OSX/sec/ipc/server_security_helpers.m

   1 /*
   2  * Copyright (c) 2017 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include <pthread/pthread.h>
  25
  26 #include "server_security_helpers.h"
  27 #include "server_entitlement_helpers.h"
  28
  29 #include <Security/SecTask.h>
  30 #include <Security/SecTaskPriv.h>
  31 #include "ipc/securityd_client.h"
  32 #include <Security/SecEntitlements.h>
  33 #include <Security/SecItem.h>
  34 #include "utilities/SecCFRelease.h"
  35 #include "utilities/SecCFWrappers.h"
  36 #include "utilities/debugging.h"
  37 #include "keychain/securityd/SecDbQuery.h"
  38
  39 #if __has_include(<MobileKeyBag/MobileKeyBag.h>) && TARGET_HAS_KEYSTORE
  40 #include <MobileKeyBag/MobileKeyBag.h>
  41 #define HAVE_MOBILE_KEYBAG_SUPPORT 1
  42 #endif
  43
  44 #if __has_include(<UserManagement/UserManagement.h>)
  45 #include <UserManagement/UserManagement.h>
  46 #endif
  47
  48 #if TARGET_OS_IOS && HAVE_MOBILE_KEYBAG_SUPPORT
  49 static bool
  50 device_is_multiuser(void)
  51 {
  52     static dispatch_once_t once;
  53     static bool result;
  54
  55     dispatch_once(&once, ^{
  56         CFDictionaryRef deviceMode = MKBUserTypeDeviceMode(NULL, NULL);
  57         CFTypeRef value = NULL;
  58
  59         if (deviceMode && CFDictionaryGetValueIfPresent(deviceMode, kMKBDeviceModeKey, &value) && CFEqual(value, kMKBDeviceModeMultiUser)) {
  60             result = true;
  61         }
  62         CFReleaseNull(deviceMode);
  63     });
  64
  65     return result;
  66 }
  67 #endif /* HAVE_MOBILE_KEYBAG_SUPPORT && TARGET_OS_IOS */
  68
  69 bool
  70 fill_security_client(SecurityClient * client, const uid_t uid, audit_token_t auditToken) {
  71     if(!client) {
  72         return false;
  73     }
  74
  75     @autoreleasepool {
  76
  77         client->uid = uid;
  78         client->musr = NULL;
  79
  80 #if TARGET_OS_IOS
  81 #if HAVE_MOBILE_KEYBAG_SUPPORT
  82         if (device_is_multiuser()) {
  83             CFErrorRef error = NULL;
  84
  85             client->inMultiUser = true;
  86             client->activeUser = MKBForegroundUserSessionID(&error);
  87             if (client->activeUser == -1 || client->activeUser == 0) {
  88                 assert(0);
  89                 client->activeUser = 0;
  90             }
  91
  92             /*
  93              * If we are a edu mode user, and its not the active user,
  94              * then the request is coming from inside the syncbubble.
  95              *
  96              * otherwise we are going to execute the request as the
  97              * active user.
  98              */
  99
 100             if (client->uid > 501 && (uid_t)client->activeUser != client->uid) {
 101                 secinfo("serverxpc", "securityd client: sync bubble user");
 102                 client->musr = SecMUSRCreateSyncBubbleUserUUID(client->uid);
 103                 client->keybag = KEYBAG_DEVICE;
 104             } else {
 105                 secinfo("serverxpc", "securityd client: active user");
 106                 client->musr = SecMUSRCreateActiveUserUUID(client->activeUser);
 107                 client->uid = (uid_t)client->activeUser;
 108                 client->keybag = KEYBAG_DEVICE;
 109             }
 110         } else
 111 #endif
 112         /*
 113          * If the client application is a enterprise app according to usermanager, switch
 114          * to the per enterprise slice of keychain.
 115          */
 116         {
 117             UMUserPersona * persona = [[UMUserManager sharedManager] currentPersona];
 118             if (persona && persona.userPersonaType == UMUserPersonaTypeEnterprise) {
 119                 secinfo("serverxpc", "securityd client: enterprise user");
 120                 uuid_t uuid;
 121
 122                 if (uuid_parse([persona.userPersonaUniqueString UTF8String], uuid) != 0) {
 123                     return false;
 124                 }
 125                 client->musr = CFDataCreate(NULL, uuid, sizeof(uuid_t));
 126             }
 127         }
 128 #endif /* TARGET_OS_IOS */
 129
 130         client->task = SecTaskCreateWithAuditToken(kCFAllocatorDefault, auditToken);
 131
 132         client->accessGroups = SecTaskCopyAccessGroups(client->task);
 133
 134 #if TARGET_OS_IPHONE
 135         client->allowSystemKeychain = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementPrivateSystemKeychain);
 136         client->isNetworkExtension = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementPrivateNetworkExtension);
 137         client->canAccessNetworkExtensionAccessGroups = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementNetworkExtensionAccessGroups);
 138 #endif
 139 #if HAVE_MOBILE_KEYBAG_SUPPORT && TARGET_OS_IOS
 140         if (client->inMultiUser) {
 141             client->allowSyncBubbleKeychain = SecTaskGetBooleanValueForEntitlement(client->task, kSecEntitlementPrivateKeychainSyncBubble);
 142         }
 143 #endif
 144     }
 145     return true;
 146 }
 147