[apple/security.git] / OSX / sec / Security / SecItemRateLimit.m

/*
 * Copyright (c) 2020 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#import "SecItemRateLimit.h"
#import "SecItemRateLimit_tests.h"

#import <utilities/debugging.h>
#import <utilities/SecInternalReleasePriv.h>
#import "ipc/securityd_client.h"

#import <sys/codesign.h>
#import <os/feature_private.h>

// Dressed-down version of RateLimiter which directly computes the rate of one bucket and resets when it runs out of tokens

// Broken out so the test-only reset method can reinit this
static SecItemRateLimit* ratelimit;

@implementation SecItemRateLimit {
    bool _forceEnabled;
    dispatch_queue_t _dataQueue;
}

+ (instancetype)instance {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        ratelimit = [SecItemRateLimit new];
    });
    return ratelimit;
}

- (instancetype)init {
    if (self = [super init]) {
        _roCapacity = 25; 	// allow burst of this size
        _roRate = 3.0;      // allow sustained rate of this many per second
        _rwCapacity = 25;
        _rwRate = 1.0;
        _roBucket = nil;
        _rwBucket = nil;
        _forceEnabled = false;
        _limitMultiplier = 5.0;     // Multiply capacity and rate by this much after exceeding limit
        _dataQueue = dispatch_queue_create("com.apple.keychain.secitemratelimit.dataqueue", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL);
    }

    return self;
}

- (bool)isEnabled {
    return _forceEnabled || [self shouldCountAPICalls];
}

- (void)forceEnabled:(bool)force {
    _forceEnabled = force;
    secnotice("secitemratelimit", "%sorcing SIRL to be enabled (effective: %i)", force ? "F" : "Not f", [self isEnabled]);
}

- (bool)isReadOnlyAPICallWithinLimits {
    if (![self consumeTokenFromBucket:false]) {
        secnotice("secitemratelimit", "Readonly API rate exceeded");
        return false;
    } else {
        return true;
    }
}

- (bool)isModifyingAPICallWithinLimits {
    if (![self consumeTokenFromBucket:true]) {
        secnotice("secitemratelimit", "Modifying API rate exceeded");
        return false;
    } else {
        return true;
    }
}

- (bool)consumeTokenFromBucket:(bool)readwrite {
    if (![self shouldCountAPICalls] && !_forceEnabled) {
        return true;
    }

    __block bool ok = false;
    dispatch_sync(_dataQueue, ^{
        int* capacity = readwrite ? &_rwCapacity : &_roCapacity;
        double* rate = readwrite ? &_rwRate : &_roRate;
        NSDate* __strong* bucket = readwrite ? &_rwBucket : &_roBucket;

        NSDate* now = [NSDate now];
        NSDate* fullBucket = [now dateByAddingTimeInterval:-(*capacity * (1.0 / *rate))];
        // bucket has more tokens than a 'full' bucket? This prevents occasional-but-bursty activity slipping through
        if (!*bucket || [*bucket timeIntervalSinceDate: fullBucket] < 0) {
            *bucket = fullBucket;
        }

        *bucket = [*bucket dateByAddingTimeInterval:1.0 / *rate];
        ok = [*bucket timeIntervalSinceDate:now] <= 0;

        // Get a new bucket next time so we only complain every now and then
        if (!ok) {
            *bucket = nil;
            *capacity *= _limitMultiplier;
            *rate *= _limitMultiplier;
        }
    });

    return ok;
}

- (bool)shouldCountAPICalls {
    static bool shouldCount = false;
    static dispatch_once_t shouldCountToken;
    dispatch_once(&shouldCountToken, ^{
        if (!SecIsInternalRelease()) {
            secnotice("secitemratelimit", "Not internal release, disabling SIRL");
            return;
        }

        // gSecurityd is the XPC elision mechanism for testing; don't want simcrashes during tests
        if (gSecurityd != nil) {
            secnotice("secitemratelimit", "gSecurityd non-nil, disabling SIRL for testing");
            return;
        }

        if (!os_feature_enabled(Security, SecItemRateLimiting)) {
            secnotice("secitemratelimit", "SIRL disabled via feature flag");
            return;
        }

        SecTaskRef task = SecTaskCreateFromSelf(NULL);
        NSMutableArray* exempt = [NSMutableArray arrayWithArray:@[@"com.apple.pcsstatus", @"com.apple.protectedcloudstorage.protectedcloudkeysyncing", @"com.apple.cloudd", @"com.apple.pcsctl"]];
        CFStringRef identifier = NULL;
        require_action_quiet(task, cleanup, secerror("secitemratelimit: unable to get task from self, disabling SIRL"));

        // If not a valid or debugged platform binary, don't count
        uint32_t flags = SecTaskGetCodeSignStatus(task);
        require_action_quiet((flags & (CS_VALID | CS_PLATFORM_BINARY | CS_PLATFORM_PATH)) == (CS_VALID | CS_PLATFORM_BINARY) ||
                             (flags & (CS_DEBUGGED | CS_PLATFORM_BINARY | CS_PLATFORM_PATH)) == (CS_DEBUGGED | CS_PLATFORM_BINARY),
                             cleanup, secnotice("secitemratelimit", "Not valid/debugged platform binary, disabling SIRL"));

        // Some processes have legitimate need to query or modify a large number of items
        identifier = SecTaskCopySigningIdentifier(task, NULL);
        require_action_quiet(identifier, cleanup, secerror("secitemratelimit: unable to get signing identifier, disabling SIRL"));
#if TARGET_OS_OSX
        [exempt addObjectsFromArray:@[@"com.apple.keychainaccess", @"com.apple.Safari"]];
#elif TARGET_OS_IOS
        [exempt addObjectsFromArray:@[@"com.apple.mobilesafari", @"com.apple.Preferences"]];
#endif
        if ([exempt containsObject:(__bridge NSString*)identifier]) {
            secnotice("secitemratelimit", "%@ exempt from SIRL", identifier);
            goto cleanup;
        }

        secnotice("secitemratelimit", "valid/debugged platform binary %@ on internal release, enabling SIRL", identifier);
        shouldCount = true;

cleanup:
        CFReleaseNull(task);
        CFReleaseNull(identifier);
    });
    return shouldCount;
}

// Testing
+ (instancetype)getStaticRateLimit {
    return [SecItemRateLimit instance];
}

// Testing and super thread-UNsafe. Caveat emptor.
+ (void)resetStaticRateLimit {
	ratelimit = [SecItemRateLimit new];
}

@end

bool isReadOnlyAPIRateWithinLimits(void) {
    return [[SecItemRateLimit instance] isReadOnlyAPICallWithinLimits];
}

bool isModifyingAPIRateWithinLimits(void) {
    return [[SecItemRateLimit instance] isModifyingAPICallWithinLimits];
}
Commit	Line	Data
d64be36e A	1	/*
	2	* Copyright (c) 2020 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#import "SecItemRateLimit.h"
	25	#import "SecItemRateLimit_tests.h"
	26
	27	#import <utilities/debugging.h>
	28	#import <utilities/SecInternalReleasePriv.h>
	29	#import "ipc/securityd_client.h"
	30
	31	#import <sys/codesign.h>
	32	#import <os/feature_private.h>
	33
	34	// Dressed-down version of RateLimiter which directly computes the rate of one bucket and resets when it runs out of tokens
	35
	36	// Broken out so the test-only reset method can reinit this
	37	static SecItemRateLimit* ratelimit;
	38
	39	@implementation SecItemRateLimit {
	40	bool _forceEnabled;
	41	dispatch_queue_t _dataQueue;
	42	}
	43
	44	+ (instancetype)instance {
	45	static dispatch_once_t onceToken;
	46	dispatch_once(&onceToken, ^{
	47	ratelimit = [SecItemRateLimit new];
	48	});
	49	return ratelimit;
	50	}
	51
	52	- (instancetype)init {
	53	if (self = [super init]) {
	54	_roCapacity = 25; // allow burst of this size
	55	_roRate = 3.0; // allow sustained rate of this many per second
	56	_rwCapacity = 25;
	57	_rwRate = 1.0;
	58	_roBucket = nil;
	59	_rwBucket = nil;
	60	_forceEnabled = false;
	61	_limitMultiplier = 5.0; // Multiply capacity and rate by this much after exceeding limit
	62	_dataQueue = dispatch_queue_create("com.apple.keychain.secitemratelimit.dataqueue", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL);
	63	}
	64
65	return self;
66	}
67
68	- (bool)isEnabled {
69	return _forceEnabled \|\| [self shouldCountAPICalls];
70	}
71
72	- (void)forceEnabled:(bool)force {
73	_forceEnabled = force;
74	secnotice("secitemratelimit", "%sorcing SIRL to be enabled (effective: %i)", force ? "F" : "Not f", [self isEnabled]);
75	}
76
77	- (bool)isReadOnlyAPICallWithinLimits {
78	if (![self consumeTokenFromBucket:false]) {
79	secnotice("secitemratelimit", "Readonly API rate exceeded");
80	return false;
81	} else {
82	return true;
83	}
84	}
85
86	- (bool)isModifyingAPICallWithinLimits {
87	if (![self consumeTokenFromBucket:true]) {
88	secnotice("secitemratelimit", "Modifying API rate exceeded");
89	return false;
90	} else {
91	return true;
92	}
93	}
94
95	- (bool)consumeTokenFromBucket:(bool)readwrite {
96	if (![self shouldCountAPICalls] && !_forceEnabled) {
97	return true;
98	}
99
100	__block bool ok = false;
101	dispatch_sync(_dataQueue, ^{
102	int* capacity = readwrite ? &_rwCapacity : &_roCapacity;
103	double* rate = readwrite ? &_rwRate : &_roRate;
104	NSDate* __strong* bucket = readwrite ? &_rwBucket : &_roBucket;
105
106	NSDate* now = [NSDate now];
107	NSDate* fullBucket = [now dateByAddingTimeInterval:-(capacity (1.0 / *rate))];
108	// bucket has more tokens than a 'full' bucket? This prevents occasional-but-bursty activity slipping through
109	if (!bucket \|\| [bucket timeIntervalSinceDate: fullBucket] < 0) {
110	*bucket = fullBucket;
111	}
112
113	bucket = [bucket dateByAddingTimeInterval:1.0 / *rate];
114	ok = [*bucket timeIntervalSinceDate:now] <= 0;
115
116	// Get a new bucket next time so we only complain every now and then
117	if (!ok) {
118	*bucket = nil;
119	capacity = _limitMultiplier;
120	rate = _limitMultiplier;
121	}
122	});
123
124	return ok;
125	}
126
127	- (bool)shouldCountAPICalls {
128	static bool shouldCount = false;
129	static dispatch_once_t shouldCountToken;
130	dispatch_once(&shouldCountToken, ^{
131	if (!SecIsInternalRelease()) {
132	secnotice("secitemratelimit", "Not internal release, disabling SIRL");
133	return;
134	}
135
136	// gSecurityd is the XPC elision mechanism for testing; don't want simcrashes during tests
137	if (gSecurityd != nil) {
138	secnotice("secitemratelimit", "gSecurityd non-nil, disabling SIRL for testing");
139	return;
140	}
141
142	if (!os_feature_enabled(Security, SecItemRateLimiting)) {
143	secnotice("secitemratelimit", "SIRL disabled via feature flag");
144	return;
145	}
146
147	SecTaskRef task = SecTaskCreateFromSelf(NULL);
148	NSMutableArray* exempt = [NSMutableArray arrayWithArray:@[@"com.apple.pcsstatus", @"com.apple.protectedcloudstorage.protectedcloudkeysyncing", @"com.apple.cloudd", @"com.apple.pcsctl"]];
149	CFStringRef identifier = NULL;
150	require_action_quiet(task, cleanup, secerror("secitemratelimit: unable to get task from self, disabling SIRL"));
151
152	// If not a valid or debugged platform binary, don't count
153	uint32_t flags = SecTaskGetCodeSignStatus(task);
154	require_action_quiet((flags & (CS_VALID \| CS_PLATFORM_BINARY \| CS_PLATFORM_PATH)) == (CS_VALID \| CS_PLATFORM_BINARY) \|\|
155	(flags & (CS_DEBUGGED \| CS_PLATFORM_BINARY \| CS_PLATFORM_PATH)) == (CS_DEBUGGED \| CS_PLATFORM_BINARY),
156	cleanup, secnotice("secitemratelimit", "Not valid/debugged platform binary, disabling SIRL"));
157
158	// Some processes have legitimate need to query or modify a large number of items
159	identifier = SecTaskCopySigningIdentifier(task, NULL);
160	require_action_quiet(identifier, cleanup, secerror("secitemratelimit: unable to get signing identifier, disabling SIRL"));
161	#if TARGET_OS_OSX
162	[exempt addObjectsFromArray:@[@"com.apple.keychainaccess", @"com.apple.Safari"]];
163	#elif TARGET_OS_IOS
164	[exempt addObjectsFromArray:@[@"com.apple.mobilesafari", @"com.apple.Preferences"]];
165	#endif
166	if ([exempt containsObject:(__bridge NSString*)identifier]) {
167	secnotice("secitemratelimit", "%@ exempt from SIRL", identifier);
168	goto cleanup;
169	}
170
171	secnotice("secitemratelimit", "valid/debugged platform binary %@ on internal release, enabling SIRL", identifier);
172	shouldCount = true;
173
174	cleanup:
175	CFReleaseNull(task);
176	CFReleaseNull(identifier);
177	});
178	return shouldCount;
179	}
180
181	// Testing
182	+ (instancetype)getStaticRateLimit {
183	return [SecItemRateLimit instance];
184	}
185
186	// Testing and super thread-UNsafe. Caveat emptor.
187	+ (void)resetStaticRateLimit {
188	ratelimit = [SecItemRateLimit new];
189	}
190
191	@end
192
193	bool isReadOnlyAPIRateWithinLimits(void) {
194	return [[SecItemRateLimit instance] isReadOnlyAPICallWithinLimits];
195	}
196
197	bool isModifyingAPIRateWithinLimits(void) {
198	return [[SecItemRateLimit instance] isModifyingAPICallWithinLimits];
199	}