *obsvr_port)
+{
+ struct jobcb *jr, *j = job_find_by_port(bp);
+ struct ldcred ldc;
+ size_t offset = 0;
+ char *tmpp;
+ const char **argv = NULL, **env = NULL;
+ const char *label = NULL;
+ const char *path = NULL;
+ const char *workingdir = NULL;
+ size_t argv_i = 0, env_i = 0;
+
+ audit_token_to_launchd_cred(au_tok, &ldc);
+
+#if 0
+ if (ldc.asid != inherited_asid) {
+ job_log(j, LOG_ERR, "Security: PID %d (ASID %d) was denied a request to spawn a process in this session (ASID %d)",
+ ldc.pid, ldc.asid, inherited_asid);
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+#endif
+
+ argv = alloca((argc + 1) * sizeof(char *));
+ memset(argv, 0, (argc + 1) * sizeof(char *));
+
+ if (envc > 0) {
+ env = alloca((envc + 1) * sizeof(char *));
+ memset(env, 0, (envc + 1) * sizeof(char *));
+ }
+
+ while (offset < charbuf_cnt) {
+ tmpp = charbuf + offset;
+ offset += strlen(tmpp) + 1;
+ if (!label) {
+ label = tmpp;
+ } else if (argc > 0) {
+ argv[argv_i] = tmpp;
+ argv_i++;
+ argc--;
+ } else if (envc > 0) {
+ env[env_i] = tmpp;
+ env_i++;
+ envc--;
+ } else if (flags & SPAWN_HAS_PATH) {
+ path = tmpp;
+ flags &= ~SPAWN_HAS_PATH;
+ } else if (flags & SPAWN_HAS_WDIR) {
+ workingdir = tmpp;
+ flags &= ~SPAWN_HAS_WDIR;
+ }
+ }
+
+ jr = job_new_spawn(label, path, workingdir, argv, env, flags & SPAWN_HAS_UMASK ? &mig_umask : NULL,
+ flags & SPAWN_WANTS_WAIT4DEBUGGER, flags & SPAWN_WANTS_FORCE_PPC);
+
+ if (jr == NULL) switch (errno) {
+ case EEXIST:
+ return BOOTSTRAP_NAME_IN_USE;
+ default:
+ return BOOTSTRAP_NO_MEMORY;
+ }
+
+ job_log(j, LOG_INFO, "Spawned with flags:%s%s",
+ flags & SPAWN_WANTS_FORCE_PPC ? " ppc": "",
+ flags & SPAWN_WANTS_WAIT4DEBUGGER ? " stopped": "");
+
+ *child_pid = job_get_pid(jr);
+ *obsvr_port = job_get_bsport(jr);
+
+ return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+do_mach_notify_port_destroyed(mach_port_t notify, mach_port_t rights)
+{
+ /* This message is sent to us when a receive right is returned to us. */
+
+ if (!job_ack_port_destruction(root_job, rights)) {
+ launchd_assumes(launchd_mport_close_recv(rights) == KERN_SUCCESS);
+ }
+
+ return KERN_SUCCESS;
+}
+
+kern_return_t
+do_mach_notify_port_deleted(mach_port_t notify, mach_port_name_t name)
+{
+ /* If we deallocate/destroy/mod_ref away a port with a pending notification,
+ * the original notification message is replaced with this message.
+ *
+ * To quote a Mach kernel expert, "the kernel has a send-once right that has
+ * to be used somehow."
+ */
+ return KERN_SUCCESS;
+}
+
+kern_return_t
+do_mach_notify_no_senders(mach_port_t notify, mach_port_mscount_t mscount)
+{
+ struct jobcb *j = job_find_by_port(notify);
+
+ /* This message is sent to us when the last customer of one of our objects
+ * goes away.
+ */
+
+ if (!launchd_assumes(j != NULL))
+ return KERN_FAILURE;
+
+ job_ack_no_senders(j);
+
+ return KERN_SUCCESS;
+}
+
+kern_return_t
+do_mach_notify_send_once(mach_port_t notify)
+{
+ /*
+ * This message is sent to us every time we close a port that we have
+ * outstanding Mach notification requests on. We can safely ignore
+ * this message.
+ */
+ return KERN_SUCCESS;
+}
+
+kern_return_t
+do_mach_notify_dead_name(mach_port_t notify, mach_port_name_t name)
+{
+ /* This message is sent to us when one of our send rights no longer has
+ * a receiver somewhere else on the system.
+ */
+
+ if (name == inherited_bootstrap_port) {
+ launchd_assumes(launchd_mport_deallocate(name) == KERN_SUCCESS);
+ inherited_bootstrap_port = MACH_PORT_NULL;
+ }
+
+ job_delete_anything_with_port(root_job, name);
+
+ /* A dead-name notification about a port appears to increment the
+ * rights on said port. Let's deallocate it so that we don't leak
+ * dead-name ports.
+ */
+ launchd_assumes(launchd_mport_deallocate(name) == KERN_SUCCESS);
+
+ return KERN_SUCCESS;
+}
+
+bool
+trusted_client_check(struct jobcb *j, struct ldcred *ldc)
+{
+ static pid_t last_warned_pid = 0;
+
+ /* In the long run, we wish to enforce the progeny rule, but for now,
+ * we'll let root and the user be forgiven. Once we get CoreProcesses
+ * to switch to using launchd rather than the WindowServer for indirect
+ * process invocation, we can then seriously look at cranking up the
+ * warning level here.
+ */
+
+ if (inherited_asid == ldc->asid)
+ return true;
+ if (progeny_check(ldc->pid))
+ return true;
+ if (ldc->euid == geteuid())
+ return true;
+ if (ldc->euid == 0 && ldc->uid == 0)
+ return true;
+ if (last_warned_pid == ldc->pid)
+ return false;
+
+ job_log(j, LOG_NOTICE, "Security: PID %d (ASID %d) was leaked into this session (ASID %d). This will be denied in the future.", ldc->pid, ldc->asid, inherited_asid);
+
+ last_warned_pid = ldc->pid;
+
+ return false;
+}
projects / apple / launchd.git / blobdiff