]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_mds/lib/MDSSession.cpp
Security-57336.1.9.tar.gz
[apple/security.git] / OSX / libsecurity_mds / lib / MDSSession.cpp
1 /*
2 * Copyright (c) 2000-2001,2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 #include "MDSSession.h"
20
21 #include <security_cdsa_plugin/DbContext.h>
22 #include "MDSModule.h"
23 #include "MDSAttrParser.h"
24 #include "MDSAttrUtils.h"
25
26 #include <memory>
27 #include <Security/cssmerr.h>
28 #include <security_utilities/logging.h>
29 #include <security_utilities/debugging.h>
30 #include <security_utilities/cfutilities.h>
31 #include <security_cdsa_client/dlquery.h>
32 #include <securityd_client/ssclient.h>
33 #include <Security/mds_schema.h>
34 #include <CoreFoundation/CFBundle.h>
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <dirent.h>
39 #include <fcntl.h>
40 #include <assert.h>
41 #include <time.h>
42 #include <string>
43 #include <unistd.h>
44 #include <syslog.h>
45
46 using namespace CssmClient;
47
48 /*
49 * The layout of the various MDS DB files on disk is as follows:
50 *
51 * /var/db/mds -- owner = root, mode = 01777, world writable, sticky
52 * system/ -- owner = root, mode = 0755
53 * mdsObject.db -- owner = root, mode = 0644, object DB
54 * mdsDirectory.db -- owner = root, mode = 0644, MDS directory DB
55 * mds.lock -- temporary, owner = root, protects creation of and
56 * updates to previous two files
57 * mds.install.lock -- owner = root, protects MDS_Install operation
58 * <uid>/ -- owner = <uid>, mode = 0700
59 * mdsObject.db -- owner = <uid>, mode = 000, object DB
60 * mdsDirectory.db -- owner = <uid>, mode = 000, MDS directory DB
61 * mds.lock -- owner = <uid>, protects updates of previous two files
62 *
63 * The /var/db/mds/system directory is created at OS install time. The DB files in
64 * it are created by root at MDS_Install time. The ownership and mode of this directory and
65 * of its parent is also re-checked and forced to the correct state at MDS_Install time.
66 * Each user has their own private directory with two DB files and a lock. The first time
67 * a user accesses MDS, the per-user directory is created and the per-user DB files are
68 * created as copies of the system DB files. Fcntl() with a F_RDLCK is used to lock the system
69 * DB files when they are the source of these copies; this is the same mechanism
70 * used by the underlying AtomicFile.
71 *
72 * The sticky bit in /var/db/mds ensures that users cannot modify other userss private
73 * MDS directories.
74 */
75 namespace Security
76 {
77
78 /*
79 * Nominal location of Security.framework.
80 */
81 #define MDS_SYSTEM_PATH "/System/Library/Frameworks"
82 #define MDS_SYSTEM_FRAME "Security.framework"
83
84 /*
85 * Nominal location of standard plugins.
86 */
87 #define MDS_BUNDLE_PATH "/System/Library/Security"
88 #define MDS_BUNDLE_EXTEN ".bundle"
89
90
91 /*
92 * Location of MDS database and lock files.
93 */
94 #define MDS_BASE_DB_DIR "/private/var/db/mds"
95 #define MDS_SYSTEM_DB_COMP "system"
96 #define MDS_SYSTEM_DB_DIR MDS_BASE_DB_DIR "/" MDS_SYSTEM_DB_COMP
97 #define MDS_USER_DB_COMP "mds"
98
99 #define MDS_LOCK_FILE_NAME "mds.lock"
100 #define MDS_INSTALL_LOCK_NAME "mds.install.lock"
101 #define MDS_OBJECT_DB_NAME "mdsObject.db"
102 #define MDS_DIRECT_DB_NAME "mdsDirectory.db"
103
104 #define MDS_INSTALL_LOCK_PATH MDS_SYSTEM_DB_DIR "/" MDS_INSTALL_LOCK_NAME
105 #define MDS_OBJECT_DB_PATH MDS_SYSTEM_DB_DIR "/" MDS_OBJECT_DB_NAME
106 #define MDS_DIRECT_DB_PATH MDS_SYSTEM_DB_DIR "/" MDS_DIRECT_DB_NAME
107
108 /* hard coded modes and a symbolic UID for root */
109 #define MDS_BASE_DB_DIR_MODE (mode_t)0755
110 #define MDS_SYSTEM_DB_DIR_MODE (mode_t)0755
111 #define MDS_SYSTEM_DB_MODE (mode_t)0644
112 #define MDS_USER_DB_DIR_MODE (mode_t)0700
113 #define MDS_USER_DB_MODE (mode_t)0600
114 #define MDS_SYSTEM_UID (uid_t)0
115
116 /*
117 * Location of per-user bundles, relative to home directory.
118 * Per-user DB files are in MDS_BASE_DB_DIR/<uid>/.
119 */
120 #define MDS_USER_BUNDLE "Library/Security"
121
122 /* time to wait in ms trying to acquire lock */
123 #define DB_LOCK_TIMEOUT (2 * 1000)
124
125 /* Minimum interval, in seconds, between rescans for plugin changes */
126 #define MDS_SCAN_INTERVAL 5
127
128 /* trace file I/O */
129 #define MSIoDbg(args...) secdebug("MDS_IO", ## args)
130
131 /* Trace cleanDir() */
132 #define MSCleanDirDbg(args...) secdebug("MDS_CleanDir", ## args)
133
134 static std::string GetMDSBaseDBDir(bool isRoot)
135 {
136 // what we return depends on whether or not we are root
137 string retValue;
138 if (isRoot)
139 {
140 retValue = MDS_SYSTEM_DB_DIR;
141 }
142 else
143 {
144 char strBuffer[PATH_MAX + 1];
145 size_t result = confstr(_CS_DARWIN_USER_CACHE_DIR, strBuffer, sizeof(strBuffer));
146 if (result == 0)
147 {
148 // we have an error, log it
149 syslog(LOG_CRIT, "confstr on _CS_DARWIN_USER_CACHE_DIR returned an error.");
150 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
151 }
152
153 retValue = strBuffer;
154 }
155
156 return retValue;
157 }
158
159
160
161 static std::string GetMDSDBDir()
162 {
163 string retValue;
164 bool isRoot = geteuid() == 0;
165
166 if (isRoot)
167 {
168 retValue = MDS_SYSTEM_DB_DIR;
169 }
170 else
171 {
172 retValue = GetMDSBaseDBDir(isRoot) + "/" + MDS_USER_DB_COMP;
173 }
174
175 return retValue;
176 }
177
178
179
180 static std::string GetMDSObjectDBPath()
181 {
182 return GetMDSDBDir() + "/" + MDS_OBJECT_DB_NAME;
183 }
184
185
186
187 static std::string GetMDSDirectDBPath()
188 {
189 return GetMDSDBDir() + "/" + MDS_DIRECT_DB_PATH;
190 }
191
192
193
194 static std::string GetMDSDBLockPath()
195 {
196 return GetMDSDBDir() + "/" + MDS_LOCK_FILE_NAME;
197 }
198
199
200
201 /*
202 * Given a path to a directory, remove everything in the directory except for the optional
203 * keepFileNames. Returns 0 on success, else an errno.
204 */
205 static int cleanDir(
206 const char *dirPath,
207 const char **keepFileNames, // array of strings, size numKeepFileNames
208 unsigned numKeepFileNames)
209 {
210 DIR *dirp;
211 struct dirent *dp;
212 char fullPath[MAXPATHLEN];
213 int rtn = 0;
214
215 MSCleanDirDbg("cleanDir(%s) top", dirPath);
216 if ((dirp = opendir(dirPath)) == NULL) {
217 rtn = errno;
218 MSCleanDirDbg("opendir(%s) returned %d", dirPath, rtn);
219 return rtn;
220 }
221
222 for(;;) {
223 bool skip = false;
224 const char *d_name = NULL;
225
226 /* this block is for breaking on unqualified entries */
227 do {
228 errno = 0;
229 dp = readdir(dirp);
230 if(dp == NULL) {
231 /* end of directory or error */
232 rtn = errno;
233 if(rtn) {
234 MSCleanDirDbg("cleanDir(%s): readdir err %d", dirPath, rtn);
235 }
236 break;
237 }
238 d_name = dp->d_name;
239
240 /* skip "." and ".." */
241 if( (d_name[0] == '.') &&
242 ( (d_name[1] == '\0') ||
243 ( (d_name[1] == '.') && (d_name[2] == '\0') ) ) ) {
244 skip = true;
245 break;
246 }
247
248 /* skip entries in keepFileNames */
249 for(unsigned dex=0; dex<numKeepFileNames; dex++) {
250 if(!strcmp(keepFileNames[dex], d_name)) {
251 skip = true;
252 break;
253 }
254 }
255 } while(0);
256 if(rtn || (dp == NULL)) {
257 /* one way or another, we're done */
258 break;
259 }
260 if(skip) {
261 /* try again */
262 continue;
263 }
264
265 /* We have an entry to delete. Delete it, or recurse. */
266
267 snprintf(fullPath, sizeof(fullPath), "%s/%s", dirPath, d_name);
268 if(dp->d_type == DT_DIR) {
269 /* directory. Clean it, then delete. */
270 MSCleanDirDbg("cleanDir recursing for dir %s", fullPath);
271 rtn = cleanDir(fullPath, NULL, 0);
272 if(rtn) {
273 break;
274 }
275 MSCleanDirDbg("cleanDir deleting dir %s", fullPath);
276 if(rmdir(fullPath)) {
277 rtn = errno;
278 MSCleanDirDbg("unlink(%s) returned %d", fullPath, rtn);
279 break;
280 }
281 }
282 else {
283 MSCleanDirDbg("cleanDir deleting file %s", fullPath);
284 if(unlink(fullPath)) {
285 rtn = errno;
286 MSCleanDirDbg("unlink(%s) returned %d", fullPath, rtn);
287 break;
288 }
289 }
290
291 /*
292 * Back to beginning of directory for clean scan.
293 * Normally we'd just do a rewinddir() here but the RAMDisk filesystem,
294 * used when booting from DVD, does not implement that properly.
295 */
296 closedir(dirp);
297 if ((dirp = opendir(dirPath)) == NULL) {
298 rtn = errno;
299 MSCleanDirDbg("opendir(%s) returned %d", dirPath, rtn);
300 return rtn;
301 }
302 } /* main loop */
303
304 closedir(dirp);
305 return rtn;
306 }
307
308 /*
309 * Determine if a file exists as regular file with specified owner. Returns true if so.
310 * If the purge argument is true, and there is something at the specified path that
311 * doesn't meet spec, we do everything we can to delete it. If that fails we throw
312 * CssmError(CSSM_ERRCODE_MDS_ERROR). If the delete succeeds we return false.
313 * Returns the stat info on success for further processing by caller.
314 */
315 static bool doesFileExist(
316 const char *filePath,
317 uid_t forUid,
318 bool purge,
319 struct stat &sb) // RETURNED
320 {
321 MSIoDbg("stat %s in doesFileExist", filePath);
322 if(lstat(filePath, &sb)) {
323 /* doesn't exist or we can't even get to it. */
324 if(errno == ENOENT) {
325 return false;
326 }
327 if(purge) {
328 /* If we can't stat it we sure can't delete it. */
329 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
330 }
331 return false;
332 }
333
334 /* it's there...how does it look? */
335 mode_t fileType = sb.st_mode & S_IFMT;
336 if((fileType == S_IFREG) && (sb.st_uid == forUid)) {
337 return true;
338 }
339 if(!purge) {
340 return false;
341 }
342
343 /* not what we want: get rid of it. */
344 if(fileType == S_IFDIR) {
345 /* directory: clean then remove */
346 if(cleanDir(filePath, NULL, 0)) {
347 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
348 }
349 if(rmdir(filePath)) {
350 MSDebug("rmdir(%s) returned %d", filePath, errno);
351 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
352 }
353 }
354 else {
355 if(unlink(filePath)) {
356 MSDebug("unlink(%s) returned %d", filePath, errno);
357 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
358 }
359 }
360
361 /* caller should be somewhat happy */
362 return false;
363 }
364
365 /*
366 * Determine if both of the specified DB files exist as accessible regular files with specified
367 * owner. Returns true if they do.
368 *
369 * If the purge argument is true, we'll ensure that either both files exist with
370 * the right owner, or neither of the files exist on exit. An error on that operation
371 * throws a CSSM_ERRCODE_MDS_ERROR CssmError exception (i.e., we're hosed).
372 * Returns the stat info for both files on success for further processing by caller.
373 */
374 static bool doFilesExist(
375 const char *objDbFile,
376 const char *directDbFile,
377 uid_t forUid,
378 bool purge, // false means "passive" check
379 struct stat &objDbSb, // RETURNED
380 struct stat &directDbSb) // RETURNED
381
382 {
383 bool objectExist = doesFileExist(objDbFile, forUid, purge, objDbSb);
384 bool directExist = doesFileExist(directDbFile, forUid, purge, directDbSb);
385 if(objectExist && directExist) {
386 return true;
387 }
388 else if(!purge) {
389 return false;
390 }
391
392 /*
393 * At least one does not exist - ensure neither of them do.
394 * Note that if we got this far, we know the one that exists is a regular file
395 * so it's safe to just unlink it.
396 */
397 if(objectExist) {
398 if(unlink(objDbFile)) {
399 MSDebug("unlink(%s) returned %d", objDbFile, errno);
400 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
401 }
402 }
403 if(directExist) {
404 if(unlink(directDbFile)) {
405 MSDebug("unlink(%s) returned %d", directDbFile, errno);
406 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
407 }
408 }
409 return false;
410 }
411
412 /*
413 * Determine if specified directory exists with specified owner and mode.
414 * Returns true if copacetic, else returns false and also indicates
415 * via the directStatus out param what went wrong.
416 */
417 typedef enum {
418 MDS_NotPresent, /* nothing there */
419 MDS_NotDirectory, /* not a directory */
420 MDS_BadOwnerMode, /* wrong owner or mode */
421 MDS_Access /* couldn't search the directories */
422 } MdsDirectStatus;
423
424 static bool doesDirectExist(
425 const char *dirPath,
426 uid_t forUid,
427 mode_t mode,
428 MdsDirectStatus &directStatus) /* RETURNED */
429 {
430 struct stat sb;
431
432 MSIoDbg("stat %s in doesDirectExist", dirPath);
433 if (lstat(dirPath, &sb)) {
434 int err = errno;
435 switch(err) {
436 case EACCES:
437 directStatus = MDS_Access;
438 break;
439 case ENOENT:
440 directStatus = MDS_NotPresent;
441 break;
442 /* Any others? Is this a good SWAG to handle the default? */
443 default:
444 directStatus = MDS_NotDirectory;
445 break;
446 }
447 return false;
448 }
449 mode_t fileType = sb.st_mode & S_IFMT;
450 if(fileType != S_IFDIR) {
451 directStatus = MDS_NotDirectory;
452 return false;
453 }
454 if(sb.st_uid != forUid) {
455 directStatus = MDS_BadOwnerMode;
456 return false;
457 }
458 if((sb.st_mode & 07777) != mode) {
459 directStatus = MDS_BadOwnerMode;
460 return false;
461 }
462 return true;
463 }
464
465 /*
466 * Create specified directory if it doesn't already exist. If there is something
467 * already there that doesn't meet spec (not a directory, wrong mode, wrong owner)
468 * we'll do everything we can do delete what is there and then try to create it
469 * correctly.
470 *
471 * Returns an errno on any unrecoverable error.
472 */
473 static int createDir(
474 const char *dirPath,
475 uid_t forUid, // for checking - we don't try to set this
476 mode_t dirMode)
477 {
478 MdsDirectStatus directStatus;
479
480 if(doesDirectExist(dirPath, forUid, dirMode, directStatus)) {
481 /* we're done */
482 return 0;
483 }
484
485 /*
486 * Attempt recovery if there is *something* there.
487 * Anything other than "not present" should be considered to be a possible
488 * attack; syslog it.
489 */
490 int rtn;
491 switch(directStatus) {
492 case MDS_NotPresent:
493 /* normal trivial case: proceed. */
494 break;
495
496 case MDS_NotDirectory:
497 /* there's a file or symlink in the way */
498 if(unlink(dirPath)) {
499 rtn = errno;
500 MSDebug("createDir(%s): unlink() returned %d", dirPath, rtn);
501 return rtn;
502 }
503 break;
504
505 case MDS_BadOwnerMode:
506 /*
507 * It's a directory; try to clean it out (which may well fail if we're
508 * not root).
509 */
510 rtn = cleanDir(dirPath, NULL, 0);
511 if(rtn) {
512 return rtn;
513 }
514 if(rmdir(dirPath)) {
515 rtn = errno;
516 MSDebug("createDir(%s): rmdir() returned %d", dirPath, rtn);
517 return rtn;
518 }
519 /* good to go */
520 break;
521
522 case MDS_Access: /* hopeless */
523 MSDebug("createDir(%s): access failure, bailing", dirPath);
524 return EACCES;
525 }
526 rtn = mkdir(dirPath, dirMode);
527 if(rtn) {
528 rtn = errno;
529 MSDebug("createDir(%s): mkdir() returned %d", dirPath, errno);
530 }
531 else {
532 /* make sure umask does't trick us */
533 rtn = chmod(dirPath, dirMode);
534 if(rtn) {
535 MSDebug("chmod(%s) returned %d", dirPath, errno);
536 }
537 }
538 return rtn;
539 }
540
541 /*
542 * Create an MDS session.
543 */
544 MDSSession::MDSSession (const Guid *inCallerGuid,
545 const CSSM_MEMORY_FUNCS &inMemoryFunctions) :
546 DatabaseSession(MDSModule::get().databaseManager()),
547 mCssmMemoryFunctions (inMemoryFunctions),
548 mModule(MDSModule::get())
549 {
550 MSDebug("MDSSession::MDSSession");
551
552 mCallerGuidPresent = inCallerGuid != nil;
553 if (mCallerGuidPresent) {
554 mCallerGuid = *inCallerGuid;
555 }
556 }
557
558 MDSSession::~MDSSession ()
559 {
560 MSDebug("MDSSession::~MDSSession");
561 }
562
563 void
564 MDSSession::terminate ()
565 {
566 MSDebug("MDSSession::terminate");
567 closeAll();
568 }
569
570 const char* kExceptionDeletePath = "messages";
571
572
573 /*
574 * Called by security server via MDS_Install().
575 */
576 void
577 MDSSession::install ()
578 {
579 //
580 // Installation requires root
581 //
582 if(geteuid() != (uid_t)0) {
583 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
584 }
585
586 //
587 // install() is only (legitimately) called from securityd.
588 // Mark "server mode" so we don't end up waiting for ourselves when the databases open.
589 //
590 mModule.setServerMode();
591
592 try {
593 /* ensure MDS base directory exists with correct permissions */
594 if(createDir(MDS_BASE_DB_DIR, MDS_SYSTEM_UID, MDS_BASE_DB_DIR_MODE)) {
595 MSDebug("Error creating base MDS dir; aborting.");
596 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
597 }
598
599 /* ensure the the system MDS DB directory exists with correct permissions */
600 if(createDir(MDS_SYSTEM_DB_DIR, MDS_SYSTEM_UID, MDS_SYSTEM_DB_DIR_MODE)) {
601 MSDebug("Error creating system MDS dir; aborting.");
602 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
603 }
604
605 LockHelper lh;
606
607 if(!lh.obtainLock(MDS_INSTALL_LOCK_PATH, DB_LOCK_TIMEOUT)) {
608 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
609 }
610
611 /*
612 * We own the whole MDS system. Clean everything out except for our lock
613 * (and the directory it's in :-)
614 */
615
616 const char *savedFile = MDS_INSTALL_LOCK_NAME;
617 if(cleanDir(MDS_SYSTEM_DB_DIR, &savedFile, 1)) {
618 /* this should never happen - we're root */
619 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
620 }
621
622 const char *savedFiles[] = {MDS_SYSTEM_DB_COMP, kExceptionDeletePath};
623 if(cleanDir(MDS_BASE_DB_DIR, savedFiles, 2)) {
624 /* this should never happen - we're root */
625 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
626 }
627
628 /*
629 * Do initial population of system DBs.
630 */
631 createSystemDatabases(CSSM_FALSE, MDS_SYSTEM_DB_MODE);
632 DbFilesInfo dbFiles(*this, MDS_SYSTEM_DB_DIR);
633 dbFiles.updateSystemDbInfo(MDS_SYSTEM_PATH, MDS_BUNDLE_PATH);
634 }
635 catch(...) {
636 throw;
637 }
638 }
639
640 //
641 // In this implementation, the uninstall() call is not supported since
642 // we do not allow programmatic deletion of the MDS databases.
643 //
644
645 void
646 MDSSession::uninstall ()
647 {
648 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
649 }
650
651 /*
652 * Common private open routine given a full specified path.
653 */
654 CSSM_DB_HANDLE MDSSession::dbOpen(const char *dbName, bool batched)
655 {
656 static CSSM_APPLEDL_OPEN_PARAMETERS batchOpenParams = {
657 sizeof(CSSM_APPLEDL_OPEN_PARAMETERS),
658 CSSM_APPLEDL_OPEN_PARAMETERS_VERSION,
659 CSSM_FALSE, // do not auto-commit
660 0 // mask - do not use following fields
661 };
662
663 MSDebug("Opening %s%s", dbName, batched ? " in batch mode" : "");
664 MSIoDbg("open %s in dbOpen(name, batched)", dbName);
665 CSSM_DB_HANDLE dbHand;
666 DatabaseSession::DbOpen(dbName,
667 NULL, // DbLocation
668 CSSM_DB_ACCESS_READ,
669 NULL, // AccessCred - hopefully optional
670 batched ? &batchOpenParams : NULL,
671 dbHand);
672 return dbHand;
673 }
674
675 /* DatabaseSession routines we need to override */
676 void MDSSession::DbOpen(const char *DbName,
677 const CSSM_NET_ADDRESS *DbLocation,
678 CSSM_DB_ACCESS_TYPE AccessRequest,
679 const AccessCredentials *AccessCred,
680 const void *OpenParameters,
681 CSSM_DB_HANDLE &DbHandle)
682 {
683 if (!mModule.serverMode()) {
684 /*
685 * Make sure securityd has finished initializing (system) MDS data.
686 * Note that activate() only does IPC once and retains global state after that.
687 */
688 SecurityServer::ClientSession client(Allocator::standard(), Allocator::standard());
689 client.activate(); /* contact securityd - won't return until MDS is ready */
690 }
691
692 /* make sure DBs are up-to-date */
693 updateDataBases();
694
695 /*
696 * Only task here is map incoming DbName - specified in the CDSA
697 * spec - to a filename we actually use (which is a path to either
698 * a system MDS DB file or a per-user MDS DB file).
699 */
700 if(DbName == NULL) {
701 CssmError::throwMe(CSSMERR_DL_INVALID_DB_NAME);
702 }
703 const char *dbName;
704 if(!strcmp(DbName, MDS_OBJECT_DIRECTORY_NAME)) {
705 dbName = MDS_OBJECT_DB_NAME;
706 }
707 else if(!strcmp(DbName, MDS_CDSA_DIRECTORY_NAME)) {
708 dbName = MDS_DIRECT_DB_NAME;
709 }
710 else {
711 CssmError::throwMe(CSSMERR_DL_INVALID_DB_NAME);
712 }
713 char fullPath[MAXPATHLEN];
714 dbFullPath(dbName, fullPath);
715 MSIoDbg("open %s in dbOpen(name, loc, accessReq...)", dbName);
716 DatabaseSession::DbOpen(fullPath, DbLocation, AccessRequest, AccessCred,
717 OpenParameters, DbHandle);
718 }
719
720 CSSM_HANDLE MDSSession::DataGetFirst(CSSM_DB_HANDLE DBHandle,
721 const CssmQuery *Query,
722 CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes,
723 CssmData *Data,
724 CSSM_DB_UNIQUE_RECORD_PTR &UniqueId)
725 {
726 updateDataBases();
727 return DatabaseSession::DataGetFirst(DBHandle, Query, Attributes, Data, UniqueId);
728 }
729
730
731 void
732 MDSSession::GetDbNames(CSSM_NAME_LIST_PTR &outNameList)
733 {
734 outNameList = new CSSM_NAME_LIST[1];
735 outNameList->NumStrings = 2;
736 outNameList->String = new char*[2];
737 outNameList->String[0] = MDSCopyCstring(MDS_OBJECT_DIRECTORY_NAME);
738 outNameList->String[1] = MDSCopyCstring(MDS_CDSA_DIRECTORY_NAME);
739 }
740
741 void
742 MDSSession::FreeNameList(CSSM_NAME_LIST &inNameList)
743 {
744 delete [] inNameList.String[0];
745 delete [] inNameList.String[1];
746 delete [] inNameList.String;
747 }
748
749 void MDSSession::GetDbNameFromHandle(CSSM_DB_HANDLE DBHandle,
750 char **DbName)
751 {
752 printf("GetDbNameFromHandle: code on demand\n");
753 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
754 }
755
756 //
757 // Attempt to obtain an exclusive lock over the the MDS databases. The
758 // parameter is the maximum amount of time, in milliseconds, to spend
759 // trying to obtain the lock. A value of zero means to return failure
760 // right away if the lock cannot be obtained.
761 //
762 bool
763 MDSSession::LockHelper::obtainLock(
764 const char *lockFile, // e.g. MDS_INSTALL_LOCK_PATH
765 int timeout) // default 0
766 {
767 mFD = -1;
768 for(;;) {
769 secdebug("mdslock", "obtainLock: calling open(%s)", lockFile);
770 mFD = open(lockFile, O_EXLOCK | O_CREAT | O_RDWR, 0644);
771 if(mFD == -1) {
772 int err = errno;
773 secdebug("mdslock", "obtainLock: open error %d", errno);
774 if(err == EINTR) {
775 /* got a signal, go again */
776 continue;
777 }
778 else {
779 /* theoretically should never happen */
780 return false;
781 }
782 }
783 else {
784 secdebug("mdslock", "obtainLock: success");
785 return true;
786 }
787 }
788
789 /* not reached */
790 return false;
791 }
792
793 //
794 // Release the exclusive lock over the MDS databases. If this session
795 // does not hold the lock, this method does nothing.
796 //
797
798 MDSSession::LockHelper::~LockHelper()
799 {
800 secdebug("mdslock", "releaseLock");
801 if (mFD == -1)
802 {
803 return;
804 }
805
806 flock(mFD, LOCK_UN);
807 close(mFD);
808 mFD = -1;
809 }
810
811 /* given DB file name, fill in fully specified path */
812 void MDSSession::dbFullPath(
813 const char *dbName,
814 char fullPath[MAXPATHLEN+1])
815 {
816 mModule.getDbPath(fullPath);
817 assert(fullPath[0] != '\0');
818 strcat(fullPath, "/");
819 strcat(fullPath, dbName);
820 }
821
822 /*
823 * See if any per-user bundles exist in specified directory. Returns true if so.
824 * First the check for one entry....
825 */
826 static bool isBundle(
827 const struct dirent *dp)
828 {
829 if(dp == NULL) {
830 return false;
831 }
832 /* NFS directories show up as DT_UNKNOWN */
833 switch(dp->d_type) {
834 case DT_UNKNOWN:
835 case DT_DIR:
836 break;
837 default:
838 return false;
839 }
840 int suffixLen = strlen(MDS_BUNDLE_EXTEN);
841 size_t len = strlen(dp->d_name);
842
843 return (len >= suffixLen) &&
844 !strcmp(dp->d_name + len - suffixLen, MDS_BUNDLE_EXTEN);
845 }
846
847 /* now the full directory search */
848 static bool checkUserBundles(
849 const char *bundlePath)
850 {
851 MSDebug("searching for user bundles in %s", bundlePath);
852 DIR *dir = opendir(bundlePath);
853 if (dir == NULL) {
854 return false;
855 }
856 struct dirent *dp;
857 bool rtn = false;
858 while ((dp = readdir(dir)) != NULL) {
859 if(isBundle(dp)) {
860 /* any other checking to do? */
861 rtn = true;
862 break;
863 }
864 }
865 closedir(dir);
866 MSDebug("...%s bundle(s) found", rtn ? "" : "No");
867 return rtn;
868 }
869
870 #define COPY_BUF_SIZE 65536
871
872 /*
873 * Single file copy with locking.
874 * Ensures that the source is a regular file with specified owner.
875 * Caller specifies mode of destination file.
876 * Throws a CssmError if the source file doesn't meet spec; throws a
877 * UnixError on any other error (which is generally recoverable by
878 * having the user MDS session use the system DB files).
879 */
880 static void safeCopyFile(
881 const char *fromPath,
882 uid_t fromUid,
883 const char *toPath,
884 mode_t toMode)
885 {
886 int error = 0;
887 bool haveLock = false;
888 int destFd = 0;
889 int srcFd = 0;
890 struct stat sb;
891 char tmpToPath[MAXPATHLEN+1];
892
893 MSIoDbg("open %s, %s in safeCopyFile", fromPath, toPath);
894
895 if(!doesFileExist(fromPath, fromUid, false, sb)) {
896 MSDebug("safeCopyFile: bad system DB file %s", fromPath);
897 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
898 }
899
900 /* create temp destination */
901 snprintf(tmpToPath, sizeof(tmpToPath), "%s_", toPath);
902 destFd = open(tmpToPath, O_WRONLY | O_APPEND | O_CREAT | O_TRUNC | O_EXCL, toMode);
903 if(destFd < 0) {
904 error = errno;
905 MSDebug("Error %d opening user DB file %s\n", error, tmpToPath);
906 UnixError::throwMe(error);
907 }
908
909 struct flock fl;
910 try {
911 /* don't get tripped up by umask */
912 if(fchmod(destFd, toMode)) {
913 error = errno;
914 MSDebug("Error %d chmoding user DB file %s\n", error, tmpToPath);
915 UnixError::throwMe(error);
916 }
917
918 /* open source for reading */
919 srcFd = open(fromPath, O_RDONLY, 0);
920 if(srcFd < 0) {
921 error = errno;
922 MSDebug("Error %d opening system DB file %s\n", error, fromPath);
923 UnixError::throwMe(error);
924 }
925
926 /* acquire the same kind of lock AtomicFile uses */
927 fl.l_start = 0;
928 fl.l_len = 1;
929 fl.l_pid = getpid();
930 fl.l_type = F_RDLCK; // AtomicFile gets F_WRLCK
931 fl.l_whence = SEEK_SET;
932
933 // Keep trying to obtain the lock if we get interupted.
934 for (;;) {
935 if (::fcntl(srcFd, F_SETLKW, &fl) == -1) {
936 error = errno;
937 if (error == EINTR) {
938 error = 0;
939 continue;
940 }
941 MSDebug("Error %d locking system DB file %s\n", error, fromPath);
942 UnixError::throwMe(error);
943 }
944 else {
945 break;
946 haveLock = true;
947 }
948 }
949
950 /* copy */
951 char *buf = new char[COPY_BUF_SIZE];
952 while(1) {
953 ssize_t bytesRead;
954
955 do {
956 bytesRead = read(srcFd, buf, COPY_BUF_SIZE);
957 } while (bytesRead < 0 && errno == EINTR);
958
959 if(bytesRead == 0) {
960 break;
961 }
962 if(bytesRead < 0) {
963 delete [] buf;
964 error = errno;
965 MSDebug("Error %d reading system DB file %s\n", error, fromPath);
966 UnixError::throwMe(error);
967 }
968
969 ssize_t bytesWritten;
970
971 do {
972 bytesWritten = write(destFd, buf, bytesRead);
973 } while (bytesWritten < 0 && errno == EINTR);
974
975 if(bytesWritten < 0) {
976 delete [] buf;
977 error = errno;
978 MSDebug("Error %d writing user DB file %s\n", error, tmpToPath);
979 UnixError::throwMe(error);
980 }
981 }
982 delete [] buf;
983 }
984 catch(...) {
985 /* error is nonzero, we'll re-throw below...still have some cleanup */
986 }
987
988 /* unlock source and close both */
989 if(haveLock) {
990 fl.l_type = F_UNLCK;
991 if (::fcntl(srcFd, F_SETLK, &fl) == -1) {
992 MSDebug("Error %d unlocking system DB file %s\n", errno, fromPath);
993 }
994 }
995 MSIoDbg("close %s, %s in safeCopyFile", fromPath, tmpToPath);
996 if(srcFd) {
997 close(srcFd);
998 }
999 if(destFd) {
1000 close(destFd);
1001 }
1002 if(error == 0) {
1003 /* commit temp file */
1004 if(::rename(tmpToPath, toPath)) {
1005 error = errno;
1006 MSDebug("Error %d committing %s\n", error, toPath);
1007 }
1008 }
1009 if(error) {
1010 UnixError::throwMe(error);
1011 }
1012 }
1013
1014 /*
1015 * Copy system DB files to specified user dir. Caller holds user DB lock.
1016 * Throws a UnixError on error.
1017 */
1018 static void copySystemDbs(
1019 const char *userDbFileDir)
1020 {
1021 char toPath[MAXPATHLEN+1];
1022
1023 snprintf(toPath, sizeof(toPath), "%s/%s", userDbFileDir, MDS_OBJECT_DB_NAME);
1024 safeCopyFile(MDS_OBJECT_DB_PATH, MDS_SYSTEM_UID, toPath, MDS_USER_DB_MODE);
1025 snprintf(toPath, sizeof(toPath), "%s/%s", userDbFileDir, MDS_DIRECT_DB_NAME);
1026 safeCopyFile(MDS_DIRECT_DB_PATH, MDS_SYSTEM_UID, toPath, MDS_USER_DB_MODE);
1027 }
1028
1029 /*
1030 * Ensure current DB files exist and are up-to-date.
1031 * Called from MDSSession constructor and from DataGetFirst, DbOpen, and any
1032 * other public functions which access a DB from scratch.
1033 */
1034 void MDSSession::updateDataBases()
1035 {
1036 RecursionBlock::Once once(mUpdating);
1037 if (once())
1038 return; // already updating; don't recurse
1039
1040 uid_t ourUid = geteuid();
1041 bool isRoot = (ourUid == 0);
1042
1043 /* if we scanned recently, we're done */
1044 double delta = mModule.timeSinceLastScan();
1045 if(delta < (double)MDS_SCAN_INTERVAL) {
1046 return;
1047 }
1048
1049 /*
1050 * If we're root, the first thing we do is to ensure that system DBs are present.
1051 * Note that this is a necessary artifact of the problem behind Radar 3800811.
1052 * When that is fixed, install() should ONLY be called from the public MDS_Install()
1053 * routine.
1054 * Anyway, if we *do* have to install here, we're done.
1055 */
1056 if(isRoot && !systemDatabasesPresent(false)) {
1057 install();
1058 mModule.setDbPath(MDS_SYSTEM_DB_DIR);
1059 mModule.lastScanIsNow();
1060 return;
1061 }
1062
1063 /*
1064 * Obtain various per-user paths. Root is a special case but follows most
1065 * of the same logic from here on.
1066 */
1067 std::string userDBFileDir = GetMDSDBDir();
1068 std::string userObjDBFilePath = GetMDSObjectDBPath();
1069 std::string userDirectDBFilePath = GetMDSDirectDBPath();
1070 char userBundlePath[MAXPATHLEN+1];
1071 std::string userDbLockPath = GetMDSDBLockPath();
1072
1073 /* this means "no user bundles" */
1074 userBundlePath[0] = '\0';
1075 if(!isRoot) {
1076 char *userHome = getenv("HOME");
1077 if((userHome == NULL) ||
1078 (strlen(userHome) + strlen(MDS_USER_BUNDLE) + 2) > sizeof(userBundlePath)) {
1079 /* Can't check for user bundles */
1080 MSDebug("missing or invalid HOME; skipping user bundle check");
1081 }
1082 /* TBD: any other checking of userHome? */
1083 else {
1084 snprintf(userBundlePath, sizeof(userBundlePath),
1085 "%s/%s", userHome, MDS_USER_BUNDLE);
1086 }
1087 }
1088
1089 /*
1090 * Create the per-user directory...that's where the lock we'll be using lives.
1091 */
1092 if(!isRoot) {
1093 if(createDir(userDBFileDir.c_str(), ourUid, MDS_USER_DB_DIR_MODE)) {
1094 /*
1095 * We'll just have to limp along using the read-only system DBs.
1096 * Note that this protects (somewhat) against the DoS attack in
1097 * Radar 3801292. The only problem is that this user won't be able
1098 * to use per-user bundles.
1099 */
1100 MSDebug("Error creating user DBs; using system DBs");
1101 mModule.setDbPath(MDS_SYSTEM_DB_DIR);
1102 return;
1103 }
1104 }
1105
1106 /* always release userLockFd no matter what happens */
1107 LockHelper lh;
1108
1109 if(!lh.obtainLock(userDbLockPath.c_str(), DB_LOCK_TIMEOUT)) {
1110 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
1111 }
1112 try {
1113 if(!isRoot) {
1114 try {
1115 /*
1116 * We copy the system DBs to the per-user DBs in two cases:
1117 * -- user DBs don't exist, or
1118 * -- system DBs have changed since the the last update to the user DBs.
1119 * This happens on smart card insertion and removal.
1120 */
1121 bool doCopySystem = false;
1122 struct stat userObjStat, userDirectStat;
1123 if(!doFilesExist(userObjDBFilePath.c_str(), userDirectDBFilePath.c_str(), ourUid, true,
1124 userObjStat, userDirectStat)) {
1125 doCopySystem = true;
1126 }
1127 else {
1128 /* compare the two mdsDirectory.db files */
1129 MSIoDbg("stat %s, %s in updateDataBases",
1130 MDS_DIRECT_DB_PATH, userDirectDBFilePath.c_str());
1131 struct stat sysStat;
1132 if (!stat(MDS_DIRECT_DB_PATH, &sysStat)) {
1133 doCopySystem = (sysStat.st_mtimespec.tv_sec > userDirectStat.st_mtimespec.tv_sec) ||
1134 ((sysStat.st_mtimespec.tv_sec == userDirectStat.st_mtimespec.tv_sec) &&
1135 (sysStat.st_mtimespec.tv_nsec > userDirectStat.st_mtimespec.tv_nsec));
1136 if(doCopySystem) {
1137 MSDebug("user DB files obsolete at %s", userDBFileDir.c_str());
1138 }
1139 }
1140 }
1141 if(doCopySystem) {
1142 /* copy system DBs to user DBs */
1143 MSDebug("copying system DBs to user at %s", userDBFileDir.c_str());
1144 copySystemDbs(userDBFileDir.c_str());
1145 }
1146 else {
1147 MSDebug("Using existing user DBs at %s", userDBFileDir.c_str());
1148 }
1149 }
1150 catch(const CssmError &cerror) {
1151 /*
1152 * Bad system DB file detected. Fatal.
1153 */
1154 throw;
1155 }
1156 catch(...) {
1157 /*
1158 * Error on delete or create user DBs; fall back on system DBs.
1159 */
1160 MSDebug("doFilesExist(purge) error; using system DBs");
1161 mModule.setDbPath(MDS_SYSTEM_DB_DIR);
1162 return;
1163 }
1164 }
1165 else {
1166 MSDebug("Using system DBs only");
1167 }
1168
1169 /*
1170 * Update per-user DBs from both bundle sources (System bundles, user bundles)
1171 * as appropriate.
1172 */
1173 DbFilesInfo dbFiles(*this, userDBFileDir.c_str());
1174 dbFiles.removeOutdatedPlugins();
1175 dbFiles.updateSystemDbInfo(NULL, MDS_BUNDLE_PATH);
1176 if(userBundlePath[0]) {
1177 /* skip for invalid or missing $HOME... */
1178 if(checkUserBundles(userBundlePath)) {
1179 dbFiles.updateForBundleDir(userBundlePath);
1180 }
1181 }
1182 mModule.setDbPath(userDBFileDir.c_str());
1183 } /* main block protected by mLockFd */
1184 catch(...) {
1185 throw;
1186 }
1187 mModule.lastScanIsNow();
1188 }
1189
1190 /*
1191 * Remove all records with specified guid (a.k.a. ModuleID) from specified DB.
1192 */
1193 void MDSSession::removeRecordsForGuid(
1194 const char *guid,
1195 CSSM_DB_HANDLE dbHand)
1196 {
1197 // tell the DB to flush its intermediate data to disk
1198 PassThrough(dbHand, CSSM_APPLEFILEDL_COMMIT, NULL, NULL);
1199 CssmClient::Query query = Attribute("ModuleID") == guid;
1200 clearRecords(dbHand, query.cssmQuery());
1201 }
1202
1203
1204 void MDSSession::clearRecords(CSSM_DB_HANDLE dbHand, const CssmQuery &query)
1205 {
1206 CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
1207 CSSM_HANDLE resultHand = DataGetFirst(dbHand,
1208 &query,
1209 NULL,
1210 NULL, // No data
1211 record);
1212 if (resultHand == CSSM_INVALID_HANDLE)
1213 return; // no matches
1214 try {
1215 do {
1216 DataDelete(dbHand, *record);
1217 FreeUniqueRecord(dbHand, *record);
1218 record = NULL;
1219 } while (DataGetNext(dbHand,
1220 resultHand,
1221 NULL,
1222 NULL,
1223 record));
1224 } catch (...) {
1225 if (record)
1226 FreeUniqueRecord(dbHand, *record);
1227 DataAbortQuery(dbHand, resultHand);
1228 }
1229 }
1230
1231
1232 /*
1233 * Determine if system databases are present.
1234 * If the purge argument is true, we'll ensure that either both or neither
1235 * DB files exist on exit; in that case caller must be holding MDS_INSTALL_LOCK_PATH.
1236 */
1237 bool MDSSession::systemDatabasesPresent(bool purge)
1238 {
1239 bool rtn = false;
1240
1241 try {
1242 /*
1243 * This can throw on a failed attempt to delete sole existing file....
1244 * But if that happens while we're root, our goose is fully cooked.
1245 */
1246 struct stat objDbSb, directDbSb;
1247 if(doFilesExist(MDS_OBJECT_DB_PATH, MDS_DIRECT_DB_PATH,
1248 MDS_SYSTEM_UID, purge, objDbSb, directDbSb)) {
1249 rtn = true;
1250 }
1251 }
1252 catch(...) {
1253
1254 }
1255 return rtn;
1256 }
1257
1258 /*
1259 * Given a DB name (which is used as an absolute path) and an array of
1260 * RelationInfos, create a DB.
1261 */
1262 void
1263 MDSSession::createSystemDatabase(
1264 const char *dbName,
1265 const RelationInfo *relationInfo,
1266 unsigned numRelations,
1267 CSSM_BOOL autoCommit,
1268 mode_t mode,
1269 CSSM_DB_HANDLE &dbHand) // RETURNED
1270 {
1271 CSSM_DBINFO dbInfo;
1272 CSSM_DBINFO_PTR dbInfoP = &dbInfo;
1273
1274 memset(dbInfoP, 0, sizeof(CSSM_DBINFO));
1275 dbInfoP->NumberOfRecordTypes = numRelations;
1276 dbInfoP->IsLocal = CSSM_TRUE; // TBD - what does this mean?
1277 dbInfoP->AccessPath = NULL; // TBD
1278
1279 /* alloc numRelations elements for parsingModule, recordAttr, and recordIndex
1280 * info arrays */
1281 unsigned size = sizeof(CSSM_DB_PARSING_MODULE_INFO) * numRelations;
1282 dbInfoP->DefaultParsingModules = (CSSM_DB_PARSING_MODULE_INFO_PTR)malloc(size);
1283 memset(dbInfoP->DefaultParsingModules, 0, size);
1284 size = sizeof(CSSM_DB_RECORD_ATTRIBUTE_INFO) * numRelations;
1285 dbInfoP->RecordAttributeNames = (CSSM_DB_RECORD_ATTRIBUTE_INFO_PTR)malloc(size);
1286 memset(dbInfoP->RecordAttributeNames, 0, size);
1287 size = sizeof(CSSM_DB_RECORD_INDEX_INFO) * numRelations;
1288 dbInfoP->RecordIndexes = (CSSM_DB_RECORD_INDEX_INFO_PTR)malloc(size);
1289 memset(dbInfoP->RecordIndexes, 0, size);
1290
1291 /* cook up attribute and index info for each relation */
1292 unsigned relation;
1293 for(relation=0; relation<numRelations; relation++) {
1294 const struct RelationInfo *relp = &relationInfo[relation]; // source
1295 CSSM_DB_RECORD_ATTRIBUTE_INFO_PTR attrInfo =
1296 &dbInfoP->RecordAttributeNames[relation]; // dest 1
1297 CSSM_DB_RECORD_INDEX_INFO_PTR indexInfo =
1298 &dbInfoP->RecordIndexes[relation]; // dest 2
1299
1300 attrInfo->DataRecordType = relp->DataRecordType;
1301 attrInfo->NumberOfAttributes = relp->NumberOfAttributes;
1302 attrInfo->AttributeInfo = (CSSM_DB_ATTRIBUTE_INFO_PTR)relp->AttributeInfo;
1303
1304 indexInfo->DataRecordType = relp->DataRecordType;
1305 indexInfo->NumberOfIndexes = relp->NumberOfIndexes;
1306 indexInfo->IndexInfo = (CSSM_DB_INDEX_INFO_PTR)relp->IndexInfo;
1307 }
1308
1309 /* set autocommit and mode */
1310 CSSM_APPLEDL_OPEN_PARAMETERS openParams;
1311 memset(&openParams, 0, sizeof(openParams));
1312 openParams.length = sizeof(openParams);
1313 openParams.version = CSSM_APPLEDL_OPEN_PARAMETERS_VERSION;
1314 openParams.autoCommit = autoCommit;
1315 openParams.mask = kCSSM_APPLEDL_MASK_MODE;
1316 openParams.mode = mode;
1317
1318 try {
1319 DbCreate(dbName,
1320 NULL, // DbLocation
1321 *dbInfoP,
1322 CSSM_DB_ACCESS_READ | CSSM_DB_ACCESS_WRITE,
1323 NULL, // CredAndAclEntry
1324 &openParams,
1325 dbHand);
1326 }
1327 catch(...) {
1328 MSDebug("Error on DbCreate");
1329 free(dbInfoP->DefaultParsingModules);
1330 free(dbInfoP->RecordAttributeNames);
1331 free(dbInfoP->RecordIndexes);
1332 CssmError::throwMe(CSSM_ERRCODE_MDS_ERROR);
1333 }
1334 free(dbInfoP->DefaultParsingModules);
1335 free(dbInfoP->RecordAttributeNames);
1336 free(dbInfoP->RecordIndexes);
1337
1338 }
1339
1340 /*
1341 * Create system databases from scratch if they do not already exist.
1342 * MDS_INSTALL_LOCK_PATH held on entry and exit. MDS_SYSTEM_DB_DIR assumed to
1343 * exist (that's our caller's job, before acquiring MDS_INSTALL_LOCK_PATH).
1344 * Returns true if we actually built the files, false if they already
1345 * existed.
1346 */
1347 bool MDSSession::createSystemDatabases(
1348 CSSM_BOOL autoCommit,
1349 mode_t mode)
1350 {
1351 CSSM_DB_HANDLE objectDbHand = 0;
1352 CSSM_DB_HANDLE directoryDbHand = 0;
1353
1354 assert(geteuid() == (uid_t)0);
1355 if(systemDatabasesPresent(true)) {
1356 /* both databases exist as regular files with correct owner - we're done */
1357 MSDebug("system DBs already exist");
1358 return false;
1359 }
1360
1361 /* create two DBs - any exception here results in deleting both of them */
1362 MSDebug("Creating MDS DBs");
1363 try {
1364 createSystemDatabase(MDS_OBJECT_DB_PATH, &kObjectRelation, 1,
1365 autoCommit, mode, objectDbHand);
1366 MSIoDbg("close objectDbHand in createSystemDatabases");
1367 DbClose(objectDbHand);
1368 objectDbHand = 0;
1369 createSystemDatabase(MDS_DIRECT_DB_PATH, kMDSRelationInfo, kNumMdsRelations,
1370 autoCommit, mode, directoryDbHand);
1371 MSIoDbg("close directoryDbHand in createSystemDatabases");
1372 DbClose(directoryDbHand);
1373 directoryDbHand = 0;
1374 }
1375 catch (...) {
1376 MSDebug("Error creating MDS DBs - deleting both DB files");
1377 unlink(MDS_OBJECT_DB_PATH);
1378 unlink(MDS_DIRECT_DB_PATH);
1379 throw;
1380 }
1381 return true;
1382 }
1383
1384 /*
1385 * DbFilesInfo helper class
1386 */
1387
1388 /* Note both DB files MUST exist at construction time */
1389 MDSSession::DbFilesInfo::DbFilesInfo(
1390 MDSSession &session,
1391 const char *dbPath) :
1392 mSession(session),
1393 mObjDbHand(0),
1394 mDirectDbHand(0),
1395 mLaterTimestamp(0)
1396 {
1397 assert(strlen(dbPath) < MAXPATHLEN);
1398 strcpy(mDbPath, dbPath);
1399
1400 /* stat the two DB files, snag the later timestamp */
1401 char path[MAXPATHLEN];
1402 sprintf(path, "%s/%s", mDbPath, MDS_OBJECT_DB_NAME);
1403 struct stat sb;
1404 MSIoDbg("stat %s in DbFilesInfo()", path);
1405 int rtn = ::stat(path, &sb);
1406 if(rtn) {
1407 int error = errno;
1408 MSDebug("Error %d statting DB file %s", error, path);
1409 UnixError::throwMe(error);
1410 }
1411 mLaterTimestamp = sb.st_mtimespec.tv_sec;
1412 sprintf(path, "%s/%s", mDbPath, MDS_DIRECT_DB_NAME);
1413 MSIoDbg("stat %s in DbFilesInfo()", path);
1414 rtn = ::stat(path, &sb);
1415 if(rtn) {
1416 int error = errno;
1417 MSDebug("Error %d statting DB file %s", error, path);
1418 UnixError::throwMe(error);
1419 }
1420 if(sb.st_mtimespec.tv_sec > mLaterTimestamp) {
1421 mLaterTimestamp = sb.st_mtimespec.tv_sec;
1422 }
1423 }
1424
1425 MDSSession::DbFilesInfo::~DbFilesInfo()
1426 {
1427 if(mObjDbHand != 0) {
1428 /* autocommit on, henceforth */
1429 mSession.PassThrough(mObjDbHand,
1430 CSSM_APPLEFILEDL_COMMIT, NULL, NULL);
1431 MSIoDbg("close objectDbHand in ~DbFilesInfo()");
1432 mSession.DbClose(mObjDbHand);
1433 mObjDbHand = 0;
1434 }
1435 if(mDirectDbHand != 0) {
1436 mSession.PassThrough(mDirectDbHand,
1437 CSSM_APPLEFILEDL_COMMIT, NULL, NULL);
1438 MSIoDbg("close mDirectDbHand in ~DbFilesInfo()");
1439 mSession.DbClose(mDirectDbHand);
1440 mDirectDbHand = 0;
1441 }
1442 }
1443
1444 /* lazy evaluation of both DB handlesÊ*/
1445 CSSM_DB_HANDLE MDSSession::DbFilesInfo::objDbHand()
1446 {
1447 if(mObjDbHand != 0) {
1448 return mObjDbHand;
1449 }
1450 char fullPath[MAXPATHLEN + 1];
1451 sprintf(fullPath, "%s/%s", mDbPath, MDS_OBJECT_DB_NAME);
1452 MSIoDbg("open %s in objDbHand()", fullPath);
1453 mObjDbHand = mSession.dbOpen(fullPath, true); // batch mode
1454 return mObjDbHand;
1455 }
1456
1457 CSSM_DB_HANDLE MDSSession::DbFilesInfo::directDbHand()
1458 {
1459 if(mDirectDbHand != 0) {
1460 return mDirectDbHand;
1461 }
1462 char fullPath[MAXPATHLEN + 1];
1463 sprintf(fullPath, "%s/%s", mDbPath, MDS_DIRECT_DB_NAME);
1464 MSIoDbg("open %s in directDbHand()", fullPath);
1465 mDirectDbHand = mSession.dbOpen(fullPath, true); // batch mode
1466 return mDirectDbHand;
1467 }
1468
1469 /*
1470 * Update the info for Security.framework and the system bundles.
1471 */
1472 void MDSSession::DbFilesInfo::updateSystemDbInfo(
1473 const char *systemPath, // e.g., /System/Library/Frameworks
1474 const char *bundlePath) // e.g., /System/Library/Security
1475 {
1476 /*
1477 * Security.framework - CSSM and built-in modules - only for initial population of
1478 * system DB files.
1479 */
1480 if (systemPath) {
1481 string path;
1482 if (CFRef<CFBundleRef> me = CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security")))
1483 if (CFRef<CFURLRef> url = CFBundleCopyBundleURL(me))
1484 if (CFRef<CFStringRef> cfpath = CFURLCopyFileSystemPath(url, kCFURLPOSIXPathStyle))
1485 path = cfString(cfpath); // path to my bundle
1486
1487 if (path.empty()) // use system default
1488 path = string(systemPath) + "/" MDS_SYSTEM_FRAME;
1489 updateForBundle(path.c_str());
1490 }
1491
1492 /* Standard loadable bundles */
1493 updateForBundleDir(bundlePath);
1494 }
1495
1496
1497 MDSSession::DbFilesInfo::TbdRecord::TbdRecord(
1498 const CSSM_DATA &guid)
1499 {
1500 assert(guid.Length <= MAX_GUID_LEN);
1501 assert(guid.Length != 0);
1502 memmove(mGuid, guid.Data, guid.Length);
1503 if(mGuid[guid.Length - 1] != '\0') {
1504 mGuid[guid.Length] = '\0';
1505 }
1506 }
1507
1508 /*
1509 * Test if plugin specified by pluginPath needs to be deleted from DBs.
1510 * If so, add to tbdVector.
1511 */
1512 void MDSSession::DbFilesInfo::checkOutdatedPlugin(
1513 const CSSM_DATA &pathValue,
1514 const CSSM_DATA &guidValue,
1515 TbdVector &tbdVector)
1516 {
1517 /* stat the specified plugin */
1518 struct stat sb;
1519 bool obsolete = false;
1520 string path = CssmData::overlay(pathValue).toString();
1521 if (!path.empty() && path[0] == '*') {
1522 /* builtin pseudo-path; never obsolete this */
1523 return;
1524 }
1525 MSIoDbg("stat %s in checkOutdatedPlugin()", path.c_str());
1526 int rtn = ::stat(path.c_str(), &sb);
1527 if(rtn) {
1528 /* not there or inaccessible; delete */
1529 obsolete = true;
1530 }
1531 else if(sb.st_mtimespec.tv_sec > mLaterTimestamp) {
1532 /* timestamp of plugin's main directory later than that of DBs */
1533 obsolete = true;
1534 }
1535 if(obsolete) {
1536 TbdRecord *tbdRecord = new TbdRecord(guidValue);
1537 tbdVector.push_back(tbdRecord);
1538 MSDebug("checkOutdatedPlugin: flagging %s obsolete", path.c_str());
1539 }
1540 }
1541
1542 /*
1543 * Examine dbFiles.objDbHand; remove all fields associated with any bundle
1544 * i.e., with any path) which are either not present on disk, or which
1545 * have changed since dbFiles.laterTimestamp().
1546 */
1547 void MDSSession::DbFilesInfo::removeOutdatedPlugins()
1548 {
1549 CSSM_QUERY query;
1550 CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
1551 CSSM_HANDLE resultHand;
1552 CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
1553 CSSM_DB_ATTRIBUTE_DATA theAttrs[2];
1554 CSSM_DB_ATTRIBUTE_INFO_PTR attrInfo;
1555 TbdVector tbdRecords;
1556
1557 /*
1558 * First, scan object directory. All we need are the path and GUID attributes.
1559 */
1560 recordAttrs.DataRecordType = MDS_OBJECT_RECORDTYPE;
1561 recordAttrs.SemanticInformation = 0;
1562 recordAttrs.NumberOfAttributes = 2;
1563 recordAttrs.AttributeData = theAttrs;
1564
1565 attrInfo = &theAttrs[0].Info;
1566 attrInfo->AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
1567 attrInfo->Label.AttributeName = (char*) "ModuleID";
1568 attrInfo->AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_STRING;
1569 theAttrs[0].NumberOfValues = 0;
1570 theAttrs[0].Value = NULL;
1571 attrInfo = &theAttrs[1].Info;
1572 attrInfo->AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
1573 attrInfo->Label.AttributeName = (char*) "Path";
1574 attrInfo->AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_STRING;
1575 theAttrs[1].NumberOfValues = 0;
1576 theAttrs[1].Value = NULL;
1577
1578 /* just search by recordType, no predicates */
1579 query.RecordType = MDS_OBJECT_RECORDTYPE;
1580 query.Conjunctive = CSSM_DB_NONE;
1581 query.NumSelectionPredicates = 0;
1582 query.SelectionPredicate = NULL;
1583 query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
1584 query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
1585 query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA...FIXME - used?
1586
1587 CssmQuery perryQuery(query);
1588 try {
1589 resultHand = mSession.DataGetFirst(objDbHand(),
1590 &perryQuery,
1591 &recordAttrs,
1592 NULL, // No data
1593 record);
1594 }
1595 catch(...) {
1596 MSDebug("removeOutdatedPlugins: DataGetFirst threw");
1597 return; // ???
1598 }
1599 if(record) {
1600 mSession.FreeUniqueRecord(mObjDbHand, *record);
1601 }
1602 if(resultHand) {
1603 if(theAttrs[0].NumberOfValues && theAttrs[1].NumberOfValues) {
1604 checkOutdatedPlugin(*theAttrs[1].Value, *theAttrs[0].Value,
1605 tbdRecords);
1606 }
1607 else {
1608 MSDebug("removeOutdatedPlugins: incomplete record found (1)!");
1609 }
1610 for(unsigned dex=0; dex<2; dex++) {
1611 CSSM_DB_ATTRIBUTE_DATA *attr = &theAttrs[dex];
1612 for (unsigned attrDex=0; attrDex<attr->NumberOfValues; attrDex++) {
1613 if(attr->Value[attrDex].Data) {
1614 mSession.free(attr->Value[attrDex].Data);
1615 }
1616 }
1617 if(attr->Value) {
1618 mSession.free(attr->Value);
1619 }
1620 }
1621 }
1622 else {
1623 /* empty Object DB - we're done */
1624 MSDebug("removeOutdatedPlugins: empty object DB");
1625 return;
1626 }
1627
1628 /* now the rest of the object DB records */
1629 for(;;) {
1630 bool brtn = mSession.DataGetNext(objDbHand(),
1631 resultHand,
1632 &recordAttrs,
1633 NULL,
1634 record);
1635 if(!brtn) {
1636 /* end of data */
1637 break;
1638 }
1639 if(record) {
1640 mSession.FreeUniqueRecord(mObjDbHand, *record);
1641 }
1642 if(theAttrs[0].NumberOfValues && theAttrs[1].NumberOfValues) {
1643 checkOutdatedPlugin(*theAttrs[1].Value,
1644 *theAttrs[0].Value,
1645 tbdRecords);
1646 }
1647 else {
1648 MSDebug("removeOutdatedPlugins: incomplete record found (2)!");
1649 }
1650 for(unsigned dex=0; dex<2; dex++) {
1651 CSSM_DB_ATTRIBUTE_DATA *attr = &theAttrs[dex];
1652 for (unsigned attrDex=0; attrDex<attr->NumberOfValues; attrDex++) {
1653 if(attr->Value[attrDex].Data) {
1654 mSession.free(attr->Value[attrDex].Data);
1655 }
1656 }
1657 if(attr->Value) {
1658 mSession.free(attr->Value);
1659 }
1660 }
1661 }
1662 /* no DataAbortQuery needed; we scanned until completion */
1663
1664 /*
1665 * We have a vector of plugins to be deleted. Remove all records from both
1666 * DBs associated with the plugins, as specified by guid.
1667 */
1668 size_t numRecords = tbdRecords.size();
1669 for(size_t i=0; i<numRecords; i++) {
1670 TbdRecord *tbdRecord = tbdRecords[i];
1671 mSession.removeRecordsForGuid(tbdRecord->guid(), objDbHand());
1672 mSession.removeRecordsForGuid(tbdRecord->guid(), directDbHand());
1673 }
1674 for(size_t i=0; i<numRecords; i++) {
1675 delete tbdRecords[i];
1676 }
1677 }
1678
1679
1680 /*
1681 * Update DBs for all bundles in specified directory.
1682 */
1683 void MDSSession::DbFilesInfo::updateForBundleDir(
1684 const char *bundleDirPath)
1685 {
1686 /* do this with readdir(); CFBundleCreateBundlesFromDirectory is
1687 * much too heavyweight */
1688 MSDebug("...updating DBs for dir %s", bundleDirPath);
1689 DIR *dir = opendir(bundleDirPath);
1690 if (dir == NULL) {
1691 MSDebug("updateForBundleDir: error %d opening %s", errno, bundleDirPath);
1692 return;
1693 }
1694 struct dirent *dp;
1695 char fullPath[MAXPATHLEN];
1696 while ((dp = readdir(dir)) != NULL) {
1697 if(isBundle(dp)) {
1698 sprintf(fullPath, "%s/%s", bundleDirPath, dp->d_name);
1699 updateForBundle(fullPath);
1700 }
1701 }
1702 closedir(dir);
1703 }
1704
1705 /*
1706 * lookup by path - just returns true if there is a record assoociated with the path
1707 * in mObjDbHand.
1708 */
1709 bool MDSSession::DbFilesInfo::lookupForPath(
1710 const char *path)
1711 {
1712 CSSM_QUERY query;
1713 CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
1714 CSSM_HANDLE resultHand = 0;
1715 CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
1716 CSSM_DB_ATTRIBUTE_DATA theAttr;
1717 CSSM_DB_ATTRIBUTE_INFO_PTR attrInfo = &theAttr.Info;
1718 CSSM_SELECTION_PREDICATE predicate;
1719 CSSM_DATA predData;
1720
1721 recordAttrs.DataRecordType = MDS_OBJECT_RECORDTYPE;
1722 recordAttrs.SemanticInformation = 0;
1723 recordAttrs.NumberOfAttributes = 1;
1724 recordAttrs.AttributeData = &theAttr;
1725
1726 attrInfo->AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
1727 attrInfo->Label.AttributeName = (char*) "Path";
1728 attrInfo->AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_STRING;
1729
1730 theAttr.NumberOfValues = 0;
1731 theAttr.Value = NULL;
1732
1733 predicate.DbOperator = CSSM_DB_EQUAL;
1734 predicate.Attribute.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
1735 predicate.Attribute.Info.Label.AttributeName = (char*) "Path";
1736 predicate.Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_STRING;
1737 predData.Data = (uint8 *)path;
1738 predData.Length = strlen(path);
1739 predicate.Attribute.Value = &predData;
1740 predicate.Attribute.NumberOfValues = 1;
1741
1742 query.RecordType = MDS_OBJECT_RECORDTYPE;
1743 query.Conjunctive = CSSM_DB_NONE;
1744 query.NumSelectionPredicates = 1;
1745 query.SelectionPredicate = &predicate;
1746 query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
1747 query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
1748 query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA...FIXME - used?
1749
1750 bool ourRtn = true;
1751 try {
1752 CssmQuery perryQuery(query);
1753 resultHand = mSession.DataGetFirst(objDbHand(),
1754 &perryQuery,
1755 &recordAttrs,
1756 NULL, // No data
1757 record);
1758 }
1759 catch (...) {
1760 ourRtn = false;
1761 }
1762 if(record) {
1763 mSession.FreeUniqueRecord(mObjDbHand, *record);
1764 }
1765 else {
1766 ourRtn = false;
1767 }
1768 if(resultHand && ourRtn) {
1769 /* more resulting pending; terminate the search */
1770 try {
1771 mSession.DataAbortQuery(mObjDbHand, resultHand);
1772 }
1773 catch(...) {
1774 MSDebug("exception on DataAbortQuery in lookupForPath");
1775 }
1776 }
1777 for(unsigned dex=0; dex<theAttr.NumberOfValues; dex++) {
1778 if(theAttr.Value[dex].Data) {
1779 mSession.free(theAttr.Value[dex].Data);
1780 }
1781 }
1782 mSession.free(theAttr.Value);
1783 return ourRtn;
1784 }
1785
1786 /* update entry for one bundle, which is known to exist */
1787 void MDSSession::DbFilesInfo::updateForBundle(
1788 const char *bundlePath)
1789 {
1790 MSDebug("...updating DBs for bundle %s", bundlePath);
1791
1792 /* Quick lookup - do we have ANY entry for a bundle with this path? */
1793 if(lookupForPath(bundlePath)) {
1794 /* Yep, we're done */
1795 return;
1796 }
1797 MDSAttrParser parser(bundlePath,
1798 mSession,
1799 objDbHand(),
1800 directDbHand());
1801 try {
1802 parser.parseAttrs();
1803 }
1804 catch (const CssmError &err) {
1805 // a corrupt MDS info file invalidates the entire plugin
1806 const char *guid = parser.guid();
1807 if (guid) {
1808 mSession.removeRecordsForGuid(guid, objDbHand());
1809 mSession.removeRecordsForGuid(guid, directDbHand());
1810 }
1811 }
1812 }
1813
1814
1815 //
1816 // Private API: add MDS records from contents of file
1817 // These files are typically written by securityd and handed to us in this call.
1818 //
1819 void MDSSession::installFile(const MDS_InstallDefaults *defaults,
1820 const char *inBundlePath, const char *subdir, const char *file)
1821 {
1822 string bundlePath = inBundlePath ? inBundlePath : cfString(CFBundleGetMainBundle());
1823 DbFilesInfo dbFiles(*this, MDS_SYSTEM_DB_DIR);
1824 MDSAttrParser parser(bundlePath.c_str(),
1825 *this,
1826 dbFiles.objDbHand(),
1827 dbFiles.directDbHand());
1828 parser.setDefaults(defaults);
1829
1830 try {
1831 if (file == NULL) // parse a directory
1832 if (subdir) // a particular directory
1833 parser.parseAttrs(CFTempString(subdir));
1834 else // all resources in bundle
1835 parser.parseAttrs(NULL);
1836 else // parse just one file
1837 parser.parseFile(CFRef<CFURLRef>(makeCFURL(file)), CFTempString(subdir));
1838 }
1839 catch (const CssmError &err) {
1840 const char *guid = parser.guid();
1841 if (guid) {
1842 removeRecordsForGuid(guid, dbFiles.objDbHand());
1843 removeRecordsForGuid(guid, dbFiles.directDbHand());
1844 }
1845 }
1846 }
1847
1848
1849 //
1850 // Private API: Remove all records for a guid/subservice
1851 //
1852 // Note: Multicursors searching for SSID fail because not all records in the
1853 // database have this attribute. So we have to explicitly run through all tables
1854 // that do.
1855 //
1856 void MDSSession::removeSubservice(const char *guid, uint32 ssid)
1857 {
1858 DbFilesInfo dbFiles(*this, MDS_SYSTEM_DB_DIR);
1859
1860 CssmClient::Query query =
1861 Attribute("ModuleID") == guid &&
1862 Attribute("SSID") == ssid;
1863
1864 // only CSP and DL tables are cleared here
1865 // (this function is private to securityd, which only handles those types)
1866 clearRecords(dbFiles.directDbHand(),
1867 CssmQuery(query.cssmQuery(), MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE));
1868 clearRecords(dbFiles.directDbHand(),
1869 CssmQuery(query.cssmQuery(), MDS_CDSADIR_CSP_CAPABILITY_RECORDTYPE));
1870 clearRecords(dbFiles.directDbHand(),
1871 CssmQuery(query.cssmQuery(), MDS_CDSADIR_CSP_ENCAPSULATED_PRODUCT_RECORDTYPE));
1872 clearRecords(dbFiles.directDbHand(),
1873 CssmQuery(query.cssmQuery(), MDS_CDSADIR_CSP_SC_INFO_RECORDTYPE));
1874 clearRecords(dbFiles.directDbHand(),
1875 CssmQuery(query.cssmQuery(), MDS_CDSADIR_DL_PRIMARY_RECORDTYPE));
1876 clearRecords(dbFiles.directDbHand(),
1877 CssmQuery(query.cssmQuery(), MDS_CDSADIR_DL_ENCAPSULATED_PRODUCT_RECORDTYPE));
1878 }
1879
1880
1881 } // end namespace Security