2 * Copyright (c) 2004-2007 Apple Inc. All rights reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
20 * @APPLE_LICENSE_HEADER_END@
24 #include <sys/errno.h>
25 #include <mach/mach.h>
26 #include "membership.h"
27 #include "membershipPriv.h"
28 #include <servers/bootstrap.h>
29 #include <libkern/OSByteOrder.h>
31 #include <DSmemberdMIG.h>
32 #include <DSmemberdMIG_types.h>
36 extern mach_port_t _mbr_port
;
37 extern int _ds_running(void);
39 static const uint8_t _mbr_root_uuid
[] = {0xff, 0xff, 0xee, 0xee, 0xdd, 0xdd, 0xcc, 0xcc, 0xbb, 0xbb, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00};
41 #define MAX_LOOKUP_ATTEMPTS 10
44 __private_extern__ uid_t
45 audit_token_uid(audit_token_t a
)
48 * This should really call audit_token_to_au32,
49 * but that's in libbsm, not in a Libsystem library.
51 return (uid_t
)a
.val
[1];
56 _mbr_MembershipCall(struct kauth_identity_extlookup
*req
)
62 if (_ds_running() == 0) return EIO
;
63 if (_mbr_port
== MACH_PORT_NULL
) return EIO
;
65 memset(&token
, 0, sizeof(audit_token_t
));
67 status
= MIG_SERVER_DIED
;
68 for (i
= 0; (_mbr_port
!= MACH_PORT_NULL
) && (status
== MIG_SERVER_DIED
) && (i
< MAX_LOOKUP_ATTEMPTS
); i
++)
70 status
= memberdDSmig_MembershipCall(_mbr_port
, req
, &token
);
71 if (status
== MACH_SEND_INVALID_DEST
)
73 mach_port_mod_refs(mach_task_self(), _mbr_port
, MACH_PORT_RIGHT_SEND
, -1);
74 _mbr_port
= MACH_PORT_NULL
;
76 status
= MIG_SERVER_DIED
;
80 if (status
!= KERN_SUCCESS
) return EIO
;
81 if (audit_token_uid(token
) != 0) return EAUTH
;
89 _mbr_MapName(char *name
, int type
, guid_t
*uu
)
95 if (name
== NULL
) return EINVAL
;
96 if (strlen(name
) > 255) return EINVAL
;
98 if (_ds_running() == 0) return EIO
;
99 if (_mbr_port
== MACH_PORT_NULL
) return EIO
;
101 memset(&token
, 0, sizeof(audit_token_t
));
103 status
= MIG_SERVER_DIED
;
104 for (i
= 0; (_mbr_port
!= MACH_PORT_NULL
) && (status
== MIG_SERVER_DIED
) && (i
< MAX_LOOKUP_ATTEMPTS
); i
++)
106 status
= memberdDSmig_MapName(_mbr_port
, type
, name
, uu
, &token
);
107 if (status
== KERN_FAILURE
) return ENOENT
;
109 if (status
== MACH_SEND_INVALID_DEST
)
111 mach_port_mod_refs(mach_task_self(), _mbr_port
, MACH_PORT_RIGHT_SEND
, -1);
112 _mbr_port
= MACH_PORT_NULL
;
114 status
= MIG_SERVER_DIED
;
118 if (status
!= KERN_SUCCESS
) return EIO
;
119 if (audit_token_uid(token
) != 0) return EAUTH
;
129 kern_return_t status
;
132 if (_ds_running() == 0) return EIO
;
133 if (_mbr_port
== MACH_PORT_NULL
) return EIO
;
135 status
= MIG_SERVER_DIED
;
136 for (i
= 0; (_mbr_port
!= MACH_PORT_NULL
) && (status
== MIG_SERVER_DIED
) && (i
< MAX_LOOKUP_ATTEMPTS
); i
++)
138 status
= memberdDSmig_ClearCache(_mbr_port
);
139 if (status
== MACH_SEND_INVALID_DEST
)
141 mach_port_mod_refs(mach_task_self(), _mbr_port
, MACH_PORT_RIGHT_SEND
, -1);
142 _mbr_port
= MACH_PORT_NULL
;
144 status
= MIG_SERVER_DIED
;
148 if (status
!= KERN_SUCCESS
) return EIO
;
155 mbr_uid_to_uuid(uid_t id
, uuid_t uu
)
158 struct kauth_identity_extlookup request
;
163 memcpy(uu
, _mbr_root_uuid
, sizeof(uuid_t
));
167 /* used as a byte order field */
168 request
.el_seqno
= 1;
169 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UID
| KAUTH_EXTLOOKUP_WANT_UGUID
;
172 status
= _mbr_MembershipCall(&request
);
173 if (status
!= 0) return status
;
174 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_UGUID
) == 0) return ENOENT
;
176 memcpy(uu
, &request
.el_uguid
, sizeof(guid_t
));
184 mbr_gid_to_uuid(gid_t id
, uuid_t uu
)
187 struct kauth_identity_extlookup request
;
190 request
.el_seqno
= 1;
191 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_GID
| KAUTH_EXTLOOKUP_WANT_GGUID
;
194 status
= _mbr_MembershipCall(&request
);
195 if (status
!= 0) return status
;
196 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GGUID
) == 0) return ENOENT
;
198 memcpy(uu
, &request
.el_gguid
, sizeof(guid_t
));
206 mbr_uuid_to_id(const uuid_t uu
, uid_t
*id
, int *id_type
)
209 struct kauth_identity_extlookup request
;
212 if (id
== NULL
) return EIO
;
213 if (id_type
== NULL
) return EIO
;
215 if (!memcmp(uu
, _mbr_root_uuid
, sizeof(uuid_t
)))
218 *id_type
= ID_TYPE_UID
;
222 request
.el_seqno
= 1;
223 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_UID
| KAUTH_EXTLOOKUP_WANT_GID
;
224 memcpy(&request
.el_uguid
, uu
, sizeof(guid_t
));
225 memcpy(&request
.el_gguid
, uu
, sizeof(guid_t
));
227 status
= _mbr_MembershipCall(&request
);
228 if (status
!= 0) return status
;
230 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_UID
) != 0)
232 *id
= request
.el_uid
;
233 *id_type
= ID_TYPE_UID
;
235 else if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GID
) != 0)
237 *id
= request
.el_gid
;
238 *id_type
= ID_TYPE_GID
;
252 mbr_sid_to_uuid(const nt_sid_t
*sid
, uuid_t uu
)
255 struct kauth_identity_extlookup request
;
258 request
.el_seqno
= 1;
259 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_GSID
| KAUTH_EXTLOOKUP_WANT_GGUID
| KAUTH_EXTLOOKUP_VALID_USID
| KAUTH_EXTLOOKUP_WANT_UGUID
;
260 memset(&request
.el_gsid
, 0, sizeof(ntsid_t
));
261 memcpy(&request
.el_gsid
, sid
, KAUTH_NTSID_SIZE(sid
));
262 memset(&request
.el_usid
, 0, sizeof(ntsid_t
));
263 memcpy(&request
.el_usid
, sid
, KAUTH_NTSID_SIZE(sid
));
265 status
= _mbr_MembershipCall(&request
);
266 if (status
!= 0) return status
;
268 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GGUID
) != 0) memcpy(uu
, &request
.el_gguid
, sizeof(guid_t
));
269 else if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_UGUID
) != 0) memcpy(uu
, &request
.el_uguid
, sizeof(guid_t
));
279 mbr_identifier_to_uuid(int id_type
, const void *identifier
, size_t identifier_size
, uuid_t uu
)
282 kern_return_t status
;
285 mach_msg_type_number_t oolCnt
= 0;
291 if (identifier
== NULL
) return EINVAL
;
292 if (identifier_size
== 0) return EINVAL
;
293 else if (identifier_size
== -1) identifier_size
= strlen((char*) identifier
) + 1;
295 if (_ds_running() == 0) return EIO
;
296 if (_mbr_port
== MACH_PORT_NULL
) return EIO
;
298 memset(&token
, 0, sizeof(audit_token_t
));
305 if (identifier_size
< sizeof(id_t
)) return EINVAL
;
306 newID
= OSSwapInt32(*((id_t
*) identifier
));
312 if (identifier_size
> MAX_MIG_INLINE_DATA
)
314 if (vm_read(mach_task_self(), (vm_offset_t
) identifier
, identifier_size
, &ool
, &oolCnt
) != 0) return ENOMEM
;
319 status
= MIG_SERVER_DIED
;
320 for (i
= 0; (_mbr_port
!= MACH_PORT_NULL
) && (status
== MIG_SERVER_DIED
) && (i
< MAX_LOOKUP_ATTEMPTS
); i
++)
322 status
= memberdDSmig_MapIdentifier(_mbr_port
, id_type
, (vm_offset_t
)identifier
, identifier_size
, ool
, oolCnt
, uu
, &token
);
323 if (status
== KERN_FAILURE
) return ENOENT
;
325 if (status
== MACH_SEND_INVALID_DEST
)
327 if (ool
!= 0) vm_deallocate(mach_task_self(), ool
, oolCnt
);
329 mach_port_mod_refs(mach_task_self(), _mbr_port
, MACH_PORT_RIGHT_SEND
, -1);
330 _mbr_port
= MACH_PORT_NULL
;
332 status
= MIG_SERVER_DIED
;
336 if (status
!= KERN_SUCCESS
) return EIO
;
337 if (audit_token_uid(token
) != 0) return EAUTH
;
346 mbr_uuid_to_sid_type(const uuid_t uu
, nt_sid_t
*sid
, int *id_type
)
349 struct kauth_identity_extlookup request
;
352 request
.el_seqno
= 1;
353 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_USID
| KAUTH_EXTLOOKUP_WANT_GSID
;
354 memcpy(&request
.el_uguid
, uu
, sizeof(guid_t
));
355 memcpy(&request
.el_gguid
, uu
, sizeof(guid_t
));
357 status
= _mbr_MembershipCall(&request
);
358 if (status
!= 0) return status
;
360 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_USID
) != 0)
362 *id_type
= SID_TYPE_USER
;
363 memcpy(sid
, &request
.el_usid
, sizeof(nt_sid_t
));
365 else if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GSID
) != 0)
367 *id_type
= SID_TYPE_GROUP
;
368 memcpy(sid
, &request
.el_gsid
, sizeof(nt_sid_t
));
382 mbr_uuid_to_sid(const uuid_t uu
, nt_sid_t
*sid
)
389 status
= mbr_uuid_to_sid_type(uu
, sid
, &type
);
390 if (status
!= 0) return status
;
399 mbr_check_membership(uuid_t user
, uuid_t group
, int *ismember
)
402 struct kauth_identity_extlookup request
;
405 request
.el_seqno
= 1;
406 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
;
407 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
408 memcpy(&request
.el_gguid
, group
, sizeof(guid_t
));
410 status
= _mbr_MembershipCall(&request
);
411 if (status
!= 0) return status
;
412 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) == 0) return ENOENT
;
414 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
422 mbr_check_membership_refresh(const uuid_t user
, uuid_t group
, int *ismember
)
425 struct kauth_identity_extlookup request
;
428 request
.el_seqno
= 1;
429 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
| (1<<15);
430 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
431 memcpy(&request
.el_gguid
, group
, sizeof(guid_t
));
433 status
= _mbr_MembershipCall(&request
);
434 if (status
!= 0) return status
;
435 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) == 0) return ENOENT
;
437 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
445 mbr_check_membership_by_id(uuid_t user
, gid_t group
, int *ismember
)
448 struct kauth_identity_extlookup request
;
451 request
.el_seqno
= 1;
452 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
;
453 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
454 request
.el_gid
= group
;
456 status
= _mbr_MembershipCall(&request
);
457 if (status
!= 0) return status
;
458 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) == 0) return ENOENT
;
460 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
471 return _mbr_ClearCache();
478 mbr_user_name_to_uuid(const char *name
, uuid_t uu
)
481 return _mbr_MapName((char *)name
, 1, (guid_t
*)uu
);
488 mbr_group_name_to_uuid(const char *name
, uuid_t uu
)
491 return _mbr_MapName((char *)name
, 0, (guid_t
*)uu
);
498 mbr_check_service_membership(const uuid_t user
, const char *servicename
, int *ismember
)
501 char *prefix
= "com.apple.access_";
502 char *all_services
= "com.apple.access_all_services";
507 if (servicename
== NULL
) return EINVAL
;
508 if (strlen(servicename
) > 255 - strlen(prefix
)) return EINVAL
;
510 /* start by checking "all services" */
511 result
= mbr_group_name_to_uuid(all_services
, group_uu
);
513 if (result
== EAUTH
) return result
;
515 if (result
== ENOENT
)
517 /* all_services group didn't exist, check individual group */
518 memcpy(groupName
, prefix
, strlen(prefix
));
519 strcpy(groupName
+ strlen(prefix
), servicename
);
520 result
= mbr_group_name_to_uuid(groupName
, group_uu
);
525 result
= mbr_check_membership_refresh(user
, group_uu
, ismember
);
527 else if (result
== EAUTH
)
533 /* just force cache update with bogus membership check */
534 memset(group_uu
, 0, sizeof(group_uu
));
535 mbr_check_membership_refresh(user
, group_uu
, &dummy
);
546 ConvertBytesToDecimal(char *buffer
, unsigned long long value
)
559 *temp
= '0' + (value
% 10);
568 mbr_sid_to_string(const nt_sid_t
*sid
, char *string
)
571 char *current
= string
;
576 if (sid
->sid_authcount
> NTSID_MAX_AUTHORITIES
) return EINVAL
;
578 for (i
= 0; i
< 6; i
++)
579 temp
= (temp
<< 8) | sid
->sid_authority
[i
];
584 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, sid
->sid_kind
));
585 current
= current
+ strlen(current
);
588 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, temp
));
590 for(i
=0; i
< sid
->sid_authcount
; i
++)
592 current
= current
+ strlen(current
);
595 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, sid
->sid_authorities
[i
]));
605 mbr_string_to_sid(const char *string
, nt_sid_t
*sid
)
608 char *current
= (char *)string
+2;
612 if (string
== NULL
) return EINVAL
;
614 memset(sid
, 0, sizeof(nt_sid_t
));
615 if (string
[0] != 'S' || string
[1] != '-') return EINVAL
;
617 sid
->sid_kind
= strtol(current
, ¤t
, 10);
618 if (*current
== '\0') return EINVAL
;
620 temp
= strtoll(current
, ¤t
, 10);
622 /* convert to BigEndian before copying */
623 temp
= OSSwapHostToBigInt64(temp
);
624 memcpy(sid
->sid_authority
, ((char*)&temp
)+2, 6);
625 while (*current
!= '\0' && count
< NTSID_MAX_AUTHORITIES
)
628 sid
->sid_authorities
[count
] = (u_int32_t
)strtoll(current
, ¤t
, 10);
632 if (*current
!= '\0') return EINVAL
;
634 sid
->sid_authcount
= count
;
644 ConvertBytesToHex(char **string
, char **data
, int numBytes
)
648 for (i
=0; i
< numBytes
; i
++)
650 unsigned char hi
= ((**data
) >> 4) & 0xf;
651 unsigned char low
= (**data
) & 0xf;
655 **string
= 'A' + hi
- 10;
660 **string
= '0' + low
;
662 **string
= 'A' + low
- 10;
671 mbr_uuid_to_string(const uuid_t uu
, char *string
)
674 char *guid
= (char*)uu
;
675 char *strPtr
= string
;
676 ConvertBytesToHex(&strPtr
, &guid
, 4);
677 *strPtr
= '-'; strPtr
++;
678 ConvertBytesToHex(&strPtr
, &guid
, 2);
679 *strPtr
= '-'; strPtr
++;
680 ConvertBytesToHex(&strPtr
, &guid
, 2);
681 *strPtr
= '-'; strPtr
++;
682 ConvertBytesToHex(&strPtr
, &guid
, 2);
683 *strPtr
= '-'; strPtr
++;
684 ConvertBytesToHex(&strPtr
, &guid
, 6);
694 mbr_string_to_uuid(const char *string
, uuid_t uu
)
698 int isFirstNibble
= 1;
700 if (string
== NULL
) return EINVAL
;
701 if (strlen(string
) > MBR_UU_STRING_SIZE
) return EINVAL
;
703 while (*string
!= '\0' && dataIndex
< 16)
707 if (*string
>= '0' && *string
<= '9')
708 nibble
= *string
- '0';
709 else if (*string
>= 'A' && *string
<= 'F')
710 nibble
= *string
- 'A' + 10;
711 else if (*string
>= 'a' && *string
<= 'f')
712 nibble
= *string
- 'a' + 10;
723 uu
[dataIndex
] = nibble
<< 4;
728 uu
[dataIndex
] |= nibble
;
736 if (dataIndex
!= 16) return EINVAL
;