OSX/sec/ipc/server_security_helpers.c

   1 /*
   2  * Copyright (c) 2017 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include <pthread/pthread.h>
  25
  26 #include "server_security_helpers.h"
  27 #include "server_entitlement_helpers.h"
  28
  29 #include <Security/SecTask.h>
  30 #include <Security/SecTaskPriv.h>
  31 #include <ipc/securityd_client.h>
  32 #include <Security/SecEntitlements.h>
  33 #include <Security/SecItem.h>
  34 #include <utilities/SecCFRelease.h>
  35 #include <utilities/SecCFWrappers.h>
  36 #include <utilities/debugging.h>
  37 #include <securityd/SecDbQuery.h>
  38
  39 #if __has_include(<MobileKeyBag/MobileKeyBag.h>) && TARGET_HAS_KEYSTORE
  40 #include <MobileKeyBag/MobileKeyBag.h>
  41 #define HAVE_MOBILE_KEYBAG_SUPPORT 1
  42 #endif
  43
  44 #if HAVE_MOBILE_KEYBAG_SUPPORT && TARGET_OS_EMBEDDED
  45 static bool
  46 device_is_multiuser(void)
  47 {
  48     static dispatch_once_t once;
  49     static bool result;
  50
  51     dispatch_once(&once, ^{
  52         CFDictionaryRef deviceMode = MKBUserTypeDeviceMode(NULL, NULL);
  53         CFTypeRef value = NULL;
  54
  55         if (deviceMode && CFDictionaryGetValueIfPresent(deviceMode, kMKBDeviceModeKey, &value) && CFEqual(value, kMKBDeviceModeMultiUser)) {
  56             result = true;
  57         }
  58         CFReleaseNull(deviceMode);
  59     });
  60
  61     return result;
  62 }
  63 #endif /* HAVE_MOBILE_KEYBAG_SUPPORT && TARGET_OS_EMBEDDED */
  64
  65 void fill_security_client(SecurityClient * client, const uid_t uid, audit_token_t auditToken) {
  66     if(!client) {
  67         return;
  68     }
  69
  70     client->uid = uid;
  71
  72 #if HAVE_MOBILE_KEYBAG_SUPPORT && TARGET_OS_EMBEDDED
  73
  74     if (device_is_multiuser()) {
  75         CFErrorRef error = NULL;
  76
  77         client->inMultiUser = true;
  78         client->activeUser = MKBForegroundUserSessionID(&error);
  79         if (client->activeUser == -1 || client->activeUser == 0) {
  80             assert(0);
  81             client->activeUser = 0;
  82         }
  83
  84         /*
  85          * If we are a edu mode user, and its not the active user,
  86          * then the request is coming from inside the syncbubble.
  87          *
  88          * otherwise we are going to execute the request as the
  89          * active user.
  90          */
  91
  92         if (client->uid > 501 && (uid_t)client->activeUser != client->uid) {
  93             secinfo("serverxpc", "securityd client: sync bubble user");
  94             client->musr = SecMUSRCreateSyncBubbleUserUUID(client->uid);
  95             client->keybag = KEYBAG_DEVICE;
  96         } else {
  97             secinfo("serverxpc", "securityd client: active user");
  98             client->musr = SecMUSRCreateActiveUserUUID(client->activeUser);
  99             client->uid = (uid_t)client->activeUser;
 100             client->keybag = KEYBAG_DEVICE;
 101         }
 102     }
 103 #endif
 104
 105     client->task = SecTaskCreateWithAuditToken(kCFAllocatorDefault, auditToken);
 106
 107 #if TARGET_OS_IPHONE
 108     pthread_setspecific(taskThreadKey, client->task);
 109 #endif
 110
 111     client->accessGroups = SecTaskCopyAccessGroups(client->task);
 112
 113 #if TARGET_OS_IPHONE
 114     client->allowSystemKeychain = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementPrivateSystemKeychain);
 115     client->isNetworkExtension = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementPrivateNetworkExtension);
 116     client->canAccessNetworkExtensionAccessGroups = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementNetworkExtensionAccessGroups);
 117 #endif
 118 #if HAVE_MOBILE_KEYBAG_SUPPORT && TARGET_OS_EMBEDDED
 119     if (client->inMultiUser) {
 120         client->allowSyncBubbleKeychain = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementPrivateKeychainSyncBubble);
 121     }
 122 #endif
 123 }
 124