1 /*
2 * Copyright (c) 2008,2010-2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include "SecTask.h"
25
26 #include <utilities/debugging.h>
27
28 #include <AssertMacros.h>
29 #include <CoreFoundation/CFRuntime.h>
30 #include <IOKit/IOKitLib.h>
31 #include <IOKit/IOCFUnserialize.h>
32 #include <System/sys/codesign.h>
33 #include <bsm/libbsm.h>
34 #include <inttypes.h>
35 #include <syslog.h>
36 #include <utilities/SecCFWrappers.h>
37
38 #define USE_LIBPROC 0
39 #if USE_LIBPROC
40 #include <libproc.h>
41 #else
42 #include <sys/sysctl.h>
43 #endif
44
struct __SecTask {
    CFRuntimeBase base;

    /* getpid() of the calling process when created by SecTaskCreateFromSelf();
     * -1 when created by SecTaskCreateWithAuditToken(), in which case the pid
     * is extracted from `token` on demand (see csops_task and the debug
     * description callback). */
    pid_t pid_self;
    /* Audit token identifying the target task; all-zero in the "self" case. */
    audit_token_t token;

    /* Track whether we've loaded entitlements independently since after the
     * load, entitlements may legitimately be NULL */
    Boolean entitlementsLoaded;
    /* Parsed entitlements plist, owned by this object (released in SecTaskFinalize). */
    CFDictionaryRef entitlements;
};
56
/* True when `task` really is a SecTask instance, judged by its CF type ID. */
static bool check_task(SecTaskRef task) {
    CFTypeID actual = CFGetTypeID(task);
    return actual == SecTaskGetTypeID();
}
60
/* CFRuntime finalizer: drops the cached entitlements dictionary, if any. */
static void SecTaskFinalize(CFTypeRef cfTask)
{
    SecTaskRef task = (SecTaskRef) cfTask;
    CFDictionaryRef cached = task->entitlements;

    if (cached == NULL)
        return;

    /* Clear the field before releasing so the struct never holds a dangling reference. */
    task->entitlements = NULL;
    CFRelease(cached);
}
70
71
72 // Define PRIdPID (proper printf format string for pid_t)
73 #define PRIdPID PRId32
74
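/*
 * CFRuntime "copy debug description" callback: renders the task as
 * "<process name>[<pid>]".  The name comes from proc_name() or from the
 * kern.proc.pid sysctl depending on USE_LIBPROC; when it cannot be obtained
 * the strerror() text stands in so the caller still gets a usable string.
 *
 * Returns a new CFString the caller must release (NULL only if
 * CFStringCreateWithFormat itself fails).
 */
static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
{
    SecTaskRef task = (SecTaskRef) cfTask;
    pid_t pid;
    if (task->pid_self == -1) {
        /* Task built from an audit token: the pid is carried inside the token. */
        audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
    } else {
        pid = task->pid_self;
    }

#if USE_LIBPROC
#define MAX_PROCNAME 32
    char task_name[MAX_PROCNAME + 1] = {0};   /* {0} rather than {}: plain C11, same effect */
    proc_name(pid, task_name, MAX_PROCNAME);
#else
    const char *task_name;
    int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
    struct kinfo_proc kp;
    size_t len = sizeof(kp);
    if (sysctl(mib, 4, &kp, &len, NULL, 0) == -1) {
        task_name = strerror(errno);
    } else if (len == 0) {
        /* sysctl succeeded but returned no record, which is how the kernel
         * reports a pid that no longer exists.  errno is not touched on
         * success, so strerror(errno) here would describe a stale, unrelated
         * error; report "no such process" explicitly instead. */
        task_name = strerror(ESRCH);
    } else {
        task_name = kp.kp_proc.p_comm;
    }
#endif

    return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]"), task_name, pid);
}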
102
/* Registers the SecTask CF class with the runtime: SecTaskFinalize releases the
 * cached entitlements and SecTaskCopyDebugDescription formats "name[pid]".
 * The macro presumably also emits SecTaskGetTypeID(), which check_task() and
 * init_task_ref() rely on — confirm against SecCFWrappers.h. */
CFGiblisWithFunctions(SecTask, NULL, NULL, SecTaskFinalize, NULL, NULL, NULL, SecTaskCopyDebugDescription, NULL, NULL, NULL)
104
/*
 * Allocates a raw SecTask instance through the CF runtime.  The runtime only
 * knows about CFRuntimeBase, so it is told how many extra bytes the rest of
 * struct __SecTask needs.  Fields beyond `base` are left for the caller to
 * initialise.  Returns NULL if the runtime cannot allocate.
 */
static SecTaskRef init_task_ref(CFAllocatorRef allocator)
{
    const CFIndex payload = (CFIndex)(sizeof(struct __SecTask) - sizeof(CFRuntimeBase));
    CFTypeRef instance = _CFRuntimeCreateInstance(allocator, SecTaskGetTypeID(), payload, NULL);
    return (SecTaskRef) instance;
}
110
/*
 * Creates a SecTask describing the calling process.  The audit token is left
 * all-zero and pid_self records getpid(); entitlements are loaded lazily on
 * first query.  Returns NULL if allocation fails; the caller owns the result.
 */
SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef allocator)
{
    SecTaskRef task = init_task_ref(allocator);
    if (task == NULL)
        return NULL;

    memset(&task->token, 0, sizeof(task->token));
    task->pid_self = getpid();
    task->entitlements = NULL;
    task->entitlementsLoaded = false;
    return task;
}
124
/*
 * Creates a SecTask for the process identified by `token`.  pid_self is set
 * to -1 so later operations know to derive the pid from the token rather
 * than trusting a caller-supplied pid.  Entitlements are loaded lazily.
 * Returns NULL if allocation fails; the caller owns the result.
 */
SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
{
    SecTaskRef task = init_task_ref(allocator);
    if (task == NULL)
        return NULL;

    task->token = token;   /* audit_token_t is a plain struct: assignment copies all of it */
    task->pid_self = -1;
    task->entitlements = NULL;
    task->entitlementsLoaded = false;
    return task;
}
138
/* Leading 8 bytes of a code-signing blob as handed back by csops().  `length`
 * is the total blob size in big-endian byte order (see the ntohl() calls
 * below); the payload follows immediately after these 8 bytes. */
struct csheader {
    uint32_t magic;
    uint32_t length;
};
143
/*
 * Issues a csops(2) code-signing query for the task.  Tasks created from an
 * audit token (pid_self == -1) go through csops_audittoken(), passing the
 * token alongside the pid extracted from it; the "self" case uses plain
 * csops().  Returns whatever csops returns (-1 with errno set on failure).
 */
static int
csops_task(SecTaskRef task, int ops, void *blob, size_t size)
{
    if (task->pid_self != -1)
        return csops(task->pid_self, ops, blob, size);

    pid_t pid;
    audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
    return csops_audittoken(pid, ops, blob, size, &task->token);
}
155
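/* This may need to be exported at some point */
/*
 * Copies the code-signing identifier of `task` via CS_OPS_IDENTITY.
 *
 * Returns a new CFString the caller must release, or NULL when the task has
 * no identity (the header probe does not answer ERANGE) or when something
 * fails.  Failures are reported through `error` (if non-NULL) as a
 * kCFErrorDomainPOSIX error; the "no identity" case deliberately leaves
 * `error` untouched so callers can distinguish the two.
 */
CFStringRef
SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
{
    CFStringRef signingId = NULL;
    char *data = NULL;
    struct csheader header;
    uint32_t bufferlen;
    int ret;

    /* Probe with a header-sized buffer: the kernel answers ERANGE and fills
     * in the total blob length.  Anything else means there is nothing to copy. */
    ret = csops_task(task, CS_OPS_IDENTITY, &header, sizeof(header));
    if (ret != -1 || errno != ERANGE)
        return NULL;

    bufferlen = ntohl(header.length);
    /* check for insane values: the blob must at least hold its own 8-byte
     * header, and the 1 MiB cap keeps a bogus length from driving a huge
     * allocation */
    if (bufferlen > 1024 * 1024 || bufferlen < 8) {
        ret = EINVAL;
        goto out;
    }
    data = malloc(bufferlen + 1);   /* +1: room for the terminator added below */
    if (data == NULL) {
        ret = ENOMEM;
        goto out;
    }
    ret = csops_task(task, CS_OPS_IDENTITY, data, bufferlen);
    if (ret) {
        ret = errno;
        goto out;
    }
    /* Terminate explicitly so the CFString conversion never reads past the blob. */
    data[bufferlen] = '\0';

    /* The identifier string follows the 8-byte csheader. */
    signingId = CFStringCreateWithCString(NULL, data + 8, kCFStringEncodingUTF8);
    if (signingId == NULL) {
        /* The bytes were not valid UTF-8.  Report it: returning NULL with no
         * error would be indistinguishable from "no identity" above. */
        ret = EINVAL;
    }

out:
    free(data);   /* free(NULL) is a no-op */
    if (ret && error)
        *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);

    return signingId;
}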
198
199
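/*
 * Best-effort diagnostics for the case where the kernel refuses to hand out
 * the entitlements blob (errno other than ERANGE).  Logs the saved errno,
 * the task's code-signing status flags and its debug description.  Nothing
 * here influences the caller's result.
 */
static void SecTaskLogEntitlementsFailure(SecTaskRef task, int entitlementErrno)
{
    uint32_t cs_flags = UINT32_MAX;   /* sentinel: "flags could not be read" */
    if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
        syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
    }

    syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, task->pid_self=%d", entitlementErrno, cs_flags, task->pid_self); // to ease diagnostics

    CFStringRef description = SecTaskCopyDebugDescription(task);
    if (description == NULL) {
        /* CFStringCreateWithFormat failed; nothing to log. */
        return;
    }

    /* Size the buffer the way CoreFoundation wants: maximum UTF-8 expansion
     * plus one byte for the terminator.  The previous length*4 sizing had no
     * room for the NUL and was zero for an empty description, in which case
     * the "descriptionBuf[0] = 0" fallback wrote past a zero-byte allocation. */
    CFIndex maxSize = CFStringGetMaximumSizeForEncoding(CFStringGetLength(description), kCFStringEncodingUTF8);
    if (maxSize >= 0) {
        CFIndex descriptionSize = maxSize + 1;
        char *descriptionBuf = malloc((size_t)descriptionSize);
        if (descriptionBuf != NULL) {
            if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
                descriptionBuf[0] = 0;
            }
            syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
            free(descriptionBuf);
        }
    }
    CFRelease(description);
}

/*
 * Fetches and parses the task's entitlements blob into task->entitlements and
 * marks task->entitlementsLoaded.  A task with no entitlements (csops does
 * not answer ERANGE, or the kernel reports EINVAL for unsigned code) loads
 * successfully with entitlements == NULL.
 *
 * Returns true on success.  On failure returns false, leaves
 * entitlementsLoaded untouched and stores a kCFErrorDomainPOSIX error in
 * `error` unless the plist parser already supplied a more specific one.
 */
static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
{
    CFMutableDictionaryRef entitlements = NULL;
    struct csheader header;
    uint8_t *buffer = NULL;
    uint32_t bufferlen;
    int ret;

    ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
    /* Any other combination means no entitlements */
    if (ret == -1) {
        if (errno != ERANGE) {
            int entitlementErrno = errno;   /* save it before logging can clobber errno */

            SecTaskLogEntitlementsFailure(task, entitlementErrno);

            // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
            if (entitlementErrno == EINVAL) {
                task->entitlementsLoaded = true;
                return true;
            }
            ret = entitlementErrno; // what really went wrong
            goto out; // bail out
        }
        bufferlen = ntohl(header.length);
        /* check for insane values: must at least hold the 8-byte header, and
         * the 1 MiB cap bounds the allocation driven by a kernel-supplied length */
        if (bufferlen > 1024 * 1024 || bufferlen < 8) {
            ret = EINVAL;
            goto out;
        }
        buffer = malloc(bufferlen);
        if (buffer == NULL) {
            ret = ENOMEM;
            goto out;
        }
        ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, buffer, bufferlen);
        if (ret) {
            ret = errno;
            goto out;
        }

        /* The plist payload follows the 8-byte csheader.  kCFAllocatorNull
         * keeps CFData from taking ownership of `buffer`, which is freed below
         * once the plist has been parsed into its own storage. */
        CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer + 8, bufferlen - 8, kCFAllocatorNull);
        entitlements = (CFMutableDictionaryRef) CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListMutableContainers, NULL, error);
        CFRelease(data);

        /* Only a dictionary is an acceptable top-level entitlements object. */
        if ((entitlements == NULL) || (CFGetTypeID(entitlements) != CFDictionaryGetTypeID())) {
            ret = EINVAL;
            goto out;
        }
    }

    /* Hand the parsed dictionary (possibly NULL: no entitlements) to the task. */
    task->entitlements = entitlements;
    entitlements = NULL;
    task->entitlementsLoaded = true;

out:
    if (entitlements)
        CFRelease(entitlements);
    free(buffer);   /* free(NULL) is a no-op */
    if (ret && error && *error == NULL)
        *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
    return ret == 0;
}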
281
282
/*
 * Looks up a single entitlement on `task`.  Returns the value retained for
 * the caller (hence "Copy"), or NULL when `task` is not a SecTask, when the
 * entitlements could not be loaded (reported via `error`), or when the key
 * is simply absent.
 */
CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error)
{
    CFTypeRef result = NULL;
    require(check_task(task), out);

    /* Lazily populate task->entitlements on first use. */
    if (!task->entitlementsLoaded) {
        require_quiet(SecTaskLoadEntitlements(task, error), out);
    }

    if (task->entitlements == NULL)
        goto out;

    result = CFDictionaryGetValue(task->entitlements, entitlement);
    /* Copy semantics: hand back an owned reference. */
    if (result != NULL)
        CFRetain(result);

out:
    return result;
}
304
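/*
 * Builds a dictionary of those requested entitlements that `task` actually
 * holds.  Returns a new mutable dictionary the caller must release; it is
 * empty when the entitlements loaded but none of the requested keys are
 * present.  Returns NULL when `task` is not a SecTask, when the entitlements
 * could not be loaded (the reason goes to `error`, if provided), or when the
 * result dictionary could not be allocated.
 */
CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error)
{
    CFMutableDictionaryRef values = NULL;
    require(check_task(task), out);

    /* Load entitlements if necessary.  On failure entitlementsLoaded stays
     * false, which the check below turns into a NULL result. */
    if (task->entitlementsLoaded == false) {
        SecTaskLoadEntitlements(task, error);
    }

    /* Iterate over the passed in entitlements, populating the dictionary
     * If entitlements were loaded but none were present, return an empty
     * dictionary */
    if (task->entitlementsLoaded == true) {
        CFIndex count = CFArrayGetCount(entitlements);
        values = CFDictionaryCreateMutable(CFGetAllocator(task), count, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        /* An allocation failure used to flow straight into CFDictionarySetValue;
         * return NULL instead. */
        require_quiet(values != NULL, out);

        if (task->entitlements != NULL) {
            for (CFIndex i = 0; i < count; i++) {
                CFStringRef entitlement = CFArrayGetValueAtIndex(entitlements, i);
                CFTypeRef value = CFDictionaryGetValue(task->entitlements, entitlement);
                if (value != NULL) {
                    CFDictionarySetValue(values, entitlement, value);
                }
            }
        }
    }
out:
    return values;
}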