]> git.saurik.com Git - apple/security.git/blob - securityd/securityd_service/securityd_service/main.c
projects / apple / security.git / blob
? search:


46a444fb1c5b8e6bf2f910239c84bf536f2d4742
[apple/security.git] / securityd / securityd_service / securityd_service / main.c
1 /* Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. */
2
3 #include "securityd_service.h"
4 #include "securityd_service_client.h"
5 #include <libaks.h>
6
7 #include <sandbox.h>
8 #include <vproc.h>
9 #include <xpc/xpc.h>
10 #include <xpc/private.h>
11 #include <dispatch/dispatch.h>
12 #include <sys/types.h>
13 #include <sys/stat.h>
14 #include <sys/codesign.h>
15 #include <stdio.h>
16 #include <errno.h>
17 #include <assert.h>
18 #include <syslog.h>
19 #include <unistd.h>
20 #include <pwd.h>
21 #include <uuid/uuid.h>
22 #include <bsm/libbsm.h>
23 #include <copyfile.h>
24 #include <AssertMacros.h>
25 #include <Security/Security.h>
26 #include <Security/SecTask.h>
27 #include <Security/SecTaskPriv.h>
28 #include <Security/SecKeychainPriv.h>
29
30 #include <IOKit/IOKitLib.h>
31 #include <Kernel/IOKit/crypto/AppleFDEKeyStoreDefs.h>
32
33 #if DEBUG
34 #define LOG(...) syslog(LOG_ERR, ##__VA_ARGS__);
35 #else
36 #define LOG(...)
37 #endif
38
39 static bool check_signature(xpc_connection_t connection);
40
41 static pid_t get_caller_pid(audit_token_t * token)
42 {
43 pid_t pid = 0;
44 if (token) {
45 audit_token_to_au32(*token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
46 }
47 return pid;
48 }
49
50 // exported from libaks.a
51 kern_return_t aks_register_for_notifications(mach_port_t server_port, uintptr_t message_id);
52 kern_return_t aks_stash_escrow(keybag_handle_t handle, bool create, const void * secret, int secret_len, const void * in_data, int in_data_len, void ** out_data, int * out_data_len);
53
54 const char * kb_home_path = "Library/Keychains";
55 const char * kb_user_bag = "user.kb";
56 const char * kb_stash_bag = "stash.kb";
57
58 #define HEXBUF_LEN 2048
59
60 typedef struct {
61 uid_t uid;
62 gid_t gid;
63 char * name;
64 char * home;
65 } service_user_record_t;
66
67 typedef enum {
68 kb_bag_type_user,
69 kb_bag_type_stash
70 } kb_bag_type_t;
71
72 static io_connect_t
73 openiodev(void)
74 {
75 io_registry_entry_t service;
76 io_connect_t conn;
77 kern_return_t kr;
78
79 service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(kAppleFDEKeyStoreServiceName));
80 if (service == IO_OBJECT_NULL)
81 return IO_OBJECT_NULL;
82
83 kr = IOServiceOpen(service, mach_task_self(), 0, &conn);
84 if (kr != KERN_SUCCESS)
85 return IO_OBJECT_NULL;
86
87 kr = IOConnectCallMethod(conn, kAppleFDEKeyStoreUserClientOpen, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL);
88 if (kr != KERN_SUCCESS) {
89 IOServiceClose(conn);
90 return IO_OBJECT_NULL;
91 }
92
93 return conn;
94 }
95
96 static void
97 closeiodev(io_connect_t conn)
98 {
99 kern_return_t kr;
100 kr = IOConnectCallMethod(conn, kAppleFDEKeyStoreUserClientClose, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL);
101 if (kr != KERN_SUCCESS)
102 return;
103 IOServiceClose(conn);
104 }
105
106 static dispatch_queue_t
107 _kb_service_get_dispatch_queue()
108 {
109 static dispatch_once_t onceToken = 0;
110 static dispatch_queue_t connection_queue = NULL;
111
112 dispatch_once(&onceToken, ^{
113 connection_queue = dispatch_queue_create("kb-service-queue", DISPATCH_QUEUE_SERIAL);
114 });
115
116 return connection_queue;
117 }
118
119 static service_user_record_t * get_user_record(uid_t uid)
120 {
121 service_user_record_t * ur = NULL;
122 long bufsize = 0;
123 if ((bufsize = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
124 bufsize = 4096;
125 }
126 char buf[bufsize];
127 struct passwd pwbuf, *pw = NULL;
128 if ((getpwuid_r(uid, &pwbuf, buf, bufsize, &pw) == 0) && pw != NULL) {
129 ur = calloc(1u, sizeof(service_user_record_t));
130 require(ur, done);
131 ur->uid = pw->pw_uid;
132 ur->gid = pw->pw_gid;
133 ur->home = strdup(pw->pw_dir);
134 ur->name = strdup(pw->pw_name);
135 } else {
136 syslog(LOG_ERR, "failed to lookup user record for uid: %d", uid);
137 }
138
139 done:
140 return ur;
141 }
142
143 static void free_user_record(service_user_record_t * ur)
144 {
145 if (ur != NULL) {
146 if (ur->home) {
147 free(ur->home);
148 }
149 if (ur->name) {
150 free(ur->name);
151 }
152 free(ur);
153 }
154 }
155
156 static const char * get_host_uuid()
157 {
158 static uuid_string_t hostuuid = {};
159 static dispatch_once_t onceToken;
160 dispatch_once(&onceToken, ^{
161 struct timespec timeout = {30, 0};
162 uuid_t uuid = {};
163 if (gethostuuid(uuid, &timeout) == 0) {
164 uuid_unparse(uuid, hostuuid);
165 } else {
166 syslog(LOG_ERR, "failed to get host uuid");
167 }
168 });
169
170 return hostuuid;
171 }
172
173 static char *
174 _kb_copy_bag_filename(service_user_record_t * ur, kb_bag_type_t type)
175 {
176 char * bag_file = NULL;
177 const char * name = NULL;
178
179 require(ur, done);
180 switch(type) {
181 case kb_bag_type_user:
182 name = kb_user_bag;
183 break;
184 case kb_bag_type_stash:
185 name = kb_stash_bag;
186 break;
187 default:
188 goto done;
189 }
190
191 bag_file = calloc(1u, PATH_MAX);
192 require(bag_file, done);
193
194 snprintf(bag_file, PATH_MAX, "%s/%s/%s/%s", ur->home, kb_home_path, get_host_uuid(), name);
195
196 done:
197 return bag_file;
198 }
199
200 static bool
201 _kb_verify_create_path(service_user_record_t * ur)
202 {
203 bool created = false;
204 struct stat st_info = {};
205 char new_path[PATH_MAX] = {};
206 char kb_path[PATH_MAX] = {};
207 snprintf(kb_path, sizeof(kb_path), "%s/%s/%s", ur->home, kb_home_path, get_host_uuid());
208 if (lstat(kb_path, &st_info) == 0) {
209 if (S_ISDIR(st_info.st_mode)) {
210 created = true;
211 } else {
212 syslog(LOG_ERR, "invalid directory at '%s' moving aside", kb_path);
213 snprintf(new_path, sizeof(new_path), "%s-invalid", kb_path);
214 unlink(new_path);
215 if (rename(kb_path, new_path) != 0) {
216 syslog(LOG_ERR, "failed to rename file: %s (%s)", kb_path, strerror(errno));
217 goto done;
218 }
219 }
220 }
221 if (!created) {
222 require_action(mkpath_np(kb_path, 0700) == 0, done, syslog(LOG_ERR, "could not create path: %s (%s)", kb_path, strerror(errno)));
223 created = true;
224 }
225
226 done:
227 return created;
228 }
229
230 static void
231 _set_thread_credentials(service_user_record_t * ur)
232 {
233 int rc = pthread_setugid_np(ur->uid, ur->gid);
234 if (rc) { syslog(LOG_ERR, "failed to set thread credential: %i (%s)", errno, strerror(errno)); }
235
236 rc = initgroups(ur->name, ur->gid);
237 if (rc) { syslog(LOG_ERR, "failed to initgroups: %i", rc); }
238 }
239
240 static void
241 _clear_thread_credentials()
242 {
243 int rc = pthread_setugid_np(KAUTH_UID_NONE, KAUTH_GID_NONE);
244 if (rc) { syslog(LOG_ERR, "failed to reset thread credential: %i (%s)", errno, strerror(errno)); }
245 }
246
247 static bool
248 _kb_bag_exists(service_user_record_t * ur, const char * bag_file)
249 {
250 bool exists = false;
251 struct stat st_info = {};
252 char new_file[PATH_MAX] = {};
253
254 require(ur, done);
255
256 _set_thread_credentials(ur);
257 if (lstat(bag_file, &st_info) == 0) {
258 if (S_ISREG(st_info.st_mode)) {
259 exists = true;
260 } else {
261 syslog(LOG_ERR, "invalid file at '%s' moving aside", bag_file);
262 snprintf(new_file, sizeof(new_file), "%s-invalid", bag_file);
263 unlink(new_file);
264 if (rename(bag_file, new_file) != 0) {
265 syslog(LOG_ERR, "failed to rename file: %s (%s)", bag_file, strerror(errno));
266 }
267 }
268 }
269
270 done:
271 _clear_thread_credentials();
272 return exists;
273 }
274
275 static bool
276 _kb_save_bag_to_disk(service_user_record_t * ur, const char * bag_file, void * data, size_t length)
277 {
278 bool result = false;
279 int fd = -1;
280
281 require(bag_file, done);
282
283 _set_thread_credentials(ur);
284 require(_kb_verify_create_path(ur), done);
285
286 fd = open(bag_file, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0600);
287 require_action(fd != -1, done, syslog(LOG_ERR, "could not create file: %s (%s)", bag_file, strerror(errno)));
288 require_action(write(fd, data, length) != -1, done, syslog(LOG_ERR, "failed to write keybag to disk %s", strerror(errno)));
289
290 result = true;
291
292 done:
293 if (fd != -1) { close(fd); }
294 _clear_thread_credentials();
295 return result;
296 }
297
298 static bool
299 _kb_load_bag_from_disk(service_user_record_t * ur, const char * bag_file, uint8_t ** data, size_t * length)
300 {
301 bool result = false;
302 int fd = -1;
303 uint8_t * buf = NULL;
304 size_t buf_size = 0;
305 struct stat st_info = {};
306
307 require(bag_file, done);
308
309 _set_thread_credentials(ur);
310 require(_kb_verify_create_path(ur), done);
311 require_quiet(lstat(bag_file, &st_info) == 0, done);
312 require_action(S_ISREG(st_info.st_mode), done, syslog(LOG_ERR, "failed to load, not a file: %s", bag_file));
313 buf_size = (size_t)st_info.st_size;
314
315 fd = open(bag_file, O_RDONLY | O_NOFOLLOW);
316 require_action(fd != -1, done, syslog(LOG_ERR, "could not open file: %s (%s)", bag_file, strerror(errno)));
317
318 buf = (uint8_t *)calloc(1u, buf_size);
319 require(buf != NULL, done);
320 require(read(fd, buf, buf_size) == buf_size, done);
321
322 *data = buf;
323 *length = buf_size;
324 buf = NULL;
325 result = true;
326
327 done:
328 if (fd != -1) { close(fd); }
329 if (buf) { free(buf); }
330 _clear_thread_credentials();
331 return result;
332 }
333
334 static void
335 _kb_rename_bag_on_disk(service_user_record_t * ur, const char * bag_file)
336 {
337 char new_file[PATH_MAX] = {};
338 if (bag_file) {
339 _set_thread_credentials(ur);
340 snprintf(new_file, sizeof(new_file), "%s-invalid", bag_file);
341 unlink(new_file);
342 rename(bag_file, new_file);
343 _clear_thread_credentials();
344 }
345 }
346
347 static void
348 _kb_delete_bag_on_disk(service_user_record_t * ur, const char * bag_file)
349 {
350 if (bag_file) {
351 _set_thread_credentials(ur);
352 unlink(bag_file);
353 _clear_thread_credentials();
354 }
355 }
356
357 static int service_kb_load(service_context_t *context);
358 static int service_kb_load_uid(uid_t s_uid);
359
360 static int
361 _kb_get_session_handle(service_context_t * context, keybag_handle_t * handle_out)
362 {
363 int rc = KB_BagNotLoaded;
364 require_noerr_quiet(aks_get_system(context->s_uid, handle_out), done);
365
366 rc = KB_Success;
367
368 done:
369 if (rc == KB_BagNotLoaded) {
370 if (service_kb_load(context) == KB_Success) {
371 if (aks_get_system(context->s_uid, handle_out) == kIOReturnSuccess) {
372 rc = KB_Success;
373 }
374 }
375 }
376 return rc;
377 }
378
379 static void update_keybag_handle(keybag_handle_t handle)
380 {
381 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
382 uid_t uid = abs(handle);
383 uint8_t * buf = NULL;
384 size_t buf_size = 0;
385 service_user_record_t * ur = NULL;
386 char * bag_file = NULL;
387
388 require_noerr(aks_save_bag(handle, (void**)&buf, (int*)&buf_size), done);
389 require(ur = get_user_record(uid), done);
390 require(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done);
391 require(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done);
392
393 syslog(LOG_NOTICE, "successfully updated handle %d", handle);
394
395 done:
396 if (buf) free(buf);
397 if (ur) free_user_record(ur);
398 if (bag_file) free(bag_file);
399 });
400 }
401
402 static int
403 service_kb_create(service_context_t * context, const void * secret, int secret_len)
404 {
405 __block int rc = KB_GeneralError;
406
407 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
408 uint8_t * buf = NULL;
409 size_t buf_size = 0;
410 keybag_handle_t session_handle = bad_keybag_handle;
411 service_user_record_t * ur = get_user_record(context->s_uid);
412 char * bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user);
413
414 require(bag_file, done);
415
416 // check for the existance of the bagfile
417 require_action(!_kb_bag_exists(ur, bag_file), done, rc = KB_BagExists);
418
419 require_noerr(rc = aks_create_bag(secret, secret_len, kAppleKeyStoreDeviceBag, &session_handle), done);
420 require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done);
421 require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError);
422 require_noerr(rc = aks_set_system(session_handle, context->s_uid), done);
423 aks_unload_bag(session_handle);
424 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
425
426 if (secret && rc == KB_Success) {
427 aks_unlock_bag(session_handle, secret, secret_len);
428 }
429
430 done:
431 if (buf) free(buf);
432 if (bag_file) { free(bag_file); }
433 if (ur) free_user_record(ur);
434 });
435
436 return rc;
437 }
438
439 /* Load s_uid's keybag, unless already loaded */
440 static int
441 _service_kb_load_uid(uid_t s_uid)
442 {
443 __block int rc = KB_GeneralError;
444
445 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
446 uint8_t * buf = NULL;
447 size_t buf_size = 0;
448 keybag_handle_t session_handle = bad_keybag_handle;
449 service_user_record_t * ur = NULL;
450 char * bag_file = NULL;
451
452 rc = aks_get_system(s_uid, &session_handle);
453 if (rc == kIOReturnNotFound) {
454 require_action(ur = get_user_record(s_uid), done, rc = KB_GeneralError);
455 require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done, rc = KB_GeneralError);
456 require_action_quiet(_kb_load_bag_from_disk(ur, bag_file, &buf, &buf_size), done, rc = KB_BagNotFound);
457 rc = aks_load_bag(buf, (int)buf_size, &session_handle);
458 if (rc == kIOReturnNotPermitted) {
459 syslog(LOG_ERR, "error loading keybag for uid (%i)", s_uid);
460 _kb_rename_bag_on_disk(ur, bag_file);
461 rc = KB_BagNotFound;
462 }
463 require_noerr(rc, done);
464 require_noerr(rc = aks_set_system(session_handle, s_uid), done);
465 aks_unload_bag(session_handle);
466 }
467 require(rc == KB_Success, done);
468
469 done:
470 if (buf) free(buf);
471 if (ur) free_user_record(ur);
472 if (bag_file) free(bag_file);
473 });
474
475 return rc;
476 }
477
478 static int
479 service_kb_load_uid(uid_t s_uid)
480 {
481 return _service_kb_load_uid(s_uid);
482 }
483
484 static int
485 service_kb_load(service_context_t * context)
486 {
487 return _service_kb_load_uid(context->s_uid);
488 }
489
490 static int
491 service_kb_unload(service_context_t *context)
492 {
493 __block int rc = KB_GeneralError;
494
495 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
496 keybag_handle_t session_handle = bad_keybag_handle;
497
498 rc = aks_get_system(context->s_uid, &session_handle);
499 if (rc == kIOReturnNotFound) {
500 // No session bag, nothing to do
501 rc = KB_Success;
502 return;
503 } else if (rc != kIOReturnSuccess) {
504 syslog(LOG_ERR, "error locating session keybag for uid (%i) in session (%i)", context->s_uid, context->s_id);
505 rc = KB_BagError;
506 return;
507 }
508
509 rc = aks_unload_bag(session_handle);
510 if (rc != kAKSReturnSuccess) {
511 syslog(LOG_ERR, "error unloading keybag for uid (%i) in session (%i)", context->s_uid, context->s_id);
512 rc = KB_BagError;
513 } else {
514 syslog(LOG_ERR, "successfully unloaded keybag (%ld) for uid (%i) in session (%i)", (long)session_handle, context->s_uid, context->s_id);
515 }
516 });
517
518 return rc;
519 }
520
521 static int
522 service_kb_save(service_context_t * context)
523 {
524 __block int rc = KB_GeneralError;
525 keybag_handle_t session_handle;
526 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
527
528 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
529 uint8_t * buf = NULL;
530 size_t buf_size = 0;
531 service_user_record_t * ur = NULL;
532 char * bag_file = NULL;
533
534 require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done);
535 require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
536 require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done, rc = KB_GeneralError);
537 require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError);
538
539 rc = KB_Success;
540
541 done:
542 if (buf) free(buf);
543 if (ur) free_user_record(ur);
544 if (bag_file) free(bag_file);
545 return;
546 });
547
548 done:
549 return rc;
550 }
551
552 static int
553 service_kb_unlock(service_context_t * context, const void * secret, int secret_len)
554 {
555 int rc = KB_GeneralError;
556 keybag_handle_t session_handle;
557 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
558
559 rc = aks_unlock_bag(session_handle, secret, secret_len);
560
561 done:
562 return rc;
563 }
564
565 static int
566 service_kb_lock(service_context_t * context)
567 {
568 // this call has been disabled
569 return -1;
570 }
571
572 static int
573 service_kb_change_secret(service_context_t * context, const void * secret, int secret_len, const void * new_secret, int new_secret_len)
574 {
575 __block int rc = KB_GeneralError;
576 keybag_handle_t session_handle;
577 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
578
579 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
580 uint8_t * buf = NULL;
581 size_t buf_size = 0;
582 service_user_record_t * ur = NULL;
583 char * bag_file = NULL;
584
585 require_noerr(rc = aks_change_secret(session_handle, secret, secret_len, new_secret, new_secret_len, NULL, NULL), done);
586 require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done);
587 require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
588 require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done, rc = KB_GeneralError);
589 require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError);
590
591 rc = KB_Success;
592
593 done:
594 if (buf) free(buf);
595 if (ur) free_user_record(ur);
596 if (bag_file) free(bag_file);
597 return;
598 });
599
600 done:
601 return rc;
602 }
603
604 static int
605 service_kb_reset(service_context_t * context, const void * secret, int secret_len)
606 {
607 __block int rc = KB_GeneralError;
608 service_user_record_t * ur = NULL;
609 char * bag_file = NULL;
610
611 require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
612 require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done, rc = KB_GeneralError);
613
614 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
615 uint8_t * buf = NULL;
616 size_t buf_size = 0;
617 keybag_handle_t session_handle = bad_keybag_handle;
618
619 syslog(LOG_ERR, "resetting keybag for uid (%i) in session (%i)", context->s_uid, context->s_id);
620 _kb_rename_bag_on_disk(ur, bag_file);
621
622 require_noerr(rc = aks_create_bag(secret, secret_len, kAppleKeyStoreDeviceBag, &session_handle), done);
623 require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done);
624 require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError);
625 require_noerr(rc = aks_set_system(session_handle, context->s_uid), done);
626 aks_unload_bag(session_handle);
627 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
628
629 if (secret && rc == KB_Success) {
630 aks_unlock_bag(session_handle, secret, secret_len);
631 }
632
633 done:
634 if (buf) free(buf);
635 return;
636 });
637
638 done:
639 if (ur) free_user_record(ur);
640 if (bag_file) free(bag_file);
641 return rc;
642 }
643
644 static int
645 service_kb_is_locked(service_context_t * context, xpc_object_t reply)
646 {
647 int rc = KB_GeneralError;
648 keybag_state_t state;
649 keybag_handle_t session_handle;
650 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
651
652 require_noerr(rc = aks_get_lock_state(session_handle, &state), done);
653
654 xpc_dictionary_set_bool(reply, SERVICE_XPC_LOCKED, state & keybag_state_locked);
655 xpc_dictionary_set_bool(reply, SERVICE_XPC_NO_PIN, state & keybag_state_no_pin);
656
657 done:
658 return rc;
659 }
660
661 static int
662 service_kb_stash_create(service_context_t * context, const void * key, unsigned key_size)
663 {
664 int rc = KB_GeneralError;
665 char * bag_file = NULL;
666 keybag_handle_t session_handle;
667 service_user_record_t * ur = NULL;
668 void * stashbag = NULL;
669 int stashbag_size = 0;
670 __block bool saved = false;
671
672 require(key, done);
673 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
674 require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
675 require_noerr(rc = aks_stash_escrow(session_handle, true, key, key_size, NULL, 0, (void**)&stashbag, &stashbag_size), done);
676 require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_stash), done, rc = KB_GeneralError);
677
678 // sync writing the bag to disk
679 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
680 saved = _kb_save_bag_to_disk(ur, bag_file, stashbag, stashbag_size);
681 });
682 require_action(saved, done, rc = KB_BagError);
683 rc = KB_Success;
684
685 done:
686 if (stashbag) { free(stashbag); }
687 if (bag_file) { free(bag_file); }
688 if (ur) free_user_record(ur);
689 return rc;
690 }
691
692 static int
693 service_kb_stash_load(service_context_t * context, const void * key, unsigned key_size, bool nondestructive)
694 {
695 __block int rc = KB_GeneralError;
696 char * bag_file = NULL;
697 keybag_handle_t session_handle;
698 service_user_record_t * ur = NULL;
699 __block uint8_t * stashbag = NULL;
700 __block size_t stashbag_size = 0;
701
702 require(key, done);
703 require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
704 require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
705 require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_stash), done, rc = KB_GeneralError);
706
707 // sync loading the bag from disk
708 dispatch_sync(_kb_service_get_dispatch_queue(), ^{
709 if (!_kb_load_bag_from_disk(ur, bag_file, &stashbag, &stashbag_size)) {
710 rc = KB_BagError;
711 }
712 });
713 require_noerr(rc, done);
714
715 require_noerr(rc = aks_stash_escrow(session_handle, false, key, key_size, stashbag, (int)stashbag_size, NULL, NULL), done);
716 rc = KB_Success;
717
718 done:
719 if (stashbag) { free(stashbag); }
720 if ((bag_file) && (!nondestructive)) {
721 _kb_delete_bag_on_disk(ur, bag_file);
722 free(bag_file);
723 }
724 if (ur) free_user_record(ur);
725 return rc;
726 }
727
728 //
729 // Get the keychain master key from the AppleFDEKeyStore.
730 // Note that this is a one-time call - the master key is
731 // removed from the keystore after it is returned.
732 // Requires the entitlement: com.apple.private.securityd.keychain
733 //
734 OSStatus service_stash_get_key(service_context_t * context, xpc_object_t event, xpc_object_t reply)
735 {
736 getStashKey_InStruct_t inStruct;
737 getStashKey_OutStruct_t outStruct;
738 size_t outSize = sizeof(outStruct);
739 kern_return_t kr = KERN_INVALID_ARGUMENT;
740
741 io_connect_t conn = openiodev();
742 require(conn, done);
743 inStruct.type = kAppleFDEKeyStoreStash_master;
744
745 kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_getStashKey,
746 NULL, 0,
747 &inStruct, sizeof(inStruct),
748 NULL, NULL,
749 &outStruct, &outSize);
750
751 if (kr == KERN_SUCCESS) {
752 xpc_dictionary_set_data(reply, SERVICE_XPC_KEY, outStruct.outBuf.key.key, outStruct.outBuf.key.keysize);
753 service_kb_stash_load(context, outStruct.outBuf.key.key, outStruct.outBuf.key.keysize, false);
754 }
755
756 done:
757 if (conn)
758 closeiodev(conn);
759
760 return kr;
761 }
762
763 //
764 // Stash the keychain master key in the AppleFDEKeyStore and
765 // flag it as the keychain master key to be added to the
766 // reboot NVRAM blob.
767 // This requires two calls to the AKS: the first to store the
768 // key and get its uuid. The second uses the uuid to flag the
769 // key for blob inclusion.
770 //
771 OSStatus service_stash_set_key(service_context_t * context, xpc_object_t event, xpc_object_t reply)
772 {
773 kern_return_t kr = KERN_INVALID_ARGUMENT;
774 io_connect_t conn = IO_OBJECT_NULL;
775 size_t keydata_len = 0;
776 size_t len;
777
778 keybag_state_t state;
779 keybag_handle_t session_handle;
780 require_noerr(_kb_get_session_handle(context, &session_handle), done);
781 require_noerr(aks_get_lock_state(session_handle, &state), done);
782 require_action(!(state & keybag_lock_locked), done, kr = CSSMERR_CSP_OS_ACCESS_DENIED; LOG("stash failed keybag locked"));
783
784 conn = openiodev();
785 require(conn, done);
786
787 // Store the key in the keystore and get its uuid
788 setKeyGetUUID_InStruct_t inStruct1;
789 uuid_OutStruct_t outStruct1;
790
791
792 const uint8_t *keydata = xpc_dictionary_get_data(event, SERVICE_XPC_KEY, &keydata_len);
793 require(keydata, done);
794
795 memcpy(&inStruct1.inKey.key.key, keydata, keydata_len);
796 inStruct1.inKey.key.keysize = (cryptosize_t) keydata_len;
797 len = sizeof(outStruct1);
798 kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_setKeyGetUUID,
799 NULL, 0,
800 &inStruct1, sizeof(inStruct1),
801 NULL, NULL,
802 &outStruct1, &len);
803 require(kr == KERN_SUCCESS, done);
804
805 // Now using the uuid stash it as the master key
806 setStashKey_InStruct_t inStruct2;
807 memcpy(&inStruct2.uuid, &outStruct1.uuid, sizeof(outStruct1.uuid));
808 inStruct2.type = kAppleFDEKeyStoreStash_master;
809
810 kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_setStashKey,
811 NULL, 0,
812 &inStruct2, sizeof(inStruct2),
813 NULL, NULL,
814 NULL, NULL);
815
816 if (kr == KERN_SUCCESS) {
817 service_kb_stash_create(context, keydata, (unsigned)keydata_len);
818 }
819 done:
820 if (conn)
821 closeiodev(conn);
822
823 return kr;
824 }
825
826 //
827 // Load the master stash key
828 //
829 OSStatus service_stash_load_key(service_context_t * context, xpc_object_t event, xpc_object_t reply)
830 {
831 kern_return_t kr = KERN_SUCCESS;
832 size_t keydata_len = 0;
833
834 const uint8_t *keydata = xpc_dictionary_get_data(event, SERVICE_XPC_KEY, &keydata_len);
835 require(keydata, done);
836
837 kr = service_kb_stash_load(context, keydata, (cryptosize_t) keydata_len, true);
838 done:
839
840 return kr;
841 }
842
843 //
844 // Signal the AppleFDEKeyStore to take the tagged FDE key
845 // and keychain master key, stash them in an encrypted
846 // blob structure and write the blob to NVRAM. The random
847 // encryption key is written to the SMC.
848 //
849 #if DEBUG
850 OSStatus service_stash_blob(xpc_object_t event, xpc_object_t reply)
851 {
852 kern_return_t kr = KERN_INVALID_ARGUMENT;
853
854 io_connect_t conn = openiodev();
855 require(conn, done);
856
857 kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_commitStash,
858 NULL, 0,
859 NULL, 0,
860 NULL, NULL,
861 NULL, NULL);
862 done:
863 if (conn)
864 closeiodev(conn);
865
866 return kr;
867 }
868 #endif
869
870 bool peer_has_entitlement(xpc_connection_t peer, const char * entitlement)
871 {
872 bool entitled = false;
873
874 xpc_object_t value = xpc_connection_copy_entitlement_value(peer, entitlement);
875 if (value && (xpc_get_type(value) == XPC_TYPE_BOOL)) {
876 entitled = xpc_bool_get_value(value);
877 }
878
879 if (value) xpc_release(value);
880 return entitled;
881 }
882
883 static char * sel_to_char(uint64_t sel)
884 {
885 switch (sel) {
886 case SERVICE_STASH_SET_KEY:
887 return "set_key";
888 case SERVICE_STASH_GET_KEY:
889 return "get_key";
890 case SERVICE_STASH_BLOB:
891 return "stash_blob";
892 case SERVICE_KB_LOAD:
893 return "kb_load";
894 case SERVICE_KB_SAVE:
895 return "kb_save";
896 case SERVICE_KB_UNLOCK:
897 return "kb_unlock";
898 case SERVICE_KB_LOCK:
899 return "kb_lock";
900 case SERVICE_KB_CHANGE_SECRET:
901 return "kb_change_secret";
902 case SERVICE_KB_CREATE:
903 return "kb_create";
904 case SERVICE_KB_IS_LOCKED:
905 return "kb_is_locked";
906 case SERVICE_KB_RESET:
907 return "kb_reset";
908 case SERVICE_KB_UNLOAD:
909 return "kb_unload";
910 case SERVICE_KB_LOAD_UID:
911 return "kb_load_uid";
912 default:
913 return "unknown";
914 }
915 }
916
917 static char * err_to_char(int err)
918 {
919 switch (err) {
920 case KB_Success:
921 return "success";
922 case KB_GeneralError:
923 return "general error";
924 case KB_BagNotFound:
925 return "bag not found";
926 case KB_BagError:
927 return "bag error";
928 case KB_BagNotLoaded:
929 return "bag not loaded";
930 case KB_BagExists:
931 return "bag exists";
932 case KB_InvalidSession:
933 return "invalid session";
934 default:
935 return "";
936 }
937 }
938
939 void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event)
940 {
941 xpc_type_t type = xpc_get_type(event);
942 uid_t uid;
943
944 if (type == XPC_TYPE_ERROR) {
945 if (event == XPC_ERROR_CONNECTION_INVALID) {
946 }
947 } else {
948 assert(type == XPC_TYPE_DICTIONARY);
949
950 int rc = KB_GeneralError;
951 uint64_t request = 0;
952 const uint8_t * secret = NULL, * new_secret = NULL;
953 size_t secret_len = 0, new_secret_len = 0, data_len = 0;
954 service_context_t * context = NULL;
955 bool free_context = false;
956 const void * data;
957 const char *entitlement;
958
959 xpc_object_t reply = xpc_dictionary_create_reply(event);
960
961 request = xpc_dictionary_get_uint64(event, SERVICE_XPC_REQUEST);
962
963
964 // For SERVICE_KB_{UNLOAD,LOAD} only, allow non-securityd, non-root but
965 // entitled callers.
966 if (request == SERVICE_KB_UNLOAD || request == SERVICE_KB_LOAD_UID) {
967 switch (request) {
968 case SERVICE_KB_UNLOAD:
969 entitlement = "com.apple.private.securityd.keybag-unload";
970 break;
971 case SERVICE_KB_LOAD_UID:
972 entitlement = "com.apple.private.securityd.keybag-load";
973 break;
974 }
975 if (!peer_has_entitlement(connection, entitlement) && !peer_has_entitlement(connection, "com.apple.keystore.device")) {
976 xpc_connection_cancel(connection);
977 return;
978 }
979 } else {
980 if (xpc_connection_get_euid(connection) != 0) {
981 xpc_connection_cancel(connection);
982 return;
983 }
984 if (!check_signature(connection)) {
985 xpc_connection_cancel(connection);
986 return;
987 }
988 }
989
990 data = xpc_dictionary_get_data(event, SERVICE_XPC_CONTEXT, &data_len);
991 require_action(data || request == SERVICE_KB_UNLOAD || request == SERVICE_KB_LOAD_UID, done, rc = KB_GeneralError);
992 if (data) {
993 require(data_len == sizeof(service_context_t), done);
994 context = (service_context_t*)data;
995 } else {
996 audit_token_t audit_token = { 0 };
997 xpc_connection_get_audit_token(connection, &audit_token);
998 context = calloc(1, sizeof(service_context_t));
999 context->s_id = xpc_connection_get_asid(connection);
1000 context->s_uid = xpc_connection_get_euid(connection);
1001 context->procToken = audit_token;
1002 free_context = true;
1003 }
1004
1005 require_action(context->s_id != AU_DEFAUDITSID, done, rc = KB_InvalidSession);
1006 require_action(context->s_uid != AU_DEFAUDITID, done, rc = KB_InvalidSession); // we only want to work in actual user sessions.
1007
1008 switch (request) {
1009 case SERVICE_KB_CREATE:
1010 // if (kb_service_has_entitlement(peer, "com.apple.keystore.device")) {
1011 secret = xpc_dictionary_get_data(event, SERVICE_XPC_SECRET, &secret_len);
1012 rc = service_kb_create(context, secret, (int)secret_len);
1013 // }
1014 break;
1015 case SERVICE_KB_LOAD:
1016 rc = service_kb_load(context);
1017 break;
1018 case SERVICE_KB_UNLOAD:
1019 rc = service_kb_unload(context);
1020 break;
1021 case SERVICE_KB_SAVE:
1022 rc = service_kb_save(context);
1023 break;
1024 case SERVICE_KB_UNLOCK:
1025 secret = xpc_dictionary_get_data(event, SERVICE_XPC_SECRET, &secret_len);
1026 rc = service_kb_unlock(context, secret, (int)secret_len);
1027 break;
1028 case SERVICE_KB_LOCK:
1029 rc = service_kb_lock(context);
1030 break;
1031 case SERVICE_KB_CHANGE_SECRET:
1032 secret = xpc_dictionary_get_data(event, SERVICE_XPC_SECRET, &secret_len);
1033 new_secret = xpc_dictionary_get_data(event, SERVICE_XPC_SECRET_NEW, &new_secret_len);
1034 rc = service_kb_change_secret(context, secret, (int)secret_len, new_secret, (int)new_secret_len);
1035 break;
1036 case SERVICE_KB_RESET:
1037 secret = xpc_dictionary_get_data(event, SERVICE_XPC_SECRET, &secret_len);
1038 rc = service_kb_reset(context, secret, (int)secret_len);
1039 break;
1040 case SERVICE_KB_IS_LOCKED:
1041 rc = service_kb_is_locked(context, reply);
1042 break;
1043 case SERVICE_STASH_GET_KEY:
1044 rc = service_stash_get_key(context, event, reply);
1045 break;
1046 case SERVICE_STASH_SET_KEY:
1047 rc = service_stash_set_key(context, event, reply);
1048 break;
1049 case SERVICE_STASH_LOAD_KEY:
1050 rc = service_stash_load_key(context, event, reply);
1051 break;
1052 case SERVICE_KB_LOAD_UID:
1053 uid = (uid_t)xpc_dictionary_get_uint64(event, SERVICE_XPC_UID);
1054 rc = service_kb_load_uid(uid);
1055 break;
1056 #if DEBUG
1057 case SERVICE_STASH_BLOB:
1058 rc = service_stash_blob(event, reply);
1059 break;
1060 #endif
1061 default:
1062 LOG("unknown service type");
1063 break;
1064 }
1065
1066 done:
1067 #if DEBUG
1068 LOG("selector: %s (%llu), error: %s (%x), sid: %d, suid: %d, pid: %d", sel_to_char(request), request, err_to_char(rc), rc, context ? context->s_id : 0, context ? context->s_uid : 0, context ? get_caller_pid(&context->procToken) : 0);
1069 #else
1070 if (rc != 0) {
1071 syslog(LOG_NOTICE, "selector: %s (%llu), error: %s (%x), sid: %d, suid: %d, pid: %d", sel_to_char(request), request, err_to_char(rc), rc, context ? context->s_id : 0, context ? context->s_uid : 0, context ? get_caller_pid(&context->procToken) : 0);
1072 }
1073 #endif
1074 xpc_dictionary_set_int64(reply, SERVICE_XPC_RC, rc);
1075 xpc_connection_send_message(connection, reply);
1076 xpc_release(reply);
1077 if (free_context) {
1078 free(context);
1079 }
1080 }
1081 }
1082
1083 bool check_signature(xpc_connection_t connection)
1084 {
1085 #if !(DEBUG || RC_BUILDIT_YES)
1086 audit_token_t token;
1087
1088 xpc_connection_get_audit_token(connection, &token);
1089
1090 SecTaskRef task = SecTaskCreateWithAuditToken(NULL, token);
1091 if (task == NULL) {
1092 syslog(LOG_NOTICE, "failed getting SecTaskRef of the client");
1093 return false;
1094 }
1095
1096 uint32_t flags = SecTaskGetCodeSignStatus(task);
1097 /* check if valid and platform binary, but not platform path */
1098 if ((flags & (CS_VALID | CS_PLATFORM_BINARY | CS_PLATFORM_PATH)) != (CS_VALID | CS_PLATFORM_BINARY)) {
1099 syslog(LOG_NOTICE, "client is not a platform binary: %0x08x", flags);
1100 CFRelease(task);
1101 return false;
1102 }
1103
1104 CFStringRef signingIdentity = SecTaskCopySigningIdentifier(task, NULL);
1105 CFRelease(task);
1106 if (signingIdentity == NULL) {
1107 syslog(LOG_NOTICE, "client have no code sign identity");
1108 return false;
1109 }
1110
1111 bool res = CFEqual(signingIdentity, CFSTR("com.apple.securityd"));
1112 CFRelease(signingIdentity);
1113
1114 if (!res)
1115 syslog(LOG_NOTICE, "client is not not securityd");
1116
1117 return res;
1118 #else
1119 return true;
1120 #endif
1121 }
1122
1123 static void register_for_notifications()
1124 {
1125 __block kern_return_t kr;
1126 static mach_port_t mp = MACH_PORT_NULL;
1127
1128 static dispatch_once_t onceToken = 0;
1129 dispatch_once(&onceToken, ^{
1130 kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &mp);
1131 if (kr == KERN_SUCCESS) {
1132 dispatch_source_t mach_src = dispatch_source_create(DISPATCH_SOURCE_TYPE_MACH_RECV, mp, 0, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0));
1133 dispatch_source_set_event_handler(mach_src, ^{
1134 mach_msg_return_t mr;
1135 uint8_t buf[sizeof(aks_notification_msg_t) + MAX_TRAILER_SIZE] = {};
1136 aks_notification_msg_t * msg = (aks_notification_msg_t*)buf;
1137 mr = mach_msg((mach_msg_header_t*)&buf, MACH_RCV_MSG, 0, sizeof(buf), mp, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
1138 if (mr == MACH_MSG_SUCCESS && msg->hdr.msgh_id == AKS_NOTIFICATION_MSGID) {
1139 // ignored for now
1140 } else if (mr == MACH_MSG_SUCCESS && msg->hdr.msgh_id == AKS_NOTIFICATION_WRITE_SYSTEM_KEYBAG) {
1141 syslog(LOG_NOTICE, "request to update handle %d", msg->handle);
1142 update_keybag_handle(msg->handle);
1143 } else {
1144 syslog(LOG_ERR, "mach_msg error: %x", mr);
1145 }
1146 });
1147 dispatch_resume(mach_src);
1148 } else {
1149 syslog(LOG_NOTICE, "failed to create notification port");
1150 }
1151
1152 });
1153
1154 kr = aks_register_for_notifications(mp, AKS_NOTIFICATION_WRITE_SYSTEM_KEYBAG);
1155 if (kr == KERN_SUCCESS) {
1156 syslog(LOG_NOTICE, "registered for notifications");
1157 } else {
1158 syslog(LOG_NOTICE, "failed to register for notifications %d", kr);
1159 }
1160 }
1161
1162 int main(int argc, const char * argv[])
1163 {
1164 char * errorbuf;
1165 if (sandbox_init(SECURITYD_SERVICE_NAME, SANDBOX_NAMED, &errorbuf) != 0) {
1166 syslog(LOG_ERR, "sandbox_init failed %s", errorbuf);
1167 sandbox_free_error(errorbuf);
1168 #ifndef DEBUG
1169 abort();
1170 #endif
1171 }
1172
1173 register_for_notifications();
1174
1175 xpc_connection_t listener = xpc_connection_create_mach_service(SECURITYD_SERVICE_NAME, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
1176 xpc_connection_set_event_handler(listener, ^(xpc_object_t peer) {
1177 // It is safe to cast 'peer' to xpc_connection_t assuming
1178 // we have a correct configuration in our launchd.plist.
1179 xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
1180 vproc_transaction_t transaction = vproc_transaction_begin(NULL);
1181 service_peer_event_handler(peer, event);
1182 vproc_transaction_end(NULL, transaction);
1183 });
1184 xpc_connection_resume(peer);
1185 });
1186 xpc_connection_resume(listener);
1187
1188 dispatch_main();
1189 exit(EXIT_FAILURE);
1190 }
1191
mirror of Security