]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_codesigning/lib/SecTask.c
projects / apple / security.git / blob
? search:


96140c3ea5387f1694606b4f88cb629ccf6c46ec
[apple/security.git] / OSX / libsecurity_codesigning / lib / SecTask.c
1 /*
2 * Copyright (c) 2009-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <CoreFoundation/CoreFoundation.h>
25 #include <CoreFoundation/CFRuntime.h>
26 #include <IOKit/IOKitLib.h>
27 #include <IOKit/IOCFUnserialize.h>
28 #include <System/sys/codesign.h>
29 #include <bsm/libbsm.h>
30 #include <inttypes.h>
31 #include <pthread.h>
32 #include <syslog.h>
33 #include <sys/sysctl.h>
34 #include <utilities/SecCFWrappers.h>
35
36
37 #include "SecCode.h"
38 #include "SecCodePriv.h"
39 #include "SecRequirement.h"
40
41 #include "SecTask.h"
42 #include "SecTaskPriv.h"
43
44
45 struct __SecTask {
46 CFRuntimeBase base;
47
48 pid_t pid_self;
49
50 audit_token_t token;
51
52 /* Track whether we've loaded entitlements independently since after the
53 * load, entitlements may legitimately be NULL */
54 Boolean entitlementsLoaded;
55 CFDictionaryRef entitlements;
56
57 /* for debugging only, shown by debugDescription */
58 int lastFailure;
59 };
60
61 enum {
62 kSecCodeMagicEntitlement = 0xfade7171, /* entitlement blob */
63 };
64
65
66 CFTypeID _kSecTaskTypeID = _kCFRuntimeNotATypeID;
67
68 static void SecTaskFinalize(CFTypeRef cfTask)
69 {
70 SecTaskRef task = (SecTaskRef) cfTask;
71 CFReleaseNull(task->entitlements);
72 }
73
74
75 // Define PRIdPID (proper printf format string for pid_t)
76 #define PRIdPID PRId32
77
78 static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
79 {
80 SecTaskRef task = (SecTaskRef) cfTask;
81 pid_t pid;
82
83 if (task->pid_self==-1) {
84 audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
85 } else {
86 pid = task->pid_self;
87 }
88
89 const char *task_name;
90 int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
91 struct kinfo_proc kp;
92 size_t len = sizeof(kp);
93 if (sysctl(mib, 4, &kp, &len, NULL, 0) == -1 || len == 0)
94 task_name = strerror(errno);
95 else
96 task_name = kp.kp_proc.p_comm;
97
98 return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]"), task_name, pid);
99 }
100
101 static void SecTaskRegisterClass(void)
102 {
103 static const CFRuntimeClass SecTaskClass = {
104 .version = 0,
105 .className = "SecTask",
106 .init = NULL,
107 .copy = NULL,
108 .finalize = SecTaskFinalize,
109 .equal = NULL,
110 .hash = NULL,
111 .copyFormattingDesc = NULL,
112 .copyDebugDesc = SecTaskCopyDebugDescription,
113 };
114
115 _kSecTaskTypeID = _CFRuntimeRegisterClass(&SecTaskClass);
116 }
117
118 CFTypeID SecTaskGetTypeID(void)
119 {
120 static pthread_once_t secTaskRegisterClassOnce = PTHREAD_ONCE_INIT;
121
122 /* Register the class with the CF runtime the first time through */
123 pthread_once(&secTaskRegisterClassOnce, SecTaskRegisterClass);
124
125 return _kSecTaskTypeID;
126 }
127
128 static SecTaskRef init_task_ref(CFAllocatorRef allocator)
129 {
130 CFIndex extra = sizeof(struct __SecTask) - sizeof(CFRuntimeBase);
131 return (SecTaskRef) _CFRuntimeCreateInstance(allocator, SecTaskGetTypeID(), extra, NULL);
132 }
133
134 SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
135 {
136 SecTaskRef task = init_task_ref(allocator);
137 if (task != NULL) {
138
139 memcpy(&task->token, &token, sizeof(token));
140 task->entitlementsLoaded = false;
141 task->entitlements = NULL;
142 task->pid_self = -1;
143 }
144
145 return task;
146 }
147
148 SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef allocator)
149 {
150 SecTaskRef task = init_task_ref(allocator);
151 if (task != NULL) {
152
153 memset(&task->token, 0, sizeof(task->token));
154 task->entitlementsLoaded = false;
155 task->entitlements = NULL;
156 task->pid_self = getpid();
157 }
158
159 return task;
160 }
161
162 /*
163 * Determine if the given task meets a specified requirement.
164 */
165 OSStatus
166 SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement)
167 {
168 OSStatus status;
169 SecCodeRef code = NULL;
170 SecRequirementRef req = NULL;
171 CFDataRef auditData = NULL;
172 CFNumberRef pidRef = NULL;
173
174 CFMutableDictionaryRef codeDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
175 if(task->pid_self==-1) {
176 auditData = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)&task->token, sizeof(audit_token_t));
177 CFDictionarySetValue(codeDict, kSecGuestAttributeAudit, auditData);
178 } else {
179 pidRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &task->pid_self);
180 CFDictionarySetValue(codeDict, kSecGuestAttributePid, pidRef);
181 }
182
183 status = SecCodeCopyGuestWithAttributes(NULL, codeDict, kSecCSDefaultFlags, &code);
184 CFReleaseNull(codeDict);
185 CFReleaseNull(auditData);
186 CFReleaseNull(pidRef);
187
188 if (!status) {
189 status = SecRequirementCreateWithString(requirement,
190 kSecCSDefaultFlags, &req);
191 }
192 if (!status) {
193 status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
194 }
195
196 CFReleaseNull(req);
197 CFReleaseNull(code);
198
199 return status;
200 }
201
202 static CFRange myMakeRange(CFIndex loc, CFIndex len) {
203 CFRange r = {.location = loc, .length = len };
204 return r;
205 }
206 struct csheader {
207 uint32_t magic;
208 uint32_t length;
209 };
210
211 static int
212 csops_task(SecTaskRef task, int ops, void *blob, size_t size)
213 {
214 int rc;
215 if (task->pid_self==-1) {
216 pid_t pid;
217 audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
218 rc = csops_audittoken(pid, ops, blob, size, &task->token);
219 }
220 else
221 rc = csops(task->pid_self, ops, blob, size);
222 task->lastFailure = (rc == -1) ? errno : 0;
223 return rc;
224 }
225
226 static int SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
227 {
228 CFMutableDataRef data = NULL;
229 struct csheader header;
230 uint32_t bufferlen;
231 int ret;
232
233 ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
234 if (ret == 0) {
235 // we only gave a header's worth of buffer. If this succeeded, we have no entitlements
236 task->entitlementsLoaded = true;
237 return 0;
238 }
239 if (errno != ERANGE) {
240 // ERANGE means "your buffer is too small, it now tells you how much you need
241 // EINVAL is what the kernel says for unsigned code AND broken code, so we'll have to let that pass
242 if (errno == EINVAL) {
243 task->entitlementsLoaded = true;
244 return 0;
245 }
246 ret = errno;
247 goto out;
248 }
249 // kernel told us the needed buffer size in header.length; proceed
250
251 bufferlen = ntohl(header.length);
252 /* check for insane values */
253 if (bufferlen > 1024 * 1024 || bufferlen < 8) {
254 ret = EINVAL;
255 goto out;
256 }
257 data = CFDataCreateMutable(NULL, bufferlen);
258 if (data == NULL) {
259 ret = ENOMEM;
260 goto out;
261 }
262 CFDataSetLength(data, bufferlen);
263 ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, CFDataGetMutableBytePtr(data), bufferlen);
264 if (ret) {
265 ret = errno;
266 goto out;
267 }
268 CFDataDeleteBytes(data, myMakeRange(0, 8));
269 task->entitlements = CFPropertyListCreateWithData(NULL, data, 0, NULL, error);
270 task->entitlementsLoaded = true;
271 out:
272 if (data)
273 CFRelease(data);
274 if (ret && error)
275 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
276
277 return ret;
278 }
279
280 CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error)
281 {
282 /* Load entitlements if necessary */
283 if (task->entitlementsLoaded == false) {
284 SecTaskLoadEntitlements(task, error);
285 }
286
287 CFTypeRef value = NULL;
288 if (task->entitlements != NULL) {
289 value = CFDictionaryGetValue(task->entitlements, entitlement);
290
291 /* Return something the caller must release */
292 if (value != NULL) {
293 CFRetain(value);
294 }
295 }
296
297 return value;
298 }
299
300 CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error)
301 {
302 /* Load entitlements if necessary */
303 if (task->entitlementsLoaded == false) {
304 SecTaskLoadEntitlements(task, error);
305 }
306
307 /* Iterate over the passed in entitlements, populating the dictionary
308 * If entitlements were loaded but none were present, return an empty
309 * dictionary */
310 CFMutableDictionaryRef values = NULL;
311 if (task->entitlementsLoaded == true) {
312
313 CFIndex i, count = CFArrayGetCount(entitlements);
314 values = CFDictionaryCreateMutable(CFGetAllocator(task), count, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
315 if (task->entitlements != NULL) {
316 for (i = 0; i < count; i++) {
317 CFStringRef entitlement = CFArrayGetValueAtIndex(entitlements, i);
318 CFTypeRef value = CFDictionaryGetValue(task->entitlements, entitlement);
319 if (value != NULL) {
320 CFDictionarySetValue(values, entitlement, value);
321 }
322 }
323 }
324 }
325
326 return values;
327 }
328
329 Boolean SecTaskEntitlementsValidated(SecTaskRef task) {
330 // TODO: Cache the result
331 uint32_t csflags = 0;
332 const uint32_t mask = CS_VALID | CS_KILL | CS_ENTITLEMENTS_VALIDATED;
333 int rc = csops_task(task, CS_OPS_STATUS, &csflags, sizeof(csflags));
334 return rc != -1 && ((csflags & mask) == mask);
335 }
336
337 CFStringRef
338 SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
339 {
340 CFStringRef signingId = NULL;
341 char *data = NULL;
342 struct csheader header;
343 uint32_t bufferlen;
344 int ret;
345
346 ret = csops_task(task, CS_OPS_IDENTITY, &header, sizeof(header));
347 if (ret != -1 || errno != ERANGE)
348 return NULL;
349
350 bufferlen = ntohl(header.length);
351 /* check for insane values */
352 if (bufferlen > 1024 * 1024 || bufferlen < 8) {
353 ret = EINVAL;
354 goto out;
355 }
356 data = malloc(bufferlen + 1);
357 if (data == NULL) {
358 ret = ENOMEM;
359 goto out;
360 }
361 ret = csops_task(task, CS_OPS_IDENTITY, data, bufferlen);
362 if (ret) {
363 ret = errno;
364 goto out;
365 }
366 data[bufferlen] = '\0';
367
368 signingId = CFStringCreateWithCString(NULL, data + 8, kCFStringEncodingUTF8);
369
370 out:
371 if (data)
372 free(data);
373 if (ret && error)
374 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
375
376 return signingId;
377 }
378
379 uint32_t
380 SecTaskGetCodeSignStatus(SecTaskRef task)
381 {
382 uint32_t flags = 0;
383 if (csops_task(task, CS_OPS_STATUS, &flags, sizeof(flags)) != 0)
384 return 0;
385 return flags;
386 }
387
mirror of Security