]> git.saurik.com Git - apple/security.git/blob - OSX/authd/engine.c
Security-59306.41.2.tar.gz
[apple/security.git] / OSX / authd / engine.c
1 /* Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. */
2
3 #include "engine.h"
4 #include "rule.h"
5 #include "authitems.h"
6 #include "authtoken.h"
7 #include "agent.h"
8 #include "process.h"
9 #include "debugging.h"
10 #include "server.h"
11 #include "credential.h"
12 #include "session.h"
13 #include "mechanism.h"
14 #include "authutilities.h"
15 #include "ccaudit.h"
16 #include "connection.h"
17
18 #include <pwd.h>
19 #include <Security/checkpw.h>
20 int checkpw_internal( const struct passwd *pw, const char* password );
21
22 #include <Security/AuthorizationTags.h>
23 #include <Security/AuthorizationTagsPriv.h>
24 #include <Security/AuthorizationPriv.h>
25 #include <Security/AuthorizationPlugin.h>
26 #include <LocalAuthentication/LAPublicDefines.h>
27 #include <LocalAuthentication/LAPrivateDefines.h>
28 #include <sandbox.h>
29 #include <coreauthd_spi.h>
30 #include <ctkloginhelper.h>
31
32 AUTHD_DEFINE_LOG
33
34 static void _set_process_hints(auth_items_t, process_t);
35 static void _set_process_immutable_hints(auth_items_t, process_t);
36 static void _set_auth_token_hints(auth_items_t, auth_items_t, auth_token_t);
37 static OSStatus _evaluate_user_credential_for_rule(engine_t, credential_t, rule_t, bool, bool, enum Reason *);
38 static void _engine_set_credential(engine_t, credential_t, bool);
39 static OSStatus _evaluate_rule(engine_t, rule_t, bool *);
40 static bool _preevaluate_class_rule(engine_t engine, rule_t rule);
41 static bool _preevaluate_rule(engine_t engine, rule_t rule);
42
43 static uint64_t global_engine_count;
44
45 enum {
46 kEngineHintsFlagTemporary = (1 << 30)
47 };
48
49 #pragma mark -
50 #pragma mark engine creation
51
52 struct _engine_s {
53 __AUTH_BASE_STRUCT_HEADER__;
54
55 connection_t conn;
56 process_t proc;
57 auth_token_t auth;
58
59 AuthorizationFlags flags;
60 auth_items_t hints;
61 auth_items_t context;
62 auth_items_t sticky_context;
63 auth_items_t immutable_hints;
64
65 auth_rights_t grantedRights;
66
67 CFTypeRef la_context;
68 bool preauthorizing;
69
70 enum Reason reason;
71 int32_t tries;
72
73 CFAbsoluteTime now;
74
75 credential_t sessionCredential;
76 CFMutableSetRef credentials;
77 CFMutableSetRef effectiveCredentials;
78
79 CFMutableDictionaryRef mechanism_agents;
80
81 // set only in engine_authorize
82 const char * currentRightName; // weak ref
83 rule_t currentRule; // weak ref
84
85 rule_t authenticateRule;
86
87 bool dismissed;
88
89 uint64_t engine_index;
90 };
91
92 static void
93 _engine_finalizer(CFTypeRef value)
94 {
95 engine_t engine = (engine_t)value;
96
97 CFReleaseNull(engine->mechanism_agents);
98 CFReleaseNull(engine->conn);
99 CFReleaseNull(engine->auth);
100 CFReleaseNull(engine->hints);
101 CFReleaseNull(engine->context);
102 CFReleaseNull(engine->immutable_hints);
103 CFReleaseNull(engine->sticky_context);
104 CFReleaseNull(engine->grantedRights);
105 CFReleaseNull(engine->sessionCredential);
106 CFReleaseNull(engine->credentials);
107 CFReleaseNull(engine->effectiveCredentials);
108 CFReleaseNull(engine->authenticateRule);
109 CFReleaseNull(engine->la_context);
110 }
111
112 AUTH_TYPE_INSTANCE(engine,
113 .init = NULL,
114 .copy = NULL,
115 .finalize = _engine_finalizer,
116 .equal = NULL,
117 .hash = NULL,
118 .copyFormattingDesc = NULL,
119 .copyDebugDesc = NULL
120 );
121
122 static CFTypeID engine_get_type_id() {
123 static CFTypeID type_id = _kCFRuntimeNotATypeID;
124 static dispatch_once_t onceToken;
125
126 dispatch_once(&onceToken, ^{
127 type_id = _CFRuntimeRegisterClass(&_auth_type_engine);
128 });
129
130 return type_id;
131 }
132
133 engine_t
134 engine_create(connection_t conn, auth_token_t auth)
135 {
136 engine_t engine = NULL;
137 require(conn != NULL, done);
138 require(auth != NULL, done);
139
140 engine = (engine_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, engine_get_type_id(), AUTH_CLASS_SIZE(engine), NULL);
141 require(engine != NULL, done);
142
143 engine->conn = (connection_t)CFRetain(conn);
144 engine->proc = connection_get_process(conn);
145 engine->auth = (auth_token_t)CFRetain(auth);
146
147 engine->hints = auth_items_create();
148 engine->context = auth_items_create();
149 engine->immutable_hints = auth_items_create();
150 engine->sticky_context = auth_items_create();
151 _set_process_hints(engine->hints, engine->proc);
152 _set_process_immutable_hints(engine->immutable_hints, engine->proc);
153 _set_auth_token_hints(engine->hints, engine->immutable_hints, auth);
154
155 engine->grantedRights = auth_rights_create();
156
157 engine->reason = noReason;
158
159 engine->preauthorizing = false;
160
161 engine->la_context = NULL;
162
163 engine->now = CFAbsoluteTimeGetCurrent();
164
165 session_update(auth_token_get_session(engine->auth));
166 engine->sessionCredential = credential_create(session_get_uid(auth_token_get_session(engine->auth)));
167 engine->credentials = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
168 engine->effectiveCredentials = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
169
170 session_credentials_iterate(auth_token_get_session(engine->auth), ^bool(credential_t cred) {
171 CFSetAddValue(engine->effectiveCredentials, cred);
172 return true;
173 });
174
175 auth_token_credentials_iterate(engine->auth, ^bool(credential_t cred) {
176 // we added all session credentials already now just add all previously acquired credentials
177 if (!credential_get_shared(cred)) {
178 CFSetAddValue(engine->credentials, cred);
179 }
180 return true;
181 });
182
183 engine->mechanism_agents = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
184
185 engine->engine_index = global_engine_count++;
186 done:
187 return engine;
188 }
189
190 #pragma mark -
191 #pragma mark agent hints
192
193 void
194 _set_process_hints(auth_items_t hints, process_t proc)
195 {
196 // process information
197 RequestorType type = bundle;
198 auth_items_set_data(hints, AGENT_HINT_CLIENT_TYPE, &type, sizeof(type));
199 auth_items_set_int(hints, AGENT_HINT_CLIENT_PID, process_get_pid(proc));
200 auth_items_set_uint(hints, AGENT_HINT_CLIENT_UID, process_get_uid(proc));
201 }
202
203 void
204 _set_process_immutable_hints(auth_items_t immutable_hints, process_t proc)
205 {
206 // process information - immutable
207 auth_items_set_bool(immutable_hints, AGENT_HINT_CLIENT_SIGNED, process_apple_signed(proc));
208 auth_items_set_bool(immutable_hints, AGENT_HINT_CLIENT_FROM_APPLE, process_firstparty_signed(proc));
209 }
210
211 void
212 _set_auth_token_hints(auth_items_t hints, auth_items_t immutable_hints, auth_token_t auth)
213 {
214 auth_items_set_string(hints, AGENT_HINT_CLIENT_PATH, auth_token_get_code_url(auth));
215 auth_items_set_int(hints, AGENT_HINT_CREATOR_PID, auth_token_get_pid(auth));
216 const audit_info_s * info = auth_token_get_audit_info(auth);
217 auth_items_set_data(hints, AGENT_HINT_CREATOR_AUDIT_TOKEN, &info->opaqueToken, sizeof(info->opaqueToken));
218
219 process_t proc = process_create(info, auth_token_get_session(auth));
220 if (proc) {
221 auth_items_set_bool(immutable_hints, AGENT_HINT_CREATOR_SIGNED, process_apple_signed(proc));
222 auth_items_set_bool(immutable_hints, AGENT_HINT_CREATOR_FROM_APPLE, process_firstparty_signed(proc));
223 }
224 CFReleaseSafe(proc);
225 }
226
227 static void
228 _set_right_hints(auth_items_t hints, const char * right)
229 {
230 auth_items_set_string(hints, AGENT_HINT_AUTHORIZE_RIGHT, right);
231 }
232
233 static void
234 _set_rule_hints(auth_items_t hints, rule_t rule)
235 {
236 auth_items_set_string(hints, AGENT_HINT_AUTHORIZE_RULE, rule_get_name(rule));
237 const char * group = rule_get_group(rule);
238 if (rule_get_class(rule) == RC_USER && group != NULL) {
239 auth_items_set_string(hints, AGENT_HINT_REQUIRE_USER_IN_GROUP, group);
240 } else {
241 auth_items_remove(hints, AGENT_HINT_REQUIRE_USER_IN_GROUP);
242 }
243 }
244
245 static void
246 _set_localization_hints(authdb_connection_t dbconn, auth_items_t hints, rule_t rule)
247 {
248 char * key = calloc(1u, 128);
249
250 authdb_step(dbconn, "SELECT lang,value FROM prompts WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
251 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
252 }, ^bool(auth_items_t data) {
253 snprintf(key, 128, "%s%s", kAuthorizationRuleParameterDescription, auth_items_get_string(data, "lang"));
254 auth_items_set_string(hints, key, auth_items_get_string(data, "value"));
255 auth_items_set_flags(hints, key, kEngineHintsFlagTemporary);
256 return true;
257 });
258
259 authdb_step(dbconn, "SELECT lang,value FROM buttons WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
260 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
261 }, ^bool(auth_items_t data) {
262 snprintf(key, 128, "%s%s", kAuthorizationRuleParameterButton, auth_items_get_string(data, "lang"));
263 auth_items_set_string(hints, key, auth_items_get_string(data, "value"));
264 auth_items_set_flags(hints, key, kEngineHintsFlagTemporary);
265 return true;
266 });
267
268 free_safe(key);
269 }
270
271 static void
272 _set_session_hints(engine_t engine, rule_t rule)
273 {
274 os_log_debug(AUTHD_LOG, "engine %lld: ** prepare agent hints for rule %{public}s", engine->engine_index, rule_get_name(rule));
275 if (_evaluate_user_credential_for_rule(engine, engine->sessionCredential, rule, true, true, NULL) == errAuthorizationSuccess) {
276 const char * tmp = credential_get_name(engine->sessionCredential);
277 if (tmp != NULL) {
278 auth_items_set_string(engine->hints, AGENT_HINT_SUGGESTED_USER, tmp);
279 }
280 tmp = credential_get_realname(engine->sessionCredential);
281 if (tmp != NULL) {
282 auth_items_set_string(engine->hints, AGENT_HINT_SUGGESTED_USER_LONG, tmp);
283 }
284 } else {
285 auth_items_remove(engine->hints, AGENT_HINT_SUGGESTED_USER);
286 auth_items_remove(engine->hints, AGENT_HINT_SUGGESTED_USER_LONG);
287 }
288 }
289
290 #pragma mark -
291 #pragma mark right processing
292
293 static OSStatus
294 _evaluate_credential_for_rule(engine_t engine, credential_t cred, rule_t rule, bool ignoreShared, bool sessionOwner, enum Reason * reason)
295 {
296 if (auth_token_least_privileged(engine->auth)) {
297 if (credential_is_right(cred) && credential_get_valid(cred) && _compare_string(engine->currentRightName, credential_get_name(cred))) {
298 if (!ignoreShared) {
299 if (!rule_get_shared(rule) && credential_get_shared(cred)) {
300 os_log_error(AUTHD_LOG, "Shared right %{public}s (does NOT satisfy rule) (engine %lld)", credential_get_name(cred), engine->engine_index);
301 if (reason) { *reason = unknownReason; }
302 return errAuthorizationDenied;
303 }
304 }
305
306 return errAuthorizationSuccess;
307 } else {
308 if (reason) { *reason = unknownReason; }
309 return errAuthorizationDenied;
310 }
311 } else {
312 return _evaluate_user_credential_for_rule(engine,cred,rule,ignoreShared,sessionOwner, reason);
313 }
314 }
315
316 static OSStatus
317 _evaluate_user_credential_for_rule(engine_t engine, credential_t cred, rule_t rule, bool ignoreShared, bool sessionOwner, enum Reason * reason)
318 {
319 const char * cred_label = sessionOwner ? "session owner" : "credential";
320 os_log(AUTHD_LOG, "Validating %{public}s%{public}s %{public}s (%i) for %{public}s (engine %lld)", credential_get_shared(cred) ? "shared " : "",
321 cred_label,
322 credential_get_name(cred),
323 credential_get_uid(cred),
324 rule_get_name(rule),
325 engine->engine_index);
326
327 if (rule_get_class(rule) != RC_USER) {
328 os_log(AUTHD_LOG, "Invalid rule class %i (engine %lld)", rule_get_class(rule), engine->engine_index);
329 return errAuthorizationDenied;
330 }
331
332 if (credential_get_valid(cred) != true) {
333 os_log(AUTHD_LOG, "%{public}s %i invalid (does NOT satisfy rule) (engine %lld)", cred_label, credential_get_uid(cred), engine->engine_index);
334 if (reason) { *reason = invalidPassphrase; }
335 return errAuthorizationDenied;
336 }
337
338 if (engine->now - credential_get_creation_time(cred) > rule_get_timeout(rule)) {
339 os_log(AUTHD_LOG, "%{public}s %i expired '%f > %lli' (does NOT satisfy rule) (engine %lld)", cred_label, credential_get_uid(cred),
340 (engine->now - credential_get_creation_time(cred)), rule_get_timeout(rule), engine->engine_index);
341 if (reason) { *reason = unknownReason; }
342 return errAuthorizationDenied;
343 }
344
345 if (!ignoreShared) {
346 if (!rule_get_shared(rule) && credential_get_shared(cred)) {
347 os_log(AUTHD_LOG, "Shared %{public}s %i (does NOT satisfy rule) (engine %lld)", cred_label, credential_get_uid(cred), engine->engine_index);
348 if (reason) { *reason = unknownReason; }
349 return errAuthorizationDenied;
350 }
351 }
352
353 if (credential_get_uid(cred) == 0) {
354 os_log(AUTHD_LOG, "%{public}s %i has uid 0 (does satisfy rule) (engine %lld)", cred_label, credential_get_uid(cred), engine->engine_index);
355 return errAuthorizationSuccess;
356 }
357
358 if (rule_get_session_owner(rule)) {
359 if (credential_get_uid(cred) == session_get_uid(auth_token_get_session(engine->auth))) {
360 os_log(AUTHD_LOG, "%{public}s %i is session owner (does satisfy rule) (engine %lld)", cred_label, credential_get_uid(cred), engine->engine_index);
361 return errAuthorizationSuccess;
362 }
363 }
364
365 if (rule_get_group(rule) != NULL) {
366 do
367 {
368 // This allows testing a group modifier without prompting the user
369 // When (authenticate-user = false) we are just testing the creator uid.
370 // If a group modifier is enabled (RuleFlagEntitledAndGroup | RuleFlagVPNEntitledAndGroup)
371 // we want to skip the creator uid group check.
372 // group modifiers are checked early during the evaluation in _check_entitlement_for_rule
373 if (!rule_get_authenticate_user(rule)) {
374 if (rule_check_flags(rule, RuleFlagEntitledAndGroup | RuleFlagVPNEntitledAndGroup)) {
375 break;
376 }
377 }
378
379 if (credential_check_membership(cred, rule_get_group(rule))) {
380 os_log(AUTHD_LOG, "%{public}s %i is member of group %{public}s (does satisfy rule) (engine %lld)", cred_label, credential_get_uid(cred), rule_get_group(rule), engine->engine_index);
381 return errAuthorizationSuccess;
382 } else {
383 if (reason) { *reason = userNotInGroup; }
384 }
385 } while (0);
386 } else if (rule_get_session_owner(rule)) { // rule asks only if user is the session owner
387 if (reason) { *reason = unacceptableUser; }
388 }
389
390 os_log(AUTHD_LOG, "%{public}s %i (does NOT satisfy rule), reason %d (engine %lld)", cred_label, credential_get_uid(cred), reason ? *reason : -1, engine->engine_index);
391 return errAuthorizationDenied;
392 }
393
394 static agent_t
395 _get_agent(engine_t engine, mechanism_t mech, bool create, bool firstMech)
396 {
397 agent_t agent = (agent_t)CFDictionaryGetValue(engine->mechanism_agents, mech);
398 if (create && !agent) {
399 agent = agent_create(engine, mech, engine->auth, engine->proc, firstMech);
400 if (agent) {
401 CFDictionaryAddValue(engine->mechanism_agents, mech, agent);
402 CFReleaseSafe(agent);
403 }
404 }
405 return agent;
406 }
407
408 static uint64_t
409 _evaluate_builtin_mechanism(engine_t engine, mechanism_t mech)
410 {
411 uint64_t result = kAuthorizationResultDeny;
412
413 switch (mechanism_get_type(mech)) {
414 case kMechanismTypeEntitled:
415 if (auth_token_has_entitlement_for_right(engine->auth, engine->currentRightName)) {
416 result = kAuthorizationResultAllow;
417 }
418 break;
419 default:
420 break;
421 }
422
423 return result;
424 }
425
426 static bool
427 _extract_password_from_la(engine_t engine)
428 {
429 bool retval = false;
430
431 if (!engine->la_context) {
432 return retval;
433 }
434
435 // try to retrieve secret
436 CFDataRef passdata = LACopyCredential(engine->la_context, kLACredentialTypeExtractablePasscode, NULL);
437 if (passdata) {
438 if (CFDataGetBytePtr(passdata)) {
439 os_log_debug(AUTHD_LOG, "engine %lld: LA credentials retrieved", engine->engine_index);
440 auth_items_set_data(engine->context, kAuthorizationEnvironmentPassword, CFDataGetBytePtr(passdata), CFDataGetLength(passdata));
441 } else {
442 const char *empty_pass = "\0"; // authd code is unable to process empty strings so passing empty string as terminator only
443 os_log_debug(AUTHD_LOG, "engine %lld: LA credentials empty", engine->engine_index);
444 auth_items_set_data(engine->context, kAuthorizationEnvironmentPassword, empty_pass, 1);
445 }
446 CFRelease(passdata);
447 }
448 return retval;
449 }
450
451 static OSStatus
452 _evaluate_mechanisms(engine_t engine, CFArrayRef mechanisms)
453 {
454 uint64_t result = kAuthorizationResultAllow;
455 ccaudit_t ccaudit = ccaudit_create(engine->proc, engine->auth, AUE_ssauthmech);
456 auth_items_t context = auth_items_create();
457 auth_items_t hints = auth_items_create();
458
459 auth_items_copy(context, engine->context);
460 auth_items_copy(hints, engine->hints);
461 auth_items_copy(context, engine->sticky_context);
462
463 CFDictionaryRef la_result = NULL;
464
465 CFIndex count = CFArrayGetCount(mechanisms);
466 bool sheet_evaluation = false;
467 if (engine->la_context) {
468 int tmp = kLAOptionNotInteractive;
469 CFNumberRef key = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tmp);
470 tmp = 1;
471 CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tmp);
472 if (key && value) {
473 CFMutableDictionaryRef options = CFDictionaryCreateMutable(kCFAllocatorDefault, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
474 CFDictionarySetValue(options, key, value);
475 la_result = LACopyResultOfPolicyEvaluation(engine->la_context, kLAPolicyDeviceOwnerAuthentication, options, NULL);
476 os_log_debug(AUTHD_LOG, "engine %lld: Retrieve LA evaluate result: %d", engine->engine_index, la_result != NULL);
477 CFReleaseSafe(options);
478 }
479 CFReleaseSafe(key);
480 CFReleaseSafe(value);
481 }
482
483 for (CFIndex i = 0; i < count; i++) {
484 mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(mechanisms, i);
485
486 if (mechanism_get_type(mech)) {
487 os_log_debug(AUTHD_LOG, "engine %lld: running builtin mechanism %{public}s (%li of %li)", engine->engine_index, mechanism_get_string(mech), i+1, count);
488 result = _evaluate_builtin_mechanism(engine, mech);
489 } else {
490 bool shoud_run_agent = true; // evaluate comes from sheet -> we may not want to run standard SecurityAgent or authhost
491 if (engine->la_context) {
492 // sheet variant in progress
493 if (strcmp(mechanism_get_string(mech), "builtin:authenticate") == 0) {
494 // set the UID the same way as SecurityAgent would
495 if (auth_items_exist(engine->context, "sheet-uid")) {
496 os_log_debug(AUTHD_LOG, "engine %lld: setting sheet UID %d to the context", engine->engine_index, auth_items_get_uint(engine->context, "sheet-uid"));
497 auth_items_set_uint(engine->context, "uid", auth_items_get_uint(engine->context, "sheet-uid"));
498 }
499
500 // find out if sheet just provided credentials or did real authentication
501 // if password is provided or PAM service name exists, it means authd has to evaluate credentials
502 // otherwise we need to check la_result
503 if (auth_items_exist(engine->context, AGENT_CONTEXT_AP_PAM_SERVICE_NAME) || auth_items_exist(engine->context, kAuthorizationEnvironmentPassword)) {
504 // do not try to get credentials as it has been already passed by sheet
505 os_log_debug(AUTHD_LOG, "engine %lld: ignoring builtin sheet authenticate", engine->engine_index);
506 } else {
507 // sheet itself did the authenticate the user
508 os_log_debug(AUTHD_LOG, "engine %lld: running builtin sheet authenticate", engine->engine_index);
509 sheet_evaluation = true;
510 if (!la_result || TKGetSmartcardSetting(kTKEnforceSmartcard) != 0) {
511 result = kAuthorizationResultDeny; // no la_result => evaluate did not pass for sheet method. Enforced smartcard => no way to use sheet based evaluation
512 }
513 }
514 shoud_run_agent = false; // SecurityAgent should not be run for builtin:authenticate
515 } else if (strcmp(mechanism_get_string(mech), "builtin:authenticate,privileged") == 0) {
516 if (sheet_evaluation) {
517 os_log_debug(AUTHD_LOG, "engine %lld: running builtin sheet privileged authenticate", engine->engine_index);
518 shoud_run_agent = false;
519 if (!la_result || TKGetSmartcardSetting(kTKEnforceSmartcard) != 0) { // should not get here under normal circumstances but we need to handle this case as well
520 result = kAuthorizationResultDeny; // no la_result => evaluate did not pass. Enforced smartcard => no way to use sheet based evaluation
521 }
522 } else {
523 // should_run_agent has to be set to true because we want authorizationhost to verify the credentials
524 os_log_debug(AUTHD_LOG, "engine %lld: running sheet privileged authenticate", engine->engine_index);
525 }
526 }
527 }
528
529 if (shoud_run_agent) {
530 agent_t agent = _get_agent(engine, mech, true, i == 0);
531 require_action(agent != NULL, done, result = kAuthorizationResultUndefined; os_log_error(AUTHD_LOG, "Error creating mechanism agent (engine %lld)", engine->engine_index));
532
533 // check if any agent has been interrupted (it necessary if interrupt will come during creation)
534 CFIndex j;
535 agent_t agent1;
536 for (j = 0; j < i; j++) {
537 agent1 = _get_agent(engine, (mechanism_t)CFArrayGetValueAtIndex(mechanisms, j), false, j == 0);
538 if(agent1 && agent_get_state(agent1) == interrupting) {
539 break;
540 }
541 }
542 if (j < i) {
543 os_log(AUTHD_LOG, "engine %lld: mechanisms interrupted", engine->engine_index);
544 char * buf = NULL;
545 asprintf(&buf, "evaluation interrupted by %s; restarting evaluation there", mechanism_get_string(agent_get_mechanism(agent1)));
546 ccaudit_log_mechanism(ccaudit, engine->currentRightName, mechanism_get_string(agent_get_mechanism(agent1)), kAuthorizationResultAllow, buf);
547 free_safe(buf);
548 ccaudit_log_mechanism(ccaudit, engine->currentRightName, mechanism_get_string(mech), kAuthorizationResultAllow, NULL);
549 const char * token_name = auth_items_get_string(hints, AGENT_HINT_TOKEN_NAME);
550 if (token_name && strlen(token_name) == 0) {
551 auth_items_remove(hints, AGENT_HINT_TOKEN_NAME);
552 }
553 auth_items_copy(context, agent_get_context(agent1));
554 auth_items_copy(hints, agent_get_hints(agent1));
555
556 i = j - 1;
557
558 continue;
559 }
560
561 os_log(AUTHD_LOG, "engine %lld: running mechanism %{public}s (%li of %li)", engine->engine_index, mechanism_get_string(agent_get_mechanism(agent)), i+1, count);
562
563 result = agent_run(agent, hints, context, engine->immutable_hints);
564
565 auth_items_copy(context, agent_get_context(agent));
566 auth_items_copy(hints, agent_get_hints(agent));
567
568 bool interrupted = false;
569 for (CFIndex i2 = 0; i2 != i; i2++) {
570 agent_t agent2 = _get_agent(engine, (mechanism_t)CFArrayGetValueAtIndex(mechanisms, i2), false, i == 0);
571 if (agent2 && agent_get_state(agent2) == interrupting) {
572 agent_deactivate(agent);
573 interrupted = true;
574 i = i2 - 1;
575 char * buf = NULL;
576 asprintf(&buf, "evaluation interrupted by %s; restarting evaluation there", mechanism_get_string(agent_get_mechanism(agent2)));
577 ccaudit_log_mechanism(ccaudit, engine->currentRightName, mechanism_get_string(agent_get_mechanism(agent2)), kAuthorizationResultAllow, buf);
578 free_safe(buf);
579 auth_items_copy(context, agent_get_context(agent2));
580 auth_items_copy(hints, agent_get_hints(agent2));
581 break;
582 }
583 }
584
585 // Empty token name means that token doesn't exist (e.g. SC was removed).
586 // Remove empty token name from hints for UI drawing logic.
587 const char * token_name = auth_items_get_string(hints, AGENT_HINT_TOKEN_NAME);
588 if (token_name && strlen(token_name) == 0) {
589 auth_items_remove(hints, AGENT_HINT_TOKEN_NAME);
590 }
591
592 if (interrupted) {
593 os_log_info(AUTHD_LOG, "Mechanisms interrupted (engine %lld)", engine->engine_index);
594 enum Reason reason = worldChanged;
595 auth_items_set_data(hints, AGENT_HINT_RETRY_REASON, &reason, sizeof(reason));
596 result = kAuthorizationResultAllow;
597 _cf_dictionary_iterate(engine->mechanism_agents, ^bool(CFTypeRef key __attribute__((__unused__)), CFTypeRef value) {
598 agent_t tempagent = (agent_t)value;
599 agent_clear_interrupt(tempagent);
600 return true;
601 });
602 }
603 }
604 }
605
606 if (result == kAuthorizationResultAllow) {
607 ccaudit_log_mechanism(ccaudit, engine->currentRightName, mechanism_get_string(mech), kAuthorizationResultAllow, NULL);
608 } else {
609 ccaudit_log_mechanism(ccaudit, engine->currentRightName, mechanism_get_string(mech), (uint32_t)result, NULL);
610 break;
611 }
612 }
613
614 done:
615 if ((result == kAuthorizationResultUserCanceled) || (result == kAuthorizationResultAllow)) {
616 // only make non-sticky context values available externally
617 auth_items_set_flags(context, kAuthorizationEnvironmentPassword, kAuthorizationContextFlagVolatile);
618 // <rdar://problem/16275827> Takauthorizationenvironmentusername should always be extractable
619 auth_items_set_flags(context, kAuthorizationEnvironmentUsername, kAuthorizationContextFlagExtractable);
620 auth_items_copy_with_flags(engine->context, context, kAuthorizationContextFlagExtractable | kAuthorizationContextFlagVolatile);
621 } else if (result == kAuthorizationResultDeny) {
622 auth_items_clear(engine->sticky_context);
623 // save off sticky values in context
624 auth_items_copy_with_flags(engine->sticky_context, context, kAuthorizationContextFlagSticky);
625 }
626
627 CFReleaseSafe(ccaudit);
628 CFReleaseSafe(context);
629 CFReleaseSafe(hints);
630 CFReleaseSafe(la_result);
631
632 switch(result)
633 {
634 case kAuthorizationResultDeny:
635 return errAuthorizationDenied;
636 case kAuthorizationResultUserCanceled:
637 return errAuthorizationCanceled;
638 case kAuthorizationResultAllow:
639 return errAuthorizationSuccess;
640 case kAuthorizationResultUndefined:
641 return errAuthorizationInternal;
642 default:
643 {
644 os_log_error(AUTHD_LOG, "Evaluate - unexpected result %llu (engine %lld)", result, engine->engine_index);
645 return errAuthorizationInternal;
646 }
647 }
648 }
649
650 static OSStatus
651 _evaluate_authentication(engine_t engine, rule_t rule)
652 {
653 OSStatus status = errAuthorizationDenied;
654 ccaudit_t ccaudit = ccaudit_create(engine->proc, engine->auth, AUE_ssauthint);
655 os_log_debug(AUTHD_LOG, "engine %lld: evaluate authentication", engine->engine_index);
656 _set_rule_hints(engine->hints, rule);
657 _set_session_hints(engine, rule);
658
659 CFArrayRef mechanisms = rule_get_mechanisms(rule);
660 if (!(CFArrayGetCount(mechanisms) > 0)) {
661 mechanisms = rule_get_mechanisms(engine->authenticateRule);
662 }
663 require_action(CFArrayGetCount(mechanisms) > 0, done, os_log_debug(AUTHD_LOG, "engine %lld: error - no mechanisms found", engine->engine_index));
664
665 int64_t ruleTries = rule_get_tries(rule);
666
667 if (engine->la_context) {
668 ruleTries = 1;
669 os_log_debug(AUTHD_LOG, "engine %lld: sheet authentication in progress, one try is enough", engine->engine_index);
670 }
671
672 for (engine->tries = 0; engine->tries < ruleTries; engine->tries++) {
673
674 auth_items_set_data(engine->hints, AGENT_HINT_RETRY_REASON, &engine->reason, sizeof(engine->reason));
675 auth_items_set_int(engine->hints, AGENT_HINT_TRIES, engine->tries);
676 status = _evaluate_mechanisms(engine, mechanisms);
677
678 os_log_debug(AUTHD_LOG, "engine %lld: evaluate mechanisms result %d", engine->engine_index, (int)status);
679
680 // successfully ran mechanisms to obtain credential
681 if (status == errAuthorizationSuccess) {
682 // deny is the default
683 status = errAuthorizationDenied;
684
685 credential_t newCred = NULL;
686 if (auth_items_exist(engine->context, "uid")) {
687 newCred = credential_create(auth_items_get_uint(engine->context, "uid"));
688 } else {
689 os_log_info(AUTHD_LOG, "Mechanism failed to return a valid uid (engine %lld)", engine->engine_index);
690 if (engine->la_context) {
691 // sheet failed so remove sheet reference and next time, standard dialog will be displayed
692 CFReleaseNull(engine->la_context);
693 }
694 }
695
696 if (newCred) {
697 if (credential_get_valid(newCred)) {
698 os_log(AUTHD_LOG, "UID %u authenticated as user %{public}s (UID %u) for right '%{public}s'", auth_token_get_uid(engine->auth), credential_get_name(newCred), credential_get_uid(newCred), engine->currentRightName);
699 ccaudit_log_success(ccaudit, newCred, engine->currentRightName);
700 } else {
701 os_log(AUTHD_LOG, "UID %u failed to authenticate as user '%{public}s' for right '%{public}s'", auth_token_get_uid(engine->auth), auth_items_get_string(engine->context, "username"), engine->currentRightName);
702 ccaudit_log_failure(ccaudit, auth_items_get_string(engine->context, "username"), engine->currentRightName);
703 }
704
705 status = _evaluate_user_credential_for_rule(engine, newCred, rule, true, false, &engine->reason);
706
707 if (status == errAuthorizationSuccess) {
708 _engine_set_credential(engine, newCred, rule_get_shared(rule));
709 CFReleaseSafe(newCred);
710
711 if (auth_token_least_privileged(engine->auth)) {
712 credential_t rightCred = credential_create_with_right(engine->currentRightName);
713 _engine_set_credential(engine, rightCred, rule_get_shared(rule));
714 CFReleaseSafe(rightCred);
715 }
716
717 session_t session = auth_token_get_session(engine->auth);
718 if (credential_get_uid(newCred) == session_get_uid(session)) {
719 os_log_debug(AUTHD_LOG, "engine %lld: authenticated as the session owner", engine->engine_index);
720 session_set_attributes(auth_token_get_session(engine->auth), AU_SESSION_FLAG_HAS_AUTHENTICATED);
721 }
722
723 break;
724 } else {
725 os_log_error(AUTHD_LOG, "User credential for rule failed (%d) (engine %lld)", (int)status, engine->engine_index);
726 }
727
728 CFReleaseSafe(newCred);
729 }
730
731 } else if (status == errAuthorizationCanceled || status == errAuthorizationInternal) {
732 os_log_error(AUTHD_LOG, "Evaluate cancelled or failed %d (engine %lld)", (int)status, engine->engine_index);
733 break;
734 } else if (status == errAuthorizationDenied) {
735 os_log_error(AUTHD_LOG, "Evaluate denied (engine %lld)", engine->engine_index);
736 engine->reason = invalidPassphrase;
737 }
738 }
739
740 if (engine->tries == ruleTries) {
741 engine->reason = tooManyTries;
742 auth_items_set_data(engine->hints, AGENT_HINT_RETRY_REASON, &engine->reason, sizeof(engine->reason));
743 auth_items_set_int(engine->hints, AGENT_HINT_TRIES, engine->tries);
744 ccaudit_log(ccaudit, engine->currentRightName, NULL, 1113);
745 }
746
747 done:
748 CFReleaseSafe(ccaudit);
749
750 return status;
751 }
752
753 static bool
754 _check_entitlement_for_rule(engine_t engine, rule_t rule)
755 {
756 bool entitled = false;
757 CFTypeRef value = NULL;
758
759 if (rule_check_flags(rule, RuleFlagEntitledAndGroup)) {
760 if (auth_token_has_entitlement_for_right(engine->auth, engine->currentRightName)) {
761 if (credential_check_membership(auth_token_get_credential(engine->auth), rule_get_group(rule))) {
762 os_log_info(AUTHD_LOG, "Creator of authorization has entitlement for right %{public}s and is member of group '%{public}s' (engine %lld)", engine->currentRightName, rule_get_group(rule), engine->engine_index);
763 entitled = true;
764 goto done;
765 }
766 }
767 }
768
769 if (rule_check_flags(rule, RuleFlagVPNEntitledAndGroup)) {
770 // com.apple.networking.vpn.configuration is an array we only check for it's existence
771 value = auth_token_copy_entitlement_value(engine->auth, "com.apple.networking.vpn.configuration");
772 if (value) {
773 if (credential_check_membership(auth_token_get_credential(engine->auth), rule_get_group(rule))) {
774 os_log_info(AUTHD_LOG, "Creator of authorization has VPN entitlement and is member of group '%{public}s' (engine %lld)", rule_get_group(rule), engine->engine_index);
775 entitled = true;
776 goto done;
777 }
778 }
779 }
780
781 done:
782 CFReleaseSafe(value);
783 return entitled;
784 }
785
786 static OSStatus
787 _evaluate_class_user(engine_t engine, rule_t rule)
788 {
789 __block OSStatus status = errAuthorizationDenied;
790
791 if (_check_entitlement_for_rule(engine,rule)) {
792 return errAuthorizationSuccess;
793 }
794
795 if (rule_get_allow_root(rule) && auth_token_get_uid(engine->auth) == 0) {
796 os_log_info(AUTHD_LOG, "Creator of authorization has uid == 0, granting right %{public}s (engine %lld)", engine->currentRightName, engine->engine_index);
797 return errAuthorizationSuccess;
798 }
799
800 if (!rule_get_authenticate_user(rule)) {
801 status = _evaluate_user_credential_for_rule(engine, engine->sessionCredential, rule, true, true, NULL);
802
803 if (status == errAuthorizationSuccess) {
804 return errAuthorizationSuccess;
805 }
806
807 return errAuthorizationDenied;
808 }
809
810 // First -- check all the credentials we have either acquired or currently have
811 _cf_set_iterate(engine->credentials, ^bool(CFTypeRef value) {
812 credential_t cred = (credential_t)value;
813 // Passed-in user credentials are allowed for least-privileged mode
814 if (auth_token_least_privileged(engine->auth) && !credential_is_right(cred) && credential_get_valid(cred)) {
815 status = _evaluate_user_credential_for_rule(engine, cred, rule, false, false, NULL);
816 if (errAuthorizationSuccess == status) {
817 credential_t rightCred = credential_create_with_right(engine->currentRightName);
818 _engine_set_credential(engine,rightCred,rule_get_shared(rule));
819 CFReleaseSafe(rightCred);
820 return false; // exit loop
821 }
822 }
823
824 status = _evaluate_credential_for_rule(engine, cred, rule, false, false, NULL);
825 if (status == errAuthorizationSuccess) {
826 return false; // exit loop
827 }
828 return true;
829 });
830
831 if (status == errAuthorizationSuccess) {
832 return status;
833 }
834
835 // Second -- go through the credentials associated to the authorization token session/auth token
836 _cf_set_iterate(engine->effectiveCredentials, ^bool(CFTypeRef value) {
837 credential_t cred = (credential_t)value;
838 status = _evaluate_credential_for_rule(engine, cred, rule, false, false, NULL);
839 if (status == errAuthorizationSuccess) {
840 // Add the credential we used to the output set.
841 _engine_set_credential(engine, cred, false);
842 return false; // exit loop
843 }
844 return true;
845 });
846
847 if (status == errAuthorizationSuccess) {
848 return status;
849 }
850
851 // Finally - we didn't find a credential. Obtain a new credential if our flags let us do so.
852 if (!(engine->flags & kAuthorizationFlagExtendRights)) {
853 os_log_error(AUTHD_LOG, "Fatal: authorization denied (kAuthorizationFlagExtendRights not set) (engine %lld)", engine->engine_index);
854 return errAuthorizationDenied;
855 }
856
857 // authorization that timeout immediately cannot be preauthorized
858 if (engine->flags & kAuthorizationFlagPreAuthorize && rule_get_timeout(rule) == 0) {
859 return errAuthorizationSuccess;
860 }
861
862 if (!engine->preauthorizing) {
863 if (!(engine->flags & kAuthorizationFlagInteractionAllowed)) {
864 os_log_error(AUTHD_LOG, "Fatal: interaction not allowed (kAuthorizationFlagInteractionAllowed not set) (engine %lld)", engine->engine_index);
865 return errAuthorizationInteractionNotAllowed;
866 }
867
868 if (!(session_get_attributes(auth_token_get_session(engine->auth)) & AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS)) {
869 os_log_error(AUTHD_LOG, "Fatal: interaction not allowed (session has no ui access) (engine %lld)", engine->engine_index);
870 return errAuthorizationInteractionNotAllowed;
871 }
872
873 if (server_in_dark_wake() && !(engine->flags & kAuthorizationFlagIgnoreDarkWake)) {
874 os_log_error(AUTHD_LOG, "Fatal: authorization denied (DW) (engine %lld)", engine->engine_index);
875 return errAuthorizationDenied;
876 }
877 }
878
879 return _evaluate_authentication(engine, rule);
880 }
881
882 static OSStatus
883 _evaluate_class_rule(engine_t engine, rule_t rule, bool *save_pwd)
884 {
885 __block OSStatus status = errAuthorizationDenied;
886 int64_t kofn = rule_get_kofn(rule);
887
888 uint32_t total = (uint32_t)rule_get_delegates_count(rule);
889 __block uint32_t success_count = 0;
890 __block uint32_t count = 0;
891 os_log_debug(AUTHD_LOG, "engine %lld: ** rule %{public}s has %u delegates kofn = %lli", engine->engine_index, rule_get_name(rule), total, kofn);
892 rule_delegates_iterator(rule, ^bool(rule_t delegate) {
893 count++;
894
895 if (kofn != 0 && success_count == kofn) {
896 status = errAuthorizationSuccess;
897 return false;
898 }
899
900 os_log_debug(AUTHD_LOG, "engine %lld: * evaluate rule %{public}s (%i)", engine->engine_index, rule_get_name(delegate), count);
901 status = _evaluate_rule(engine, delegate, save_pwd);
902
903 // if status is cancel/internal error abort
904 if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal))
905 return false;
906
907 if (status != errAuthorizationSuccess) {
908 if (kofn != 0) {
909 // if remaining is less than required abort
910 if ((total - count) < (kofn - success_count)) {
911 os_log_debug(AUTHD_LOG, "engine %lld: rule evaluation remaining: %i, required: %lli", engine->engine_index, (total - count), (kofn - success_count));
912 return false;
913 }
914 return true;
915 }
916 return false;
917 } else {
918 success_count++;
919 return true;
920 }
921 });
922
923 return status;
924 }
925
926 static bool
927 _preevaluate_class_rule(engine_t engine, rule_t rule)
928 {
929 os_log_debug(AUTHD_LOG, "engine %lld: _preevaluate_class_rule %{public}s", engine->engine_index, rule_get_name(rule));
930
931 __block bool password_only = false;
932 rule_delegates_iterator(rule, ^bool(rule_t delegate) {
933 if (_preevaluate_rule(engine, delegate)) {
934 password_only = true;
935 return false;
936 }
937 return true;
938 });
939
940 return password_only;
941 }
942
943 static OSStatus
944 _evaluate_class_mechanism(engine_t engine, rule_t rule)
945 {
946 OSStatus status = errAuthorizationDenied;
947 CFArrayRef mechanisms = NULL;
948
949 require_action(rule_get_mechanisms_count(rule) > 0, done, status = errAuthorizationSuccess; os_log_error(AUTHD_LOG, "Fatal: no mechanisms specified (engine %lld)", engine->engine_index));
950
951 mechanisms = rule_get_mechanisms(rule);
952
953 if (server_in_dark_wake() && !(engine->flags & kAuthorizationFlagIgnoreDarkWake)) {
954 CFIndex count = CFArrayGetCount(mechanisms);
955 for (CFIndex i = 0; i < count; i++) {
956 if (!mechanism_is_privileged((mechanism_t)CFArrayGetValueAtIndex(mechanisms, i))) {
957 os_log_error(AUTHD_LOG, "Fatal: authorization denied (in DW) (engine %lld)", engine->engine_index);
958 goto done;
959 }
960 }
961 }
962
963 int64_t ruleTries = rule_get_tries(rule);
964 engine->tries = 0;
965 do {
966 auth_items_set_data(engine->hints, AGENT_HINT_RETRY_REASON, &engine->reason, sizeof(engine->reason));
967 auth_items_set_int(engine->hints, AGENT_HINT_TRIES, engine->tries);
968
969 status = _evaluate_mechanisms(engine, mechanisms);
970 os_log_debug(AUTHD_LOG, "engine %lld: evaluate mechanisms result %d", engine->engine_index, (int)status);
971
972 if (status == errAuthorizationSuccess) {
973 credential_t newCred = NULL;
974 if (auth_items_exist(engine->context, "uid")) {
975 newCred = credential_create(auth_items_get_uint(engine->context, "uid"));
976 } else {
977 os_log_info(AUTHD_LOG, "Mechanism did not return a uid (engine %lld)", engine->engine_index);
978 }
979
980 if (newCred) {
981 _engine_set_credential(engine, newCred, rule_get_shared(rule));
982
983 if (auth_token_least_privileged(engine->auth)) {
984 credential_t rightCred = credential_create_with_right(engine->currentRightName);
985 _engine_set_credential(engine, rightCred, rule_get_shared(rule));
986 CFReleaseSafe(rightCred);
987 }
988
989 if (strcmp(engine->currentRightName, "system.login.console") == 0 && !auth_items_exist(engine->context, AGENT_CONTEXT_AUTO_LOGIN)) {
990 session_set_attributes(auth_token_get_session(engine->auth), AU_SESSION_FLAG_HAS_AUTHENTICATED);
991 }
992
993 CFReleaseSafe(newCred);
994 }
995 }
996
997 engine->tries++;
998
999 } while ( (status == errAuthorizationDenied) // only if we have an expected faulure we continue
1000 && ((ruleTries == 0) || ((ruleTries > 0) && engine->tries < ruleTries))); // ruleTries == 0 means we try forever
1001 // ruleTires > 0 means we try upto ruleTries times
1002 done:
1003 return status;
1004 }
1005
1006 static OSStatus
1007 _evaluate_rule(engine_t engine, rule_t rule, bool *save_pwd)
1008 {
1009 if (rule_check_flags(rule, RuleFlagEntitled)) {
1010 if (auth_token_has_entitlement_for_right(engine->auth, engine->currentRightName)) {
1011 os_log_debug(AUTHD_LOG, "engine %lld: rule allow, creator of authorization has entitlement for right %{public}s", engine->engine_index, engine->currentRightName);
1012 return errAuthorizationSuccess;
1013 }
1014 }
1015
1016 // check apple signature also for every sheet authorization + disable this check for debug builds
1017 if (engine->la_context || rule_check_flags(rule, RuleFlagRequireAppleSigned)) {
1018 if (!auth_token_apple_signed(engine->auth)) {
1019 #ifdef NDEBUG
1020 os_log_error(AUTHD_LOG, "Rule deny, creator of authorization is not signed by Apple (engine %lld)", engine->engine_index);
1021 return errAuthorizationDenied;
1022 #else
1023 os_log_debug(AUTHD_LOG, "engine %lld: in release mode, this rule would be denied because creator of authorization is not signed by Apple", engine->engine_index);
1024 #endif
1025 }
1026 }
1027
1028 *save_pwd |= rule_get_extract_password(rule);
1029
1030 switch (rule_get_class(rule)) {
1031 case RC_ALLOW:
1032 os_log(AUTHD_LOG, "Rule set to allow (engine %lld)", engine->engine_index);
1033 return errAuthorizationSuccess;
1034 case RC_DENY:
1035 os_log(AUTHD_LOG, "Rule set to deny (engine %lld)", engine->engine_index);
1036 return errAuthorizationDenied;
1037 case RC_USER:
1038 return _evaluate_class_user(engine, rule);
1039 case RC_RULE:
1040 return _evaluate_class_rule(engine, rule, save_pwd);
1041 case RC_MECHANISM:
1042 return _evaluate_class_mechanism(engine, rule);
1043 default:
1044 os_log_error(AUTHD_LOG, "Invalid class for rule or rule not found: %{public}s (engine %lld)", rule_get_name(rule), engine->engine_index);
1045 return errAuthorizationInternal;
1046 }
1047 }
1048
1049 // returns true if this rule or its children contain RC_USER rule with password_only==true
1050 static bool
1051 _preevaluate_rule(engine_t engine, rule_t rule)
1052 {
1053 os_log_debug(AUTHD_LOG, "engine %lld: _preevaluate_rule %{public}s", engine->engine_index, rule_get_name(rule));
1054
1055 switch (rule_get_class(rule)) {
1056 case RC_ALLOW:
1057 case RC_DENY:
1058 return false;
1059 case RC_USER:
1060 return rule_get_password_only(rule);
1061 case RC_RULE:
1062 return _preevaluate_class_rule(engine, rule);
1063 case RC_MECHANISM:
1064 return false;
1065 default:
1066 return false;
1067 }
1068 }
1069
1070 static rule_t
1071 _find_rule(engine_t engine, authdb_connection_t dbconn, const char * string)
1072 {
1073 rule_t r = NULL;
1074 size_t sLen = strlen(string);
1075
1076 char * buf = calloc(1u, sLen + 1);
1077 strlcpy(buf, string, sLen + 1);
1078 char * ptr = buf + sLen;
1079 __block int64_t count = 0;
1080
1081 for (;;) {
1082
1083 // lookup rule
1084 authdb_step(dbconn, "SELECT COUNT(name) AS cnt FROM rules WHERE name = ? AND type = 1",
1085 ^(sqlite3_stmt *stmt) {
1086 sqlite3_bind_text(stmt, 1, buf, -1, NULL);
1087 }, ^bool(auth_items_t data) {
1088 count = auth_items_get_int64(data, "cnt");
1089 return false;
1090 });
1091
1092 if (count > 0) {
1093 r = rule_create_with_string(buf, dbconn);
1094 goto done;
1095 }
1096
1097 // if buf ends with a . and we didn't find a rule remove .
1098 if (*ptr == '.') {
1099 *ptr = '\0';
1100 }
1101 // find any remaining . and truncate the string
1102 ptr = strrchr(buf, '.');
1103 if (ptr) {
1104 *(ptr+1) = '\0';
1105 } else {
1106 break;
1107 }
1108 }
1109
1110 done:
1111 free_safe(buf);
1112
1113 // set default if we didn't find a rule
1114 if (r == NULL) {
1115 r = rule_create_with_string("", dbconn);
1116 if (rule_get_id(r) == 0) {
1117 CFReleaseNull(r);
1118 os_log_error(AUTHD_LOG, "Default rule lookup error (missing), using builtin defaults (engine %lld)", engine->engine_index);
1119 r = rule_create_default();
1120 }
1121 }
1122 return r;
1123 }
1124
1125 static void _parse_environment(engine_t engine, auth_items_t environment)
1126 {
1127 require(environment != NULL, done);
1128
1129 #if DEBUG
1130 os_log_debug(AUTHD_LOG, "engine %lld: Dumping Environment: %@", engine->engine_index, environment);
1131 #endif
1132
1133 // Check if a credential was passed into the environment and we were asked to extend the rights
1134 if (engine->flags & kAuthorizationFlagExtendRights && !(engine->flags & kAuthorizationFlagSheet)) {
1135 const char * user = auth_items_get_string(environment, kAuthorizationEnvironmentUsername);
1136 const char * pass = auth_items_get_string(environment, kAuthorizationEnvironmentPassword);
1137 const bool password_was_used = auth_items_get_string(environment, AGENT_CONTEXT_AP_PAM_SERVICE_NAME) == nil; // AGENT_CONTEXT_AP_PAM_SERVICE_NAME in the context means alternative PAM was used
1138 require(password_was_used == true, done);
1139
1140 bool shared = auth_items_exist(environment, kAuthorizationEnvironmentShared);
1141 require_action(user != NULL, done, os_log_debug(AUTHD_LOG, "engine %lld: user not used password", engine->engine_index));
1142
1143 struct passwd *pw = getpwnam(user);
1144 require_action(pw != NULL, done, os_log_error(AUTHD_LOG, "User not found %{public}s (engine %lld)", user, engine->engine_index));
1145
1146 int checkpw_status = checkpw_internal(pw, pass ? pass : "");
1147 require_action(checkpw_status == CHECKPW_SUCCESS, done, os_log_error(AUTHD_LOG, "engine %lld: checkpw() returned %d; failed to authenticate user %{public}s (uid %u).", engine->engine_index, checkpw_status, pw->pw_name, pw->pw_uid));
1148
1149 credential_t cred = credential_create(pw->pw_uid);
1150 if (credential_get_valid(cred)) {
1151 os_log_info(AUTHD_LOG, "checkpw() succeeded, creating credential for user %{public}s (engine %lld)", user, engine->engine_index);
1152 _engine_set_credential(engine, cred, shared);
1153
1154 auth_items_set_string(engine->context, kAuthorizationEnvironmentUsername, user);
1155 auth_items_set_string(engine->context, kAuthorizationEnvironmentPassword, pass ? pass : "");
1156 }
1157 CFReleaseSafe(cred);
1158 }
1159
1160 done:
1161 endpwent();
1162 return;
1163 }
1164
1165 static bool _verify_sandbox(engine_t engine, const char * right)
1166 {
1167 pid_t pid = process_get_pid(engine->proc);
1168 if (sandbox_check_by_audit_token(process_get_audit_info(engine->proc)->opaqueToken, "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, right)) {
1169 os_log_error(AUTHD_LOG, "Sandbox denied authorizing right '%{public}s' by client '%{public}s' [%d] (engine %lld)", right, process_get_code_url(engine->proc), pid, engine->engine_index);
1170 return false;
1171 }
1172
1173 pid = auth_token_get_pid(engine->auth);
1174 if (auth_token_get_sandboxed(engine->auth) && sandbox_check_by_audit_token(auth_token_get_audit_info(engine->auth)->opaqueToken, "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, right)) {
1175 os_log_error(AUTHD_LOG, "Sandbox denied authorizing right '%{public}s' for authorization created by '%{public}s' [%d] (engine %lld)", right, auth_token_get_code_url(engine->auth), pid, engine->engine_index);
1176 return false;
1177 }
1178
1179 return true;
1180 }
1181
1182 #pragma mark -
1183 #pragma mark engine methods
1184
1185 OSStatus engine_preauthorize(engine_t engine, auth_items_t credentials)
1186 {
1187 os_log(AUTHD_LOG, "engine %lld: preauthorizing", engine->engine_index);
1188
1189 OSStatus status = errAuthorizationDenied;
1190 bool save_password = false;
1191
1192 engine->flags = kAuthorizationFlagExtendRights;
1193 engine->preauthorizing = true;
1194 CFAssignRetained(engine->la_context, engine_copy_context(engine, credentials));
1195 _extract_password_from_la(engine);
1196
1197 const char *user = auth_items_get_string(credentials, kAuthorizationEnvironmentUsername);
1198 require(user, done);
1199
1200 auth_items_set_string(engine->context, kAuthorizationEnvironmentUsername, user);
1201 struct passwd *pwd = getpwnam(user);
1202 require(pwd, done);
1203
1204 auth_items_set_int(engine->context, AGENT_CONTEXT_UID, pwd->pw_uid);
1205
1206 const char *service = auth_items_get_string(credentials, AGENT_CONTEXT_AP_PAM_SERVICE_NAME);
1207
1208 if (service) {
1209 auth_items_set_string(engine->context, AGENT_CONTEXT_AP_USER_NAME, user);
1210 auth_items_set_string(engine->context, AGENT_CONTEXT_AP_PAM_SERVICE_NAME, service);
1211 }
1212
1213 if (auth_items_exist(credentials, AGENT_CONTEXT_AP_TOKEN)) {
1214 size_t datalen = 0;
1215 const void *data = auth_items_get_data(credentials, AGENT_CONTEXT_AP_TOKEN, &datalen);
1216 if (data) {
1217 auth_items_set_data(engine->context, AGENT_CONTEXT_AP_TOKEN, data, datalen);
1218 }
1219 }
1220
1221 auth_items_t decrypted_items = auth_items_create();
1222 require_action(decrypted_items != NULL, done, os_log_error(AUTHD_LOG, "Unable to create items (engine %lld)", engine->engine_index));
1223 auth_items_content_copy(decrypted_items, auth_token_get_context(engine->auth));
1224 auth_items_decrypt(decrypted_items, auth_token_get_encryption_key(engine->auth));
1225 auth_items_copy(engine->context, decrypted_items);
1226 CFReleaseSafe(decrypted_items);
1227
1228 engine->dismissed = false;
1229 auth_rights_clear(engine->grantedRights);
1230
1231 rule_t rule = rule_create_preauthorization();
1232 engine->currentRightName = rule_get_name(rule);
1233 engine->currentRule = rule;
1234 status = _evaluate_rule(engine, rule, &save_password);
1235 switch (status) {
1236 case errAuthorizationSuccess:
1237 os_log(AUTHD_LOG, "Succeeded preauthorizing client '%{public}s' [%d] for authorization created by '%{public}s' [%d] (%X,%d) (engine %lld)",
1238 process_get_code_url(engine->proc), process_get_pid(engine->proc),
1239 auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth), engine->engine_index);
1240 status = errAuthorizationSuccess;
1241 break;
1242 case errAuthorizationDenied:
1243 case errAuthorizationInteractionNotAllowed:
1244 case errAuthorizationCanceled:
1245 os_log(AUTHD_LOG, "Failed to preauthorize client '%{public}s' [%d] for authorization created by '%{public}s' [%d] (%X,%d) (%i) (engine %lld)",
1246 process_get_code_url(engine->proc), process_get_pid(engine->proc),
1247 auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth), (int)status, engine->engine_index);
1248 break;
1249 default:
1250 os_log_error(AUTHD_LOG, "Preauthorize returned %d => returning errAuthorizationInternal (engine %lld)", (int)status, engine->engine_index);
1251 status = errAuthorizationInternal;
1252 break;
1253 }
1254
1255 CFReleaseSafe(rule);
1256
1257 if (engine->dismissed) {
1258 os_log_error(AUTHD_LOG, "Engine dismissed (engine %lld)", engine->engine_index);
1259 status = errAuthorizationDenied;
1260 }
1261
1262 os_log_debug(AUTHD_LOG, "engine %lld: preauthorize result: %d", engine->engine_index, (int)status);
1263
1264 _cf_set_iterate(engine->credentials, ^bool(CFTypeRef value) {
1265 credential_t cred = (credential_t)value;
1266 // skip all uid credentials when running in least privileged
1267 if (auth_token_least_privileged(engine->auth) && !credential_is_right(cred))
1268 return true;
1269
1270 session_t session = auth_token_get_session(engine->auth);
1271 auth_token_set_credential(engine->auth, cred);
1272 if (credential_get_shared(cred)) {
1273 session_set_credential(session, cred);
1274 }
1275 if (credential_is_right(cred)) {
1276 os_log(AUTHD_LOG, "engine %lld: adding least privileged %{public}scredential %{public}s to authorization", engine->engine_index, credential_get_shared(cred) ? "shared " : "", credential_get_name(cred));
1277 } else {
1278 os_log(AUTHD_LOG, "engine %lld: adding %{public}scredential %{public}s (%i) to authorization", engine->engine_index, credential_get_shared(cred) ? "shared " : "", credential_get_name(cred), credential_get_uid(cred));
1279 }
1280 return true;
1281 });
1282
1283
1284 if (status == errAuthorizationSuccess && save_password) {
1285 auth_items_set_flags(engine->context, kAuthorizationEnvironmentPassword, kAuthorizationContextFlagExtractable);
1286 }
1287
1288 if ((status == errAuthorizationSuccess) || (status == errAuthorizationCanceled)) {
1289 auth_items_t encrypted_items = auth_items_create();
1290 require_action(encrypted_items != NULL, done, os_log_error(AUTHD_LOG, "Unable to create items (engine %lld)", engine->engine_index));
1291 auth_items_content_copy_with_flags(encrypted_items, engine->context, kAuthorizationContextFlagExtractable);
1292 #if DEBUG
1293 os_log_debug(AUTHD_LOG, "engine %lld: ********** Dumping preauthorized context for encryption **********", engine->engine_index);
1294 os_log_debug(AUTHD_LOG, "%@", encrypted_items);
1295 #endif
1296 auth_items_encrypt(encrypted_items, auth_token_get_encryption_key(engine->auth));
1297 auth_items_copy_with_flags(auth_token_get_context(engine->auth), encrypted_items, kAuthorizationContextFlagExtractable);
1298 os_log_debug(AUTHD_LOG, "engine %lld: encrypted preauthorization context data", engine->engine_index);
1299 CFReleaseSafe(encrypted_items);
1300 }
1301
1302 done:
1303 engine->preauthorizing = false;
1304 auth_items_clear(engine->context);
1305 auth_items_clear(engine->sticky_context);
1306 CFDictionaryRemoveAllValues(engine->mechanism_agents);
1307 return status;
1308 }
1309
1310 OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t environment, AuthorizationFlags flags)
1311 {
1312 __block OSStatus status = errAuthorizationSuccess;
1313 __block bool save_password = false;
1314 __block bool password_only = false;
1315 CFIndex rights_count = auth_rights_get_count(rights);
1316 ccaudit_t ccaudit = NULL;
1317
1318 require(rights != NULL, done);
1319
1320 ccaudit = ccaudit_create(engine->proc, engine->auth, AUE_ssauthorize);
1321 if (auth_rights_get_count(rights) > 0) {
1322 ccaudit_log(ccaudit, "begin evaluation", NULL, 0);
1323 }
1324
1325 if (rights_count) {
1326 __block CFMutableArrayRef rights_list = NULL;
1327 rights_list = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
1328 auth_rights_iterate(rights, ^bool(const char *key) {
1329 if (!key)
1330 return true;
1331
1332 CFStringRef tmp = CFStringCreateWithCString(kCFAllocatorDefault, key, kCFStringEncodingUTF8);
1333 if (tmp) {
1334 CFArrayAppendValue(rights_list, tmp);
1335 CFRelease(tmp);
1336 } else {
1337 os_log_error(AUTHD_LOG, "Unable to get details for right %{public}s", key);
1338 }
1339 return true;
1340 });
1341
1342 os_log_info(AUTHD_LOG, "Process %{public}s (PID %d) evaluates %ld rights with flags %08x (engine %lld): %{public}@", process_get_code_url(engine->proc), process_get_pid(engine->proc), (long)rights_count, flags, engine->engine_index, rights_list);
1343 CFReleaseNull(rights_list);
1344 }
1345
1346 if (!auth_token_apple_signed(engine->auth) && (flags & kAuthorizationFlagSheet)) {
1347 #ifdef NDEBUG
1348 os_log_error(AUTHD_LOG, "engine %lld: extra flags are ommited as creator is not signed by Apple", engine->engine_index);
1349 flags &= ~kAuthorizationFlagSheet;
1350 #else
1351 os_log_debug(AUTHD_LOG, "engine %lld: in release mode, extra flags would be ommited as creator is not signed by Apple", engine->engine_index);
1352 #endif
1353 }
1354
1355 engine->flags = flags;
1356
1357 if (environment) {
1358 _parse_environment(engine, environment);
1359 auth_items_copy(engine->hints, environment);
1360 }
1361
1362 // Restore all context values from the AuthorizationRef
1363 auth_items_t decrypted_items = auth_items_create();
1364 require_action(decrypted_items != NULL, done, os_log_error(AUTHD_LOG, "Unable to create items (engine %lld)", engine->engine_index));
1365 auth_items_content_copy(decrypted_items, auth_token_get_context(engine->auth));
1366 auth_items_decrypt(decrypted_items, auth_token_get_encryption_key(engine->auth));
1367 auth_items_copy(engine->context, decrypted_items);
1368 CFReleaseSafe(decrypted_items);
1369
1370 if (engine->flags & kAuthorizationFlagSheet) {
1371 // Try to use/update fresh context values from the environment
1372 require_action(environment, done, os_log_error(AUTHD_LOG, "Missing environment for sheet authorization (engine %lld)", engine->engine_index); status = errAuthorizationDenied);
1373
1374 const char *user = auth_items_get_string(environment, kAuthorizationEnvironmentUsername);
1375 require_action(user, done, os_log_error(AUTHD_LOG, "Missing username (engine %lld)", engine->engine_index); status = errAuthorizationDenied);
1376
1377 auth_items_set_string(engine->context, kAuthorizationEnvironmentUsername, user);
1378 struct passwd *pwd = getpwnam(user);
1379 require_action(pwd, done, os_log_error(AUTHD_LOG, "Invalid username %s (engine %lld)", user, engine->engine_index); status = errAuthorizationDenied);
1380 auth_items_set_uint(engine->context, "sheet-uid", pwd->pw_uid);
1381
1382 // move sheet-specific items from hints to context
1383 const char *service = auth_items_get_string(engine->hints, AGENT_CONTEXT_AP_PAM_SERVICE_NAME);
1384 if (service) {
1385 if (auth_items_exist(engine->hints, AGENT_CONTEXT_AP_USER_NAME)) {
1386 auth_items_set_string(engine->context, AGENT_CONTEXT_AP_USER_NAME, auth_items_get_string(engine->hints, AGENT_CONTEXT_AP_USER_NAME));
1387 auth_items_remove(engine->hints, AGENT_CONTEXT_AP_USER_NAME);
1388 } else {
1389 auth_items_set_string(engine->context, AGENT_CONTEXT_AP_USER_NAME, user);
1390 }
1391
1392 auth_items_set_string(engine->context, AGENT_CONTEXT_AP_PAM_SERVICE_NAME, service);
1393 auth_items_remove(engine->hints, AGENT_CONTEXT_AP_PAM_SERVICE_NAME);
1394 }
1395
1396 if (auth_items_exist(environment, AGENT_CONTEXT_AP_TOKEN)) {
1397 size_t datalen = 0;
1398 const void *data = auth_items_get_data(engine->hints, AGENT_CONTEXT_AP_TOKEN, &datalen);
1399 if (data) {
1400 auth_items_set_data(engine->context, AGENT_CONTEXT_AP_TOKEN, data, datalen);
1401 }
1402 auth_items_remove(engine->hints, AGENT_CONTEXT_AP_TOKEN);
1403 }
1404
1405 engine_acquire_sheet_data(engine);
1406 _extract_password_from_la(engine);
1407 engine->preauthorizing = true;
1408 }
1409
1410 engine->dismissed = false;
1411 auth_rights_clear(engine->grantedRights);
1412
1413 if (!(engine->flags & kAuthorizationFlagIgnorePasswordOnly))
1414 {
1415 // first check if any of rights uses rule with password-only set to true
1416 // if so, set appropriate hint so SecurityAgent won't use alternate authentication methods like smartcard etc.
1417 authdb_connection_t dbconn = authdb_connection_acquire(server_get_database()); // get db handle
1418 auth_rights_iterate(rights, ^bool(const char *key) {
1419 if (!key)
1420 return true;
1421 os_log_debug(AUTHD_LOG, "engine %lld: checking if rule %{public}s contains password-only item", engine->engine_index, key);
1422
1423 rule_t rule = _find_rule(engine, dbconn, key);
1424
1425 if (rule && _preevaluate_rule(engine, rule)) {
1426 password_only = true;
1427 CFReleaseSafe(rule);
1428 return false;
1429 }
1430 CFReleaseSafe(rule);
1431 return true;
1432 });
1433 authdb_connection_release(&dbconn); // release db handle
1434 } else {
1435 os_log_info(AUTHD_LOG, "Password-only flag ignored (engine %lld)", engine->engine_index);
1436 }
1437
1438 if (password_only) {
1439 os_log_debug(AUTHD_LOG, "engine %lld: password-only item found, forcing SecurityAgent to use password-only UI", engine->engine_index);
1440 auth_items_set_bool(engine->immutable_hints, AGENT_HINT_PASSWORD_ONLY, true);
1441 }
1442
1443 auth_rights_iterate(rights, ^bool(const char *key) {
1444 if (!key)
1445 return true;
1446
1447 if (!_verify_sandbox(engine, key)) { // _verify_sandbox is already logging failures
1448 status = errAuthorizationDenied;
1449 return false;
1450 }
1451
1452 authdb_connection_t dbconn = authdb_connection_acquire(server_get_database()); // get db handle
1453
1454 os_log_debug(AUTHD_LOG, "engine %lld: evaluate right %{public}s", engine->engine_index, key);
1455 rule_t rule = _find_rule(engine, dbconn, key);
1456 const char * rule_name = rule_get_name(rule);
1457 if (rule_name && (strcasecmp(rule_name, "") == 0)) {
1458 rule_name = "default (not defined)";
1459 }
1460 os_log_debug(AUTHD_LOG, "engine %lld: using rule %{public}s", engine->engine_index, rule_name);
1461
1462 // only need the hints & mechanisms if we are going to show ui
1463 if (engine->flags & kAuthorizationFlagInteractionAllowed || engine->flags & kAuthorizationFlagSheet) {
1464 _set_right_hints(engine->hints, key);
1465 _set_localization_hints(dbconn, engine->hints, rule);
1466 if (!engine->authenticateRule) {
1467 engine->authenticateRule = rule_create_with_string("authenticate", dbconn);
1468 }
1469 }
1470
1471 authdb_connection_release(&dbconn); // release db handle
1472
1473 engine->currentRightName = key;
1474 engine->currentRule = rule;
1475
1476 ccaudit_log(ccaudit, key, rule_name, 0);
1477
1478 status = _evaluate_rule(engine, engine->currentRule, &save_password);
1479 switch (status) {
1480 case errAuthorizationSuccess:
1481 auth_rights_add(engine->grantedRights, key);
1482 auth_rights_set_flags(engine->grantedRights, key, auth_rights_get_flags(rights, key));
1483
1484 if ((engine->flags & kAuthorizationFlagPreAuthorize) &&
1485 (rule_get_class(engine->currentRule) == RC_USER) &&
1486 (rule_get_timeout(engine->currentRule) == 0)) {
1487 // FIXME: kAuthorizationFlagPreAuthorize => kAuthorizationFlagCanNotPreAuthorize ???
1488 auth_rights_set_flags(engine->grantedRights, engine->currentRightName, kAuthorizationFlagPreAuthorize);
1489 }
1490
1491 os_log(AUTHD_LOG, "Succeeded authorizing right '%{public}s' by client '%{public}s' [%d] for authorization created by '%{public}s' [%d] (%X,%d) (engine %lld)",
1492 key, process_get_code_url(engine->proc), process_get_pid(engine->proc),
1493 auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth), engine->engine_index);
1494 break;
1495 case errAuthorizationDenied:
1496 case errAuthorizationInteractionNotAllowed:
1497 case errAuthorizationCanceled:
1498 if (engine->flags & kAuthorizationFlagInteractionAllowed) {
1499 os_log(AUTHD_LOG, "Failed to authorize right '%{public}s' by client '%{public}s' [%d] for authorization created by '%{public}s' [%d] (%X,%d) (%i) (engine %lld)",
1500 key, process_get_code_url(engine->proc), process_get_pid(engine->proc),
1501 auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth), (int)status,
1502 engine->engine_index);
1503 } else {
1504 os_log_debug(AUTHD_LOG, "Failed to authorize right '%{public}s' by client '%{public}s' [%d] for authorization created by '%{public}s' [%d] (%X,%d) (%d) (engine %lld)",
1505 key, process_get_code_url(engine->proc), process_get_pid(engine->proc),
1506 auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth), (int)status,
1507 engine->engine_index);
1508 }
1509 break;
1510 default:
1511 os_log_error(AUTHD_LOG, "Evaluate returned %d, returning errAuthorizationInternal (engine %lld)", (int)status, engine->engine_index);
1512 status = errAuthorizationInternal;
1513 break;
1514 }
1515
1516 ccaudit_log_authorization(ccaudit, engine->currentRightName, status);
1517
1518 CFReleaseSafe(rule);
1519 engine->currentRightName = NULL;
1520 engine->currentRule = NULL;
1521
1522 auth_items_remove_with_flags(engine->hints, kEngineHintsFlagTemporary);
1523
1524 if (!(engine->flags & kAuthorizationFlagPartialRights) && (status != errAuthorizationSuccess)) {
1525 return false;
1526 }
1527
1528 return true;
1529 });
1530
1531 if (password_only) {
1532 os_log_debug(AUTHD_LOG, "engine %lld: removing password-only flag", engine->engine_index);
1533 auth_items_remove(engine->immutable_hints, AGENT_HINT_PASSWORD_ONLY);
1534 }
1535
1536 if ((engine->flags & kAuthorizationFlagPartialRights) && (auth_rights_get_count(engine->grantedRights) > 0)) {
1537 status = errAuthorizationSuccess;
1538 }
1539
1540 if (engine->dismissed) {
1541 os_log_error(AUTHD_LOG, "Dismissed (engine %lld)", engine->engine_index);
1542 status = errAuthorizationDenied;
1543 }
1544
1545 os_log_debug(AUTHD_LOG, "engine %lld: authorize result: %d", engine->engine_index, (int)status);
1546
1547 if (engine->flags & kAuthorizationFlagSheet) {
1548 engine->preauthorizing = false;
1549 }
1550
1551 if ((engine->flags & kAuthorizationFlagExtendRights) && !(engine->flags & kAuthorizationFlagDestroyRights)) {
1552 _cf_set_iterate(engine->credentials, ^bool(CFTypeRef value) {
1553 credential_t cred = (credential_t)value;
1554 // skip all uid credentials when running in least privileged
1555 if (auth_token_least_privileged(engine->auth) && !credential_is_right(cred))
1556 return true;
1557
1558 session_t session = auth_token_get_session(engine->auth);
1559 auth_token_set_credential(engine->auth, cred);
1560 if (credential_get_shared(cred)) {
1561 session_set_credential(session, cred);
1562 }
1563 if (credential_is_right(cred)) {
1564 os_log_debug(AUTHD_LOG, "engine %lld: adding least privileged %{public}scredential %{public}s to authorization", engine->engine_index, credential_get_shared(cred) ? "shared " : "", credential_get_name(cred));
1565 } else {
1566 os_log_debug(AUTHD_LOG, "engine %lld: adding %{public}scredential %{public}s (%i) to authorization", engine->engine_index, credential_get_shared(cred) ? "shared " : "", credential_get_name(cred), credential_get_uid(cred));
1567 }
1568 return true;
1569 });
1570 }
1571
1572 if (status == errAuthorizationSuccess && save_password) {
1573 auth_items_set_flags(engine->context, kAuthorizationEnvironmentPassword, kAuthorizationContextFlagExtractable);
1574 }
1575
1576 if ((status == errAuthorizationSuccess) || (status == errAuthorizationCanceled)) {
1577 auth_items_t encrypted_items = auth_items_create();
1578 require_action(encrypted_items != NULL, done, os_log_error(AUTHD_LOG, "Unable to create items (engine %lld)", engine->engine_index));
1579 auth_items_content_copy_with_flags(encrypted_items, engine->context, kAuthorizationContextFlagExtractable);
1580 #if DEBUG
1581 os_log_debug(AUTHD_LOG,"engine %lld: ********** Dumping context for encryption **********", engine->engine_index);
1582 os_log_debug(AUTHD_LOG, "%@", encrypted_items);
1583 #endif
1584 auth_items_encrypt(encrypted_items, auth_token_get_encryption_key(engine->auth));
1585 auth_items_copy_with_flags(auth_token_get_context(engine->auth), encrypted_items, kAuthorizationContextFlagExtractable);
1586 os_log_debug(AUTHD_LOG, "engine %lld: encrypted authorization context data", engine->engine_index);
1587 CFReleaseSafe(encrypted_items);
1588 }
1589
1590 if (auth_rights_get_count(rights) > 0) {
1591 ccaudit_log(ccaudit, "end evaluation", NULL, status);
1592 }
1593
1594 #if DEBUG
1595 os_log_debug(AUTHD_LOG, "engine %lld: ********** Dumping auth->credentials **********", engine->engine_index);
1596 auth_token_credentials_iterate(engine->auth, ^bool(credential_t cred) {
1597 os_log_debug(AUTHD_LOG, "%@", cred);
1598 return true;
1599 });
1600 os_log_debug(AUTHD_LOG, "engine %lld: ********** Dumping session->credentials **********", engine->engine_index);
1601 session_credentials_iterate(auth_token_get_session(engine->auth), ^bool(credential_t cred) {
1602 os_log_debug(AUTHD_LOG, "%@", cred);
1603 return true;
1604 });
1605 os_log_debug(AUTHD_LOG, "engine %lld: ********** Dumping engine->context **********", engine->engine_index);
1606 os_log_debug(AUTHD_LOG, "%@", engine->context);
1607 os_log_debug(AUTHD_LOG, "engine %lld: ********** Dumping auth->context **********", engine->engine_index);
1608 os_log_debug(AUTHD_LOG, "%@", engine->auth);
1609 os_log_debug(AUTHD_LOG, "engine %lld: ********** Dumping granted rights **********", engine->engine_index);
1610 os_log_debug(AUTHD_LOG, "%@", engine->grantedRights);
1611 #endif
1612
1613 done:
1614 auth_items_clear(engine->context);
1615 auth_items_clear(engine->sticky_context);
1616 CFReleaseSafe(ccaudit);
1617 CFDictionaryRemoveAllValues(engine->mechanism_agents);
1618
1619 return status;
1620 }
1621
1622 static bool
1623 _wildcard_right_exists(engine_t engine, const char * right)
1624 {
1625 // checks if a wild card right exists
1626 // ex: com.apple. system.
1627 bool exists = false;
1628 rule_t rule = NULL;
1629 authdb_connection_t dbconn = authdb_connection_acquire(server_get_database()); // get db handle
1630 require(dbconn != NULL, done);
1631
1632 rule = _find_rule(engine, dbconn, right);
1633 require(rule != NULL, done);
1634
1635 const char * ruleName = rule_get_name(rule);
1636 require(ruleName != NULL, done);
1637 size_t len = strlen(ruleName);
1638 require(len != 0, done);
1639
1640 if (ruleName[len-1] == '.') {
1641 exists = true;
1642 goto done;
1643 }
1644
1645 done:
1646 authdb_connection_release(&dbconn);
1647 CFReleaseSafe(rule);
1648
1649 return exists;
1650 }
1651
1652 // Validate db right modification
1653
1654 // meta rights are constructed as follows:
1655 // we don't allow setting of wildcard rights, so you can only be more specific
1656 // note that you should never restrict things with a wildcard right without disallowing
1657 // changes to the entire domain. ie.
1658 // system.privilege. -> never
1659 // config.add.system.privilege. -> never
1660 // config.modify.system.privilege. -> never
1661 // config.delete.system.privilege. -> never
1662 // For now we don't allow any configuration of configuration rules
1663 // config.config. -> never
1664
1665 OSStatus engine_verify_modification(engine_t engine, rule_t rule, bool remove, bool force_modify)
1666 {
1667 OSStatus status = errAuthorizationDenied;
1668 auth_rights_t checkRight = NULL;
1669 char buf[BUFSIZ];
1670 memset(buf, 0, sizeof(buf));
1671
1672 const char * right = rule_get_name(rule);
1673 require(right != NULL, done);
1674 size_t len = strlen(right);
1675 require(len != 0, done);
1676
1677 require_action(right[len-1] != '.', done, os_log_error(AUTHD_LOG, "Not allowed to set wild card rules (engine %lld)", engine->engine_index));
1678
1679 if (strncasecmp(right, kConfigRight, strlen(kConfigRight)) == 0) {
1680 // special handling of meta right change:
1681 // config.add. config.modify. config.remove. config.{}.
1682 // check for config.<right> (which always starts with config.config.)
1683 strlcat(buf, kConfigRight, sizeof(buf));
1684 } else {
1685 bool existing = (rule_get_id(rule) != 0) ? true : _wildcard_right_exists(engine, right);
1686 if (!remove) {
1687 if (existing || force_modify) {
1688 strlcat(buf, kAuthorizationConfigRightModify,sizeof(buf));
1689 } else {
1690 strlcat(buf, kAuthorizationConfigRightAdd, sizeof(buf));
1691 }
1692 } else {
1693 if (existing) {
1694 strlcat(buf, kAuthorizationConfigRightRemove, sizeof(buf));
1695 } else {
1696 status = errAuthorizationSuccess;
1697 goto done;
1698 }
1699 }
1700 }
1701
1702 strlcat(buf, right, sizeof(buf));
1703
1704 checkRight = auth_rights_create();
1705 auth_rights_add(checkRight, buf);
1706 status = engine_authorize(engine, checkRight, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights);
1707
1708 done:
1709 os_log_debug(AUTHD_LOG, "engine %lld: authorizing %{public}s for db modification: %d", engine->engine_index, right, (int)status);
1710 CFReleaseSafe(checkRight);
1711 return status;
1712 }
1713
1714 void
1715 _engine_set_credential(engine_t engine, credential_t cred, bool shared)
1716 {
1717 os_log_debug(AUTHD_LOG, "engine %lld: adding %{public}scredential %{public}s (%i) to engine shared: %i", engine->engine_index, credential_get_shared(cred) ? "shared " : "", credential_get_name(cred), credential_get_uid(cred), shared);
1718 CFSetSetValue(engine->credentials, cred);
1719 if (shared) {
1720 credential_t sharedCred = credential_create_with_credential(cred, true);
1721 CFSetSetValue(engine->credentials, sharedCred);
1722 CFReleaseSafe(sharedCred);
1723 }
1724 }
1725
1726 auth_rights_t
1727 engine_get_granted_rights(engine_t engine)
1728 {
1729 return engine->grantedRights;
1730 }
1731
1732 CFAbsoluteTime engine_get_time(engine_t engine)
1733 {
1734 return engine->now;
1735 }
1736
1737 void engine_destroy_agents(engine_t engine)
1738 {
1739 engine->dismissed = true;
1740
1741 _cf_dictionary_iterate(engine->mechanism_agents, ^bool(CFTypeRef key __attribute__((__unused__)), CFTypeRef value) {
1742 os_log_debug(AUTHD_LOG, "engine %lld: Destroying %{public}s", engine->engine_index, mechanism_get_string((mechanism_t)key));
1743 agent_t agent = (agent_t)value;
1744 agent_destroy(agent);
1745
1746 return true;
1747 });
1748 }
1749
1750 void engine_interrupt_agent(engine_t engine)
1751 {
1752 _cf_dictionary_iterate(engine->mechanism_agents, ^bool(CFTypeRef key __attribute__((__unused__)), CFTypeRef value) {
1753 agent_t agent = (agent_t)value;
1754 agent_notify_interrupt(agent);
1755 return true;
1756 });
1757 }
1758
1759 CFTypeRef engine_copy_context(engine_t engine, auth_items_t source)
1760 {
1761 CFTypeRef retval = NULL;
1762
1763 process_t proc = connection_get_process(engine->conn);
1764 if (!proc) {
1765 os_log_error(AUTHD_LOG, "No client process (engine %lld)", engine->engine_index);
1766 return retval;
1767 }
1768
1769 uid_t client_uid = process_get_uid(proc);
1770 if (!client_uid) {
1771 os_log_error(AUTHD_LOG, "No client UID (engine %lld)", engine->engine_index);
1772 return retval;
1773 }
1774
1775 size_t dataLen = 0;
1776 const void *data = auth_items_get_data(source, AGENT_HINT_SHEET_CONTEXT, &dataLen);
1777 if (data) {
1778 CFDataRef externalized = CFDataCreate(kCFAllocatorDefault, data, dataLen);
1779 if (externalized) {
1780 os_log_debug(AUTHD_LOG, "engine %lld: going to get LA context for UID %d", engine->engine_index, client_uid);
1781 retval = LACreateNewContextWithACMContextInSession(client_uid, externalized, NULL);
1782 CFRelease(externalized);
1783 }
1784 }
1785
1786 return retval;
1787 }
1788
1789 bool engine_acquire_sheet_data(engine_t engine)
1790 {
1791 if (!auth_items_exist(engine->context, "sheet-uid"))
1792 return false;
1793
1794 uid_t uid = auth_items_get_uint(engine->context, "sheet-uid");
1795
1796 CFReleaseSafe(engine->la_context);
1797 engine->la_context = engine_copy_context(engine, engine->hints);
1798 if (engine->la_context) {
1799 os_log_debug(AUTHD_LOG, "engine %lld: Sheet UID %d", engine->engine_index, uid);
1800 return true;
1801 } else {
1802 // this is not real failure as no LA context in authorization context is very valid scenario
1803 os_log_debug(AUTHD_LOG, "engine %lld: Failed to get LA context", engine->engine_index);
1804 }
1805 return false;
1806 }