1 /* Copyright (c) 2012-2013 Apple Inc. All Rights Reserved. */
9 #include "authutilities.h"
11 #include "mechanism.h"
13 #include "authitems.h"
14 #include "debugging.h"
16 #include "connection.h"
18 #include <bsm/libbsm.h>
19 #include <Security/Authorization.h>
20 #include <Security/AuthorizationPriv.h>
21 #include <Security/AuthorizationTagsPriv.h>
22 #include <Security/AuthorizationPlugin.h>
23 #include <xpc/private.h>
24 #include <dispatch/dispatch.h>
25 #include <CoreFoundation/CoreFoundation.h>
26 #include <CoreFoundation/CFXPCBridge.h>
27 #include <IOKit/IOMessage.h>
28 #include <IOKit/pwr_mgt/IOPMLib.h>
29 #include <IOKit/pwr_mgt/IOPMLibPrivate.h>
33 #define MAX_PROCESS_RIGHTS 100
35 static CFMutableDictionaryRef gProcessMap
= NULL
;
36 static CFMutableDictionaryRef gSessionMap
= NULL
;
37 static CFMutableDictionaryRef gAuthTokenMap
= NULL
;
38 static authdb_t gDatabase
= NULL
;
40 static bool gXPCTransaction
= false;
42 static dispatch_queue_t
43 get_server_dispatch_queue()
45 static dispatch_once_t onceToken
;
46 static dispatch_queue_t server_queue
= NULL
;
48 dispatch_once(&onceToken
, ^{
49 server_queue
= dispatch_queue_create("com.apple.security.auth.server", DISPATCH_QUEUE_SERIAL
);
50 check(server_queue
!= NULL
);
56 static Boolean
_processEqualCallBack(const void *value1
, const void *value2
)
58 audit_info_s
* info1
= (audit_info_s
*)value1
;
59 audit_info_s
* info2
= (audit_info_s
*)value2
;
60 if (info1
->pid
== info2
->pid
) {
61 if (info1
->tid
== info2
->tid
) {
68 static CFHashCode
_processHashCallBack(const void *value
)
70 audit_info_s
* info
= (audit_info_s
*)value
;
71 uint64_t crc
= crc64_init();
72 crc
= crc64_update(crc
, &info
->pid
, sizeof(info
->pid
));
73 crc
= crc64_update(crc
, &info
->tid
, sizeof(info
->tid
));
74 crc
= crc64_final(crc
);
75 return (CFHashCode
)crc
;
78 static const CFDictionaryKeyCallBacks kProcessMapKeyCallBacks
= {
82 .copyDescription
= NULL
,
83 .equal
= &_processEqualCallBack
,
84 .hash
= &_processHashCallBack
87 static Boolean
_sessionEqualCallBack(const void *value1
, const void *value2
)
89 return (*(session_id_t
*)value1
) == (*(session_id_t
*)value2
);
92 static CFHashCode
_sessionHashCallBack(const void *value
)
94 return (CFHashCode
)(*(session_id_t
*)(value
));
97 static const CFDictionaryKeyCallBacks kSessionMapKeyCallBacks
= {
101 .copyDescription
= NULL
,
102 .equal
= &_sessionEqualCallBack
,
103 .hash
= &_sessionHashCallBack
106 void server_cleanup()
108 CFRelease(gProcessMap
);
109 CFRelease(gSessionMap
);
110 CFRelease(gAuthTokenMap
);
112 dispatch_queue_t queue
= get_server_dispatch_queue();
114 dispatch_release(queue
);
118 bool server_in_dark_wake()
120 return IOPMIsADarkWake(IOPMConnectionGetSystemCapabilities());
123 authdb_t
server_get_database()
128 static void _setupAuditSessionMonitor()
130 dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT
, 0), ^{
131 au_sdev_handle_t
*dev
= au_sdev_open(AU_SDEVF_ALLSESSIONS
);
133 auditinfo_addr_t aia
;
136 os_log_error(AUTHD_LOG
, "server: could not open %{public}s %d", AUDIT_SDEV_PATH
, errno
);
141 if (0 != au_sdev_read_aia(dev
, &event
, &aia
)) {
142 os_log_error(AUTHD_LOG
, "server: au_sdev_read_aia failed: %d", errno
);
145 os_log_debug(AUTHD_LOG
, "server: au_sdev_handle_t event=%i, session=%i", event
, aia
.ai_asid
);
146 if (event
== AUE_SESSION_END
) {
147 dispatch_async(get_server_dispatch_queue(), ^{
148 os_log_debug(AUTHD_LOG
, "server: session %i destroyed", aia
.ai_asid
);
149 CFDictionaryRemoveValue(gSessionMap
, &aia
.ai_asid
);
157 static void _setupSignalHandlers()
159 signal(SIGTERM
, SIG_IGN
);
160 static dispatch_source_t sigtermHandler
;
161 sigtermHandler
= dispatch_source_create(DISPATCH_SOURCE_TYPE_SIGNAL
, SIGTERM
, 0, get_server_dispatch_queue());
162 if (sigtermHandler
) {
163 dispatch_source_set_event_handler(sigtermHandler
, ^{
165 // should we clean up any state?
168 dispatch_resume(sigtermHandler
);
172 OSStatus
server_init(void)
174 OSStatus status
= errAuthorizationSuccess
;
176 auditinfo_addr_t info
;
177 memset(&info
, 0, sizeof(info
));
178 getaudit_addr(&info
, sizeof(info
));
179 os_log_debug(AUTHD_LOG
, "server: uid=%i, sid=%i", info
.ai_auid
, info
.ai_asid
);
181 require_action(get_server_dispatch_queue() != NULL
, done
, status
= errAuthorizationInternal
);
183 gProcessMap
= CFDictionaryCreateMutable(kCFAllocatorDefault
, 0, &kProcessMapKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
);
184 require_action(gProcessMap
!= NULL
, done
, status
= errAuthorizationInternal
);
186 gSessionMap
= CFDictionaryCreateMutable(kCFAllocatorDefault
, 0, &kSessionMapKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
);
187 require_action(gSessionMap
!= NULL
, done
, status
= errAuthorizationInternal
);
189 gAuthTokenMap
= CFDictionaryCreateMutable(kCFAllocatorDefault
, 0, &kAuthTokenKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
);
190 require_action(gAuthTokenMap
!= NULL
, done
, status
= errAuthorizationInternal
);
192 gDatabase
= authdb_create();
193 require_action(gDatabase
!= NULL
, done
, status
= errAuthorizationInternal
);
195 // check to see if we have an updates
196 authdb_connection_t dbconn
= authdb_connection_acquire(gDatabase
);
197 authdb_maintenance(dbconn
);
198 authdb_connection_release(&dbconn
);
200 _setupAuditSessionMonitor();
201 _setupSignalHandlers();
207 static void _server_parse_audit_token(audit_token_t
* token
, audit_info_s
* info
)
210 memset(info
, 0, sizeof(*info
));
212 memset(&tid
, 0, sizeof(tid
));
213 audit_token_to_au32(*token
, &info
->auid
, &info
->euid
,
214 &info
->egid
, &info
->ruid
, &info
->rgid
,
215 &info
->pid
, &info
->asid
, &tid
);
216 info
->tid
= tid
.port
;
217 info
->opaqueToken
= *token
;
222 server_register_connection(xpc_connection_t connection
)
224 __block connection_t conn
= NULL
;
225 __block session_t session
= NULL
;
226 __block process_t proc
= NULL
;
227 __block CFIndex conn_count
= 0;
229 require(connection
!= NULL
, done
);
231 audit_token_t auditToken
;
233 xpc_connection_get_audit_token(connection
, &auditToken
);
234 _server_parse_audit_token(&auditToken
, &info
);
237 dispatch_sync(get_server_dispatch_queue(), ^{
238 session
= (session_t
)CFDictionaryGetValue(gSessionMap
, &info
.asid
);
242 session
= session_create(info
.asid
);
243 CFDictionarySetValue(gSessionMap
, session_get_key(session
), session
);
246 proc
= (process_t
)CFDictionaryGetValue(gProcessMap
, &info
);
252 conn
= connection_create(proc
);
253 conn_count
= process_add_connection(proc
, conn
);
255 proc
= process_create(&info
, session
);
257 conn
= connection_create(proc
);
258 conn_count
= process_add_connection(proc
, conn
);
259 session_add_process(session
, proc
);
260 CFDictionarySetValue(gProcessMap
, process_get_key(proc
), proc
);
264 if (!gXPCTransaction
) {
265 xpc_transaction_begin();
266 gXPCTransaction
= true;
270 os_log_debug(AUTHD_LOG
, "server: registered connection (total=%li)", conn_count
);
273 CFReleaseSafe(session
);
279 server_unregister_connection(connection_t conn
)
281 assert(conn
); // marked non-null
282 process_t proc
= connection_get_process(conn
);
284 dispatch_sync(get_server_dispatch_queue(), ^{
285 CFIndex connectionCount
= process_get_connection_count(proc
);
286 os_log_debug(AUTHD_LOG
, "server: unregistered connection (total=%li)", connectionCount
);
288 if (connectionCount
== 1) {
289 CFDictionaryRemoveValue(gProcessMap
, process_get_key(proc
));
292 if (CFDictionaryGetCount(gProcessMap
) == 0) {
293 xpc_transaction_end();
294 gXPCTransaction
= false;
297 // move the destruction of the connection/process off the server queue
302 server_register_auth_token(auth_token_t auth
)
304 assert(auth
); // marked non-null
305 dispatch_sync(get_server_dispatch_queue(), ^{
306 os_log_debug(AUTHD_LOG
, "server: registering authorization");
307 CFDictionarySetValue(gAuthTokenMap
, auth_token_get_key(auth
), auth
);
308 auth_token_set_state(auth
, auth_token_state_registered
);
313 server_unregister_auth_token(auth_token_t auth
)
316 AuthorizationBlob blob
= *(AuthorizationBlob
*)auth_token_get_key(auth
);
317 dispatch_async(get_server_dispatch_queue(), ^{
318 os_log_debug(AUTHD_LOG
, "server: unregistering authorization");
319 CFDictionaryRemoveValue(gAuthTokenMap
, &blob
);
324 server_find_copy_auth_token(AuthorizationBlob
* blob
)
326 assert(blob
); // marked non-null
327 __block auth_token_t auth
= NULL
;
328 dispatch_sync(get_server_dispatch_queue(), ^{
329 auth
= (auth_token_t
)CFDictionaryGetValue(gAuthTokenMap
, blob
);
338 server_find_copy_session(session_id_t sid
, bool create
)
340 __block session_t session
= NULL
;
342 dispatch_sync(get_server_dispatch_queue(), ^{
343 session
= (session_t
)CFDictionaryGetValue(gSessionMap
, &sid
);
347 session
= session_create(sid
);
349 CFDictionarySetValue(gSessionMap
, session_get_key(session
), session
);
361 _process_find_copy_auth_token_from_xpc(process_t proc
, xpc_object_t message
, auth_token_t
* auth_out
)
363 OSStatus status
= errAuthorizationSuccess
;
364 require_action(auth_out
!= NULL
, done
, status
= errAuthorizationInternal
);
367 AuthorizationBlob
* blob
= (AuthorizationBlob
*)xpc_dictionary_get_data(message
, AUTH_XPC_BLOB
, &len
);
368 require_action(blob
!= NULL
, done
, status
= errAuthorizationInvalidRef
);
369 require_action(len
== sizeof(AuthorizationBlob
), done
, status
= errAuthorizationInvalidRef
);
371 auth_token_t auth
= process_find_copy_auth_token(proc
, blob
);
372 require_action(auth
!= NULL
, done
, status
= errAuthorizationInvalidRef
);
375 os_log_debug(AUTHD_LOG
, "server: authtoken lookup %#x%x %p", blob
->data
[1],blob
->data
[0], auth
);
377 os_log_debug(AUTHD_LOG
, "server: authtoken lookup");
386 static OSStatus
_server_preauthorize(connection_t conn
, auth_token_t auth
, auth_items_t context
, engine_t
* engine_out
)
388 __block OSStatus status
= errAuthorizationDenied
;
389 engine_t engine
= NULL
;
391 require_action(conn
, done
, status
= errAuthorizationInternal
);
393 engine
= engine_create(conn
, auth
);
394 require_action(engine
, done
, status
= errAuthorizationInternal
);
396 status
= engine_preauthorize(engine
, context
);
401 *engine_out
= engine
;
409 static OSStatus
_server_authorize(connection_t conn
, auth_token_t auth
, AuthorizationFlags flags
, auth_rights_t rights
, auth_items_t environment
, engine_t
* engine_out
)
411 __block OSStatus status
= errAuthorizationDenied
;
412 engine_t engine
= NULL
;
414 require_action(conn
, done
, status
= errAuthorizationInternal
);
416 engine
= engine_create(conn
, auth
);
417 require_action(engine
, done
, status
= errAuthorizationInternal
);
419 if (flags
& kAuthorizationFlagInteractionAllowed
) {
420 dispatch_sync(connection_get_dispatch_queue(conn
), ^{
421 connection_set_engine(conn
, engine
);
422 status
= engine_authorize(engine
, rights
, environment
, flags
);
423 connection_set_engine(conn
, NULL
);
426 status
= engine_authorize(engine
, rights
, environment
, flags
);
432 *engine_out
= engine
;
440 // IN: AUTH_XPC_RIGHTS, AUTH_XPC_ENVIRONMENT, AUTH_XPC_FLAGS
441 // OUT: AUTH_XPC_BLOB
443 authorization_create(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
445 OSStatus status
= errAuthorizationDenied
;
447 process_t proc
= connection_get_process(conn
);
450 auth_rights_t rights
= auth_rights_create_with_xpc(xpc_dictionary_get_value(message
, AUTH_XPC_RIGHTS
));
451 auth_items_t environment
= auth_items_create_with_xpc(xpc_dictionary_get_value(message
, AUTH_XPC_ENVIRONMENT
));
452 AuthorizationFlags flags
= (AuthorizationFlags
)xpc_dictionary_get_uint64(message
, AUTH_XPC_FLAGS
);
454 // Create Authorization Token
455 auth_token_t auth
= auth_token_create(proc
, flags
& kAuthorizationFlagLeastPrivileged
);
456 require_action(auth
!= NULL
, done
, status
= errAuthorizationInternal
);
458 if (!(flags
& kAuthorizationFlagNoData
)) {
459 process_add_auth_token(proc
,auth
);
462 status
= _server_authorize(conn
, auth
, flags
, rights
, environment
, NULL
);
463 require_noerr(status
, done
);
466 xpc_dictionary_set_data(reply
, AUTH_XPC_BLOB
, auth_token_get_blob(auth
), sizeof(AuthorizationBlob
));
469 CFReleaseSafe(rights
);
470 CFReleaseSafe(environment
);
475 // IN: AUTH_XPC_DATA, AUTH_XPC_ENVIRONMENT, AUTH_XPC_FLAGS
476 // OUT: AUTH_XPC_BLOB
477 OSStatus
authorization_create_with_audit_token(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
479 OSStatus status
= errAuthorizationDenied
;
480 auth_token_t auth
= NULL
;
482 process_t proc
= connection_get_process(conn
);
483 require(process_get_uid(proc
) == 0, done
); //only root can use this call
487 const char * data
= xpc_dictionary_get_data(message
, AUTH_XPC_DATA
, &len
);
488 require(data
!= NULL
, done
);
489 require(len
== sizeof(audit_token_t
), done
);
491 // auth_items_t environment = auth_items_create_with_xpc(xpc_dictionary_get_value(message, AUTH_XPC_ENVIRONMENT));
492 AuthorizationFlags flags
= (AuthorizationFlags
)xpc_dictionary_get_uint64(message
, AUTH_XPC_FLAGS
);
494 audit_info_s auditInfo
;
495 _server_parse_audit_token((audit_token_t
*)data
, &auditInfo
);
497 // Create Authorization Token
498 auth
= auth_token_create(proc
, flags
& kAuthorizationFlagLeastPrivileged
);
499 require_action(auth
!= NULL
, done
, status
= errAuthorizationInternal
);
501 process_add_auth_token(proc
,auth
);
504 xpc_dictionary_set_data(reply
, AUTH_XPC_BLOB
, auth_token_get_blob(auth
), sizeof(AuthorizationBlob
));
507 // CFReleaseSafe(environment);
512 // IN: AUTH_XPC_BLOB, AUTH_XPC_FLAGS
515 authorization_free(connection_t conn
, xpc_object_t message
, xpc_object_t reply AUTH_UNUSED
)
517 OSStatus status
= errAuthorizationSuccess
;
518 AuthorizationFlags flags
= 0;
519 process_t proc
= connection_get_process(conn
);
521 auth_token_t auth
= NULL
;
522 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
523 require_noerr(status
, done
);
525 flags
= (AuthorizationFlags
)xpc_dictionary_get_uint64(message
, AUTH_XPC_FLAGS
);
527 if (flags
& kAuthorizationFlagDestroyRights
) {
528 auth_token_credentials_iterate(auth
, ^bool(credential_t cred
) {
529 credential_invalidate(cred
);
530 os_log_debug(AUTHD_LOG
, "engine[%i]: invalidating %{public}scredential %{public}s (%i)", connection_get_pid(conn
), credential_get_shared(cred
) ? "shared " : "", credential_get_name(cred
), credential_get_uid(cred
));
534 session_credentials_purge(auth_token_get_session(auth
));
537 process_remove_auth_token(proc
, auth
, flags
);
541 os_log_debug(AUTHD_LOG
, "server: AuthorizationFree %d (flags:%x)", (int)status
, (unsigned int)flags
);
545 // IN: AUTH_XPC_BLOB, AUTH_XPC_DATA
548 authorization_preauthorize_credentials(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
550 OSStatus status
= errAuthorizationDenied
;
551 engine_t engine
= NULL
;
553 process_t proc
= connection_get_process(conn
);
556 auth_items_t context
= auth_items_create_with_xpc(xpc_dictionary_get_value(message
, AUTH_XPC_DATA
));
558 auth_token_t auth
= NULL
;
559 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
560 require_noerr_action_quiet(status
, done
, os_log_error(AUTHD_LOG
, "preauthorize_credentials: no auth token"));
562 status
= _server_preauthorize(conn
, auth
, context
, &engine
);
563 require_noerr_action_quiet(status
, done
, os_log_error(AUTHD_LOG
, "preauthorize_credentials: authorization failed"));
566 CFReleaseSafe(context
);
568 CFReleaseSafe(engine
);
574 // IN: AUTH_XPC_BLOB, AUTH_XPC_RIGHTS, AUTH_XPC_ENVIRONMENT, AUTH_XPC_FLAGS
575 // OUT: AUTH_XPC_OUT_ITEMS
577 authorization_copy_rights(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
579 OSStatus status
= errAuthorizationDenied
;
580 engine_t engine
= NULL
;
582 process_t proc
= connection_get_process(conn
);
585 auth_rights_t rights
= auth_rights_create_with_xpc(xpc_dictionary_get_value(message
, AUTH_XPC_RIGHTS
));
586 auth_items_t environment
= auth_items_create_with_xpc(xpc_dictionary_get_value(message
, AUTH_XPC_ENVIRONMENT
));
587 AuthorizationFlags flags
= (AuthorizationFlags
)xpc_dictionary_get_uint64(message
, AUTH_XPC_FLAGS
);
589 auth_token_t auth
= NULL
;
590 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
591 require_noerr_action_quiet(status
, done
, os_log_error(AUTHD_LOG
, "copy_rights: no auth token"));
593 status
= _server_authorize(conn
, auth
, flags
, rights
, environment
, &engine
);
594 require_noerr_action_quiet(status
, done
, os_log_error(AUTHD_LOG
, "copy_rights: authorization failed"));
597 xpc_object_t outItems
= auth_rights_export_xpc(engine_get_granted_rights(engine
));
598 xpc_dictionary_set_value(reply
, AUTH_XPC_OUT_ITEMS
, outItems
);
599 xpc_release_safe(outItems
);
602 CFReleaseSafe(rights
);
603 CFReleaseSafe(environment
);
605 CFReleaseSafe(engine
);
610 // IN: AUTH_XPC_BLOB, AUTH_XPC_TAG
611 // OUT: AUTH_XPC_OUT_ITEMS
613 authorization_copy_info(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
616 OSStatus status
= errAuthorizationSuccess
;
617 auth_items_t items
= NULL
;
618 auth_items_t local_items
= NULL
;
619 const char * tag
= NULL
;
621 process_t proc
= connection_get_process(conn
);
623 auth_token_t auth
= NULL
;
624 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
625 require_noerr_action_quiet(status
, done
, os_log_error(AUTHD_LOG
, "copy_info: no auth token"));
627 items
= auth_items_create();
629 tag
= xpc_dictionary_get_string(message
, AUTH_XPC_TAG
);
630 os_log_debug(AUTHD_LOG
, "server: requested tag: %{public}s", tag
? tag
: "(all)");
633 const void * data
= auth_items_get_data_with_flags(auth_token_get_context(auth
), tag
, &len
, kAuthorizationContextFlagExtractable
);
635 os_log_debug(AUTHD_LOG
, "server: requested tag found");
636 auth_items_set_data(items
, tag
, data
, len
);
639 auth_items_copy_with_flags(items
, auth_token_get_context(auth
), kAuthorizationContextFlagExtractable
);
642 local_items
= auth_items_create();
643 auth_items_content_copy(local_items
, items
); // we do not want decrypt content of the authorizationref memory which is where pointers point to
644 auth_items_decrypt(local_items
, auth_token_get_encryption_key(auth
));
645 os_log_debug(AUTHD_LOG
, "server: decrypted authorization context data");
648 os_log_debug(AUTHD_LOG
, "server: Dumping requested AuthRef items: %{public}@", items
);
652 xpc_object_t outItems
= auth_items_export_xpc(local_items
);
653 xpc_dictionary_set_value(reply
, AUTH_XPC_OUT_ITEMS
, outItems
);
654 xpc_release_safe(outItems
);
657 CFReleaseSafe(local_items
);
658 CFReleaseSafe(items
);
660 os_log_debug(AUTHD_LOG
, "server: AuthorizationCopyInfo %i", (int) status
);
665 // OUT: AUTH_XPC_EXTERNAL
667 authorization_make_external_form(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
669 OSStatus status
= errAuthorizationSuccess
;
671 process_t proc
= connection_get_process(conn
);
673 auth_token_t auth
= NULL
;
674 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
675 require_noerr(status
, done
);
677 AuthorizationExternalForm exForm
;
678 AuthorizationExternalBlob
* exBlob
= (AuthorizationExternalBlob
*)&exForm
;
679 memset(&exForm
, 0, sizeof(exForm
));
681 exBlob
->blob
= *auth_token_get_blob(auth
);
682 exBlob
->session
= process_get_session_id(proc
);
684 xpc_dictionary_set_data(reply
, AUTH_XPC_EXTERNAL
, &exForm
, sizeof(exForm
));
685 server_register_auth_token(auth
);
689 os_log_debug(AUTHD_LOG
, "server: AuthorizationMakeExternalForm %d", (int)status
);
693 // IN: AUTH_XPC_EXTERNAL
694 // OUT: AUTH_XPC_BLOB
696 authorization_create_from_external_form(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
698 OSStatus status
= errAuthorizationSuccess
;
699 auth_token_t auth
= NULL
;
701 process_t proc
= connection_get_process(conn
);
704 AuthorizationExternalForm
* exForm
= (AuthorizationExternalForm
*)xpc_dictionary_get_data(message
, AUTH_XPC_EXTERNAL
, &len
);
705 require_action(exForm
!= NULL
, done
, status
= errAuthorizationInternal
);
706 require_action(len
== sizeof(AuthorizationExternalForm
), done
, status
= errAuthorizationInvalidRef
);
708 AuthorizationExternalBlob
* exBlob
= (AuthorizationExternalBlob
*)exForm
;
709 auth
= server_find_copy_auth_token(&exBlob
->blob
);
710 require_action(auth
!= NULL
, done
, status
= errAuthorizationDenied
);
712 process_add_auth_token(proc
, auth
);
713 xpc_dictionary_set_data(reply
, AUTH_XPC_BLOB
, auth_token_get_blob(auth
), sizeof(AuthorizationBlob
));
717 os_log_debug(AUTHD_LOG
, "server: AuthorizationCreateFromExternalForm %d", (int)status
);
721 // IN: AUTH_XPC_RIGHT_NAME
722 // OUT: AUTH_XPC_DATA
724 authorization_right_get(connection_t conn AUTH_UNUSED
, xpc_object_t message
, xpc_object_t reply
)
726 OSStatus status
= errAuthorizationDenied
;
728 CFTypeRef cfdict
= NULL
;
729 xpc_object_t xpcdict
= NULL
;
731 authdb_connection_t dbconn
= authdb_connection_acquire(server_get_database());
732 rule
= rule_create_with_string(xpc_dictionary_get_string(message
, AUTH_XPC_RIGHT_NAME
), dbconn
);
733 require(rule
!= NULL
, done
);
734 require(rule_get_id(rule
) != 0, done
);
736 cfdict
= rule_copy_to_cfobject(rule
, dbconn
);
737 require(cfdict
!= NULL
, done
);
739 xpcdict
= _CFXPCCreateXPCObjectFromCFObject(cfdict
);
740 require(xpcdict
!= NULL
, done
);
743 xpc_dictionary_set_value(reply
, AUTH_XPC_DATA
, xpcdict
);
745 status
= errAuthorizationSuccess
;
748 authdb_connection_release(&dbconn
);
749 CFReleaseSafe(cfdict
);
750 xpc_release_safe(xpcdict
);
752 os_log_debug(AUTHD_LOG
, "server: AuthorizationRightGet %d", (int)status
);
756 static bool _prompt_for_modifications(process_t __unused proc
, rule_t __unused rule
)
758 // <rdar://problem/13853228> will put back it back at some later date
759 // SecRequirementRef ruleReq = rule_get_requirement(rule);
761 // if (ruleReq && process_verify_requirment(proc, ruleReq)) {
768 static CFIndex
_get_mechanism_index(CFArrayRef mechanisms
, CFStringRef m_name
)
771 require(mechanisms
, done
);
773 CFIndex c
= CFArrayGetCount(mechanisms
);
774 CFStringRef i_name
= NULL
;
775 for (CFIndex i
= 0; i
< c
; ++i
)
777 i_name
= CFArrayGetValueAtIndex(mechanisms
, i
);
778 if (i_name
&& (CFGetTypeID(m_name
) == CFStringGetTypeID())) {
779 if (CFStringCompare(i_name
, m_name
, kCFCompareCaseInsensitive
) == kCFCompareEqualTo
) {
790 static bool _update_rule_mechanism(authdb_connection_t dbconn
, const char * rule_name
, CFStringRef mechanism_name
, CFStringRef insert_after_name
, bool remove
)
792 bool updated
= false;
794 rule_t update_rule
= NULL
;
795 CFMutableDictionaryRef cfdict
= NULL
;
796 CFStringRef update_name
= NULL
;
798 require(mechanism_name
, done
);
800 rule
= rule_create_with_string(rule_name
, dbconn
);
801 require(rule_get_id(rule
) != 0, done
); // rule doesn't exist in the database
803 cfdict
= rule_copy_to_cfobject(rule
, dbconn
);
804 require(cfdict
!= NULL
, done
);
806 CFMutableArrayRef mechanisms
= NULL
;
807 bool res
= CFDictionaryGetValueIfPresent(cfdict
, CFSTR(kAuthorizationRuleParameterMechanisms
), (void*)&mechanisms
);
808 require(res
== true, done
);
813 index
= _get_mechanism_index(mechanisms
, mechanism_name
);
815 if (insert_after_name
) {
816 if ((index
= _get_mechanism_index(mechanisms
, insert_after_name
)) != -1) {
819 index
= 0; // if we couldn't find the index add it to the begining
828 CFArrayRemoveValueAtIndex(mechanisms
, index
);
830 if (index
< CFArrayGetCount(mechanisms
)) {
831 require_action(CFStringCompare(CFArrayGetValueAtIndex(mechanisms
, index
), mechanism_name
, kCFCompareCaseInsensitive
) != kCFCompareEqualTo
, done
, updated
= true);
833 CFArrayInsertValueAtIndex(mechanisms
, index
, mechanism_name
);
836 CFDictionarySetValue(cfdict
, CFSTR(kAuthorizationRuleParameterMechanisms
), mechanisms
);
839 update_name
= CFStringCreateWithCString(kCFAllocatorDefault
, rule_name
, kCFStringEncodingUTF8
);
840 require(update_name
, done
);
841 update_rule
= rule_create_with_plist(rule_get_type(rule
), update_name
, cfdict
, dbconn
);
842 require(update_rule
, done
);
844 require(rule_sql_commit(update_rule
, dbconn
, CFAbsoluteTimeGetCurrent(), NULL
), done
);
851 CFReleaseSafe(update_rule
);
852 CFReleaseSafe(cfdict
);
853 CFReleaseSafe(update_name
);
857 /// IN: AUTH_XPC_BLOB, AUTH_XPC_INT64
860 authorization_enable_smartcard(connection_t conn
, xpc_object_t message
, xpc_object_t reply AUTH_UNUSED
)
862 const CFStringRef SMARTCARD_LINE
= CFSTR("builtin:smartcard-sniffer,privileged");
863 const CFStringRef BUILTIN_LINE
= CFSTR("builtin:policy-banner");
864 const char* SYSTEM_LOGIN_CONSOLE
= "system.login.console";
865 const char* AUTHENTICATE
= "authenticate";
867 __block OSStatus status
= errAuthorizationSuccess
;
868 bool enable_smartcard
= false;
869 authdb_connection_t dbconn
= NULL
;
870 auth_token_t auth
= NULL
;
871 auth_rights_t checkRight
= NULL
;
873 process_t proc
= connection_get_process(conn
);
875 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
876 require_noerr(status
, done
);
878 checkRight
= auth_rights_create();
879 auth_rights_add(checkRight
, "config.modify.smartcard");
880 status
= _server_authorize(conn
, auth
, kAuthorizationFlagDefaults
| kAuthorizationFlagInteractionAllowed
| kAuthorizationFlagExtendRights
, checkRight
, NULL
, NULL
);
881 require_noerr(status
, done
);
883 enable_smartcard
= xpc_dictionary_get_bool(message
, AUTH_XPC_DATA
);
885 dbconn
= authdb_connection_acquire(server_get_database());
887 if (!_update_rule_mechanism(dbconn
, SYSTEM_LOGIN_CONSOLE
, SMARTCARD_LINE
, BUILTIN_LINE
, enable_smartcard
? false : true)) {
888 status
= errAuthorizationInternal
;
889 os_log_error(AUTHD_LOG
, "server: smartcard: enable(%i) failed to update %{public}s", enable_smartcard
, SYSTEM_LOGIN_CONSOLE
);
891 if (!_update_rule_mechanism(dbconn
, AUTHENTICATE
, SMARTCARD_LINE
, NULL
, enable_smartcard
? false : true)) {
892 status
= errAuthorizationInternal
;
893 os_log_error(AUTHD_LOG
, "server: smartcard: enable(%i) failed to update %{public}s", enable_smartcard
, AUTHENTICATE
);
896 authdb_checkpoint(dbconn
);
899 authdb_connection_release(&dbconn
);
900 CFReleaseSafe(checkRight
);
905 static int64_t _process_get_identifier_count(process_t proc
, authdb_connection_t conn
)
907 __block
int64_t result
= 0;
909 authdb_step(conn
, "SELECT COUNT(*) AS cnt FROM rules WHERE identifier = ? ", ^(sqlite3_stmt
*stmt
) {
910 sqlite3_bind_text(stmt
, 1, process_get_identifier(proc
), -1, NULL
);
911 }, ^bool(auth_items_t data
) {
912 result
= auth_items_get_int64(data
, "cnt");
919 static int64_t _get_max_process_rights()
921 static dispatch_once_t onceToken
;
922 static int64_t max_rights
= MAX_PROCESS_RIGHTS
;
924 //sudo defaults write /Library/Preferences/com.apple.authd max_process_rights -bool true
925 dispatch_once(&onceToken
, ^{
926 CFTypeRef max
= (CFNumberRef
)CFPreferencesCopyValue(CFSTR("max_process_rights"), CFSTR(SECURITY_AUTH_NAME
), kCFPreferencesAnyUser
, kCFPreferencesCurrentHost
);
928 if (max
&& CFGetTypeID(max
) == CFNumberGetTypeID()) {
929 CFNumberGetValue(max
, kCFNumberSInt64Type
, &max_rights
);
937 // IN: AUTH_XPC_BLOB, AUTH_XPC_RIGHT_NAME, AUTH_XPC_DATA
940 authorization_right_set(connection_t conn
, xpc_object_t message
, xpc_object_t reply AUTH_UNUSED
)
942 __block OSStatus status
= errAuthorizationDenied
;
943 __block engine_t engine
= NULL
;
944 CFStringRef cf_rule_name
= NULL
;
945 CFDictionaryRef cf_rule_dict
= NULL
;
947 rule_t existingRule
= NULL
;
948 authdb_connection_t dbconn
= NULL
;
949 auth_token_t auth
= NULL
;
950 bool force_modify
= false;
951 RuleType rule_type
= RT_RIGHT
;
952 const char * rule_name
= NULL
;
953 bool auth_rule
= false;
955 process_t proc
= connection_get_process(conn
);
957 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
958 require_noerr(status
, done
);
960 require_action(xpc_dictionary_get_string(message
, AUTH_XPC_RIGHT_NAME
) != NULL
, done
, status
= errAuthorizationInternal
);
961 require_action(xpc_dictionary_get_value(message
, AUTH_XPC_DATA
) != NULL
, done
, status
= errAuthorizationInternal
);
963 rule_name
= xpc_dictionary_get_string(message
, AUTH_XPC_RIGHT_NAME
);
964 require(rule_name
!= NULL
, done
);
966 if (_compare_string(rule_name
, "authenticate")) {
971 cf_rule_name
= CFStringCreateWithCString(kCFAllocatorDefault
, rule_name
, kCFStringEncodingUTF8
);
972 require(cf_rule_name
!= NULL
, done
);
974 cf_rule_dict
= _CFXPCCreateCFObjectFromXPCObject(xpc_dictionary_get_value(message
, AUTH_XPC_DATA
));
975 require(cf_rule_dict
!= NULL
, done
);
977 dbconn
= authdb_connection_acquire(server_get_database());
979 rule
= rule_create_with_plist(rule_type
, cf_rule_name
, cf_rule_dict
, dbconn
);
980 if (process_get_uid(proc
) != 0) {
981 require_action(rule_get_extract_password(rule
) == false, done
, status
= errAuthorizationDenied
; os_log_error(AUTHD_LOG
, "server: AuthorizationRightSet not allowed to set extract-password. (denied)"));
984 // if rule doesn't currently exist then we have to check to see if they are over the Max.
985 if (rule_get_id(rule
) == 0) {
986 if (process_get_identifier(proc
) == NULL
) {
987 os_log_error(AUTHD_LOG
, "server: AuthorizationRightSet required for process %{public}s (missing code signature). To add rights to the Authorization database, your process must have a code signature.", process_get_code_url(proc
));
990 int64_t process_rule_count
= _process_get_identifier_count(proc
, dbconn
);
991 if ((process_rule_count
>= _get_max_process_rights())) {
992 if (!connection_get_syslog_warn(conn
)) {
993 os_log_error(AUTHD_LOG
, "server: AuthorizationRightSet Denied API abuse process %{public}s already contains %lli rights.", process_get_code_url(proc
), _get_max_process_rights());
994 connection_set_syslog_warn(conn
);
996 status
= errAuthorizationDenied
;
1002 if (process_get_uid(proc
) != 0) {
1003 os_log_error(AUTHD_LOG
, "server: AuthorizationRightSet denied, root required to update the 'authenticate' rule");
1004 status
= errAuthorizationDenied
;
1008 // verify they are updating a right and not a rule
1009 existingRule
= rule_create_with_string(rule_get_name(rule
), dbconn
);
1010 if (rule_get_type(existingRule
) == RT_RULE
) {
1011 os_log_error(AUTHD_LOG
, "server: AuthorizationRightSet Denied updating '%{public}s' rule is prohibited", rule_get_name(existingRule
));
1012 status
= errAuthorizationDenied
;
1018 if (_prompt_for_modifications(proc
,rule
)) {
1019 authdb_connection_release(&dbconn
);
1021 dispatch_sync(connection_get_dispatch_queue(conn
), ^{
1022 engine
= engine_create(conn
, auth
);
1023 connection_set_engine(conn
, engine
);
1024 status
= engine_verify_modification(engine
, rule
, false, force_modify
);
1025 connection_set_engine(conn
, NULL
);
1027 require_noerr(status
, done
);
1029 dbconn
= authdb_connection_acquire(server_get_database());
1032 if (rule_sql_commit(rule
, dbconn
, engine
? engine_get_time(engine
) : CFAbsoluteTimeGetCurrent(), proc
)) {
1033 os_log_debug(AUTHD_LOG
, "server: Successfully updated rule %{public}s", rule_get_name(rule
));
1034 authdb_checkpoint(dbconn
);
1035 status
= errAuthorizationSuccess
;
1037 os_log_error(AUTHD_LOG
, "server: Failed to update rule %{public}s", rule_get_name(rule
));
1038 status
= errAuthorizationDenied
;
1042 authdb_connection_release(&dbconn
);
1043 CFReleaseSafe(existingRule
);
1044 CFReleaseSafe(cf_rule_name
);
1045 CFReleaseSafe(cf_rule_dict
);
1046 CFReleaseSafe(auth
);
1047 CFReleaseSafe(rule
);
1048 CFReleaseSafe(engine
);
1052 // IN: AUTH_XPC_BLOB, AUTH_XPC_RIGHT_NAME
1055 authorization_right_remove(connection_t conn
, xpc_object_t message
, xpc_object_t reply AUTH_UNUSED
)
1057 __block OSStatus status
= errAuthorizationDenied
;
1058 __block engine_t engine
= NULL
;
1060 authdb_connection_t dbconn
= NULL
;
1062 process_t proc
= connection_get_process(conn
);
1064 auth_token_t auth
= NULL
;
1065 status
= _process_find_copy_auth_token_from_xpc(proc
, message
, &auth
);
1066 require_noerr(status
, done
);
1068 dbconn
= authdb_connection_acquire(server_get_database());
1070 rule
= rule_create_with_string(xpc_dictionary_get_string(message
, AUTH_XPC_RIGHT_NAME
), dbconn
);
1071 require(rule
!= NULL
, done
);
1073 if (_prompt_for_modifications(proc
,rule
)) {
1074 authdb_connection_release(&dbconn
);
1076 dispatch_sync(connection_get_dispatch_queue(conn
), ^{
1077 engine
= engine_create(conn
, auth
);
1078 connection_set_engine(conn
, engine
);
1079 status
= engine_verify_modification(engine
, rule
, true, false);
1080 connection_set_engine(conn
, NULL
);
1082 require_noerr(status
, done
);
1084 dbconn
= authdb_connection_acquire(server_get_database());
1087 if (rule_get_id(rule
) != 0) {
1088 rule_sql_remove(rule
, dbconn
, proc
);
1092 authdb_connection_release(&dbconn
);
1093 CFReleaseSafe(auth
);
1094 CFReleaseSafe(rule
);
1095 CFReleaseSafe(engine
);
1096 os_log_debug(AUTHD_LOG
, "server: AuthorizationRightRemove %d", (int)status
);
1101 #pragma mark test code
1104 session_set_user_preferences(connection_t conn
, xpc_object_t message
, xpc_object_t reply
)
1109 return errAuthorizationSuccess
;
1114 // rule_t rule = rule_create_with_string("system.preferences.accounts");
1115 // CFDictionaryRef dict = rule_copy_to_cfobject(rule);
1117 // CFReleaseSafe(rule);
1118 // CFReleaseSafe(dict);
1120 // auth_items_t config = NULL;
1121 // double d2 = 0, d1 = 5;
1122 // authdb_get_key_value(server_get_authdb_reader(), "config", &config);
1123 // auth_items_set_double(config, "test", d1);
1124 // d2 = auth_items_get_double(config, "test");
1125 // os_log_debug(AUTHD_LOG, "d1=%f d2=%f", d1, d2);
1126 // CFReleaseSafe(config);
1129 // auth_items_t items = auth_items_create();
1130 // auth_items_set_string(items, "test", "testing 1");
1131 // auth_items_set_string(items, "test2", "testing 2");
1132 // auth_items_set_string(items, "test3", "testing 3");
1133 // auth_items_set_flags(items, "test3", 4);
1134 // auth_items_set_string(items, "apple", "apple");
1135 // auth_items_set_flags(items, "apple", 1);
1136 // auth_items_set_int(items, "int", 45);
1137 // auth_items_set_flags(items, "int", 2);
1138 // auth_items_set_bool(items, "true", true);
1139 // auth_items_set_bool(items, "false", false);
1140 // auth_items_set(items, "com.apple.");
1141 // auth_show(items);
1142 // LOGD("Yeah it works: %s", auth_items_get_string(items, "test3"));
1143 // LOGD("Yeah it works: %i", auth_items_get_bool(items, "true"));
1144 // LOGD("Yeah it works: %i", auth_items_get_bool(items, "false"));
1145 // LOGD("Yeah it works: %i", auth_items_get_int(items, "int"));
1146 // (void)auth_items_get_bool(items, "test3");
1147 // AuthorizationItemSet * itemSet = auth_items_get_item_set(items);
1148 // for (uint32_t i = 0; i < itemSet->count; i++) {
1149 // LOGD("item: %s", itemSet->items[i].name);
1152 // xpc_object_t xpcdata = SerializeItemSet(auth_items_get_item_set(items));
1153 // auth_items_t items2 = auth_items_create_with_xpc(xpcdata);
1154 // xpc_release(xpcdata);
1155 // auth_items_remove_with_flags(items2, 7);
1156 //// auth_items_set_string(items2, "test3", "testing 3 very good");
1157 // auth_items_copy_with_flags(items2, items, 7);
1158 // LOGD("Yeah it works: %s", auth_items_get_string(items2, "test3"));
1159 // auth_show(items2);
1160 // CFReleaseSafe(items2);
1162 // CFReleaseSafe(items);