1 /* Copyright (c) 2012-2013 Apple Inc. All Rights Reserved. */
7 #include "authd_private.h"
9 #include "authutilities.h"
12 #include <Security/SecCode.h>
13 #include <Security/SecRequirement.h>
16 __AUTH_BASE_STRUCT_HEADER__
;
18 audit_info_s auditInfo
;
22 CFMutableBagRef authTokens
;
23 dispatch_queue_t dispatch_queue
;
25 CFMutableSetRef connections
;
28 char code_url
[PATH_MAX
+1];
29 char * code_identifier
;
30 CFDataRef code_requirement_data
;
31 SecRequirementRef code_requirement
;
32 CFDictionaryRef code_entitlements
;
34 mach_port_t bootstrap
;
40 _unregister_auth_tokens(const void *value
, void *context
)
42 auth_token_t auth
= (auth_token_t
)value
;
43 process_t proc
= (process_t
)context
;
45 CFIndex count
= auth_token_remove_process(auth
, proc
);
46 if ((count
== 0) && auth_token_check_state(auth
, auth_token_state_registered
)) {
47 server_unregister_auth_token(auth
);
52 _destroy_zombie_tokens(process_t proc
)
54 LOGD("process[%i] destroy zombies, %ld auth tokens", process_get_pid(proc
), CFBagGetCount(proc
->authTokens
));
55 _cf_bag_iterate(proc
->authTokens
, ^bool(CFTypeRef value
) {
56 auth_token_t auth
= (auth_token_t
)value
;
57 LOGD("process[%i] %p, creator=%i, zombie=%i, process_cout=%ld", process_get_pid(proc
), auth
, auth_token_is_creator(auth
, proc
), auth_token_check_state(auth
, auth_token_state_zombie
), auth_token_get_process_count(auth
));
58 if (auth_token_is_creator(auth
, proc
) && auth_token_check_state(auth
, auth_token_state_zombie
) && (auth_token_get_process_count(auth
) == 1)) {
59 CFBagRemoveValue(proc
->authTokens
, auth
);
66 _process_finalize(CFTypeRef value
)
68 process_t proc
= (process_t
)value
;
70 LOGV("process[%i]: deallocated %p", proc
->auditInfo
.pid
, proc
);
72 dispatch_barrier_sync(proc
->dispatch_queue
, ^{
73 CFBagApplyFunction(proc
->authTokens
, _unregister_auth_tokens
, proc
);
76 session_remove_process(proc
->session
, proc
);
78 dispatch_release(proc
->dispatch_queue
);
79 CFReleaseSafe(proc
->authTokens
);
80 CFReleaseSafe(proc
->connections
);
81 CFReleaseSafe(proc
->session
);
82 CFReleaseSafe(proc
->codeRef
);
83 CFReleaseSafe(proc
->code_requirement
);
84 CFReleaseSafe(proc
->code_requirement_data
);
85 CFReleaseSafe(proc
->code_entitlements
);
86 free_safe(proc
->code_identifier
);
87 if (proc
->bootstrap
!= MACH_PORT_NULL
) {
88 mach_port_deallocate(mach_task_self(), proc
->bootstrap
);
92 AUTH_TYPE_INSTANCE(process
,
95 .finalize
= _process_finalize
,
98 .copyFormattingDesc
= NULL
,
102 static CFTypeID
process_get_type_id() {
103 static CFTypeID type_id
= _kCFRuntimeNotATypeID
;
104 static dispatch_once_t onceToken
;
106 dispatch_once(&onceToken
, ^{
107 type_id
= _CFRuntimeRegisterClass(&_auth_type_process
);
114 process_create(const audit_info_s
* auditInfo
, session_t session
)
116 OSStatus status
= errSecSuccess
;
117 process_t proc
= NULL
;
118 CFDictionaryRef code_info
= NULL
;
119 CFURLRef code_url
= NULL
;
121 require(session
!= NULL
, done
);
122 require(auditInfo
!= NULL
, done
);
124 proc
= (process_t
)_CFRuntimeCreateInstance(kCFAllocatorDefault
, process_get_type_id(), AUTH_CLASS_SIZE(process
), NULL
);
125 require(proc
!= NULL
, done
);
127 proc
->auditInfo
= *auditInfo
;
129 proc
->session
= (session_t
)CFRetain(session
);
131 proc
->connections
= CFSetCreateMutable(kCFAllocatorDefault
, 0, NULL
);
133 proc
->authTokens
= CFBagCreateMutable(kCFAllocatorDefault
, 0, &kCFTypeBagCallBacks
);
134 check(proc
->authTokens
!= NULL
);
136 proc
->dispatch_queue
= dispatch_queue_create(NULL
, DISPATCH_QUEUE_SERIAL
);
137 check(proc
->dispatch_queue
!= NULL
);
139 CFMutableDictionaryRef codeDict
= CFDictionaryCreateMutable(kCFAllocatorDefault
, 0, &kCFTypeDictionaryKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
);
140 CFNumberRef codePid
= CFNumberCreate(kCFAllocatorDefault
, kCFNumberIntType
, &proc
->auditInfo
.pid
);
141 CFDictionarySetValue(codeDict
, kSecGuestAttributePid
, codePid
);
142 status
= SecCodeCopyGuestWithAttributes(NULL
, codeDict
, kSecCSDefaultFlags
, &proc
->codeRef
);
143 CFReleaseSafe(codeDict
);
144 CFReleaseSafe(codePid
);
147 LOGE("process[%i]: failed to create code ref %d", proc
->auditInfo
.pid
, (int)status
);
152 status
= SecCodeCopySigningInformation(proc
->codeRef
, kSecCSRequirementInformation
, &code_info
);
153 require_noerr_action(status
, done
, LOGV("process[%i]: SecCodeCopySigningInformation failed with %d", proc
->auditInfo
.pid
, (int)status
));
155 CFTypeRef value
= NULL
;
156 if (CFDictionaryGetValueIfPresent(code_info
, kSecCodeInfoDesignatedRequirement
, (const void**)&value
)) {
157 if (CFGetTypeID(value
) == SecRequirementGetTypeID()) {
158 SecRequirementCopyData((SecRequirementRef
)value
, kSecCSDefaultFlags
, &proc
->code_requirement_data
);
159 if (proc
->code_requirement_data
) {
160 SecRequirementCreateWithData(proc
->code_requirement_data
, kSecCSDefaultFlags
, &proc
->code_requirement
);
166 if (SecCodeCopyPath(proc
->codeRef
, kSecCSDefaultFlags
, &code_url
) == errSecSuccess
) {
167 CFURLGetFileSystemRepresentation(code_url
, true, (UInt8
*)proc
->code_url
, sizeof(proc
->code_url
));
170 if (CFDictionaryGetValueIfPresent(code_info
, kSecCodeInfoIdentifier
, &value
)) {
171 if (CFGetTypeID(value
) == CFStringGetTypeID()) {
172 proc
->code_identifier
= _copy_cf_string(value
, NULL
);
177 if (CFDictionaryGetValueIfPresent(code_info
, kSecCodeInfoEntitlementsDict
, &value
)) {
178 if (CFGetTypeID(value
) == CFDictionaryGetTypeID()) {
179 proc
->code_entitlements
= CFDictionaryCreateCopy(kCFAllocatorDefault
, value
);
184 // This is the clownfish supported way to check for a Mac App Store or B&I signed build
185 CFStringRef requirementString
= CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])");
186 SecRequirementRef secRequirementRef
= NULL
;
187 status
= SecRequirementCreateWithString(requirementString
, kSecCSDefaultFlags
, &secRequirementRef
);
188 if (status
== errSecSuccess
) {
189 proc
->appleSigned
= process_verify_requirment(proc
, secRequirementRef
);
191 CFReleaseSafe(secRequirementRef
);
193 LOGV("process[%i]: created (sid=%i) %s %p", proc
->auditInfo
.pid
, proc
->auditInfo
.asid
, proc
->code_url
, proc
);
196 CFReleaseSafe(code_info
);
197 CFReleaseSafe(code_url
);
202 process_get_key(process_t proc
)
204 return &proc
->auditInfo
;
208 process_get_uid(process_t proc
)
210 assert(proc
); // marked non-null
211 return proc
->auditInfo
.euid
;
215 process_get_pid(process_t proc
)
217 assert(proc
); // marked non-null
218 return proc
->auditInfo
.pid
;
221 int32_t process_get_generation(process_t proc
)
223 assert(proc
); // marked non-null
224 return proc
->auditInfo
.tid
;
228 process_get_session_id(process_t proc
)
230 assert(proc
); // marked non-null
231 return proc
->auditInfo
.asid
;
235 process_get_session(process_t proc
)
237 assert(proc
); // marked non-null
238 return proc
->session
;
242 process_get_audit_info(process_t proc
)
244 return &proc
->auditInfo
;
248 process_get_code(process_t proc
)
250 return proc
->codeRef
;
254 process_get_code_url(process_t proc
)
256 return proc
->code_url
;
260 process_add_auth_token(process_t proc
, auth_token_t auth
)
262 dispatch_sync(proc
->dispatch_queue
, ^{
263 CFBagAddValue(proc
->authTokens
, auth
);
264 if (CFBagGetCountOfValue(proc
->authTokens
, auth
) == 1) {
265 auth_token_add_process(auth
, proc
);
271 process_remove_auth_token(process_t proc
, auth_token_t auth
, uint32_t flags
)
273 dispatch_sync(proc
->dispatch_queue
, ^{
274 bool destroy
= false;
275 bool creator
= auth_token_is_creator(auth
, proc
);
276 CFIndex count
= auth_token_get_process_count(auth
);
278 // if we are the last ones associated with this auth token or the caller passed in the kAuthorizationFlagDestroyRights
279 // then we break the link between the process and auth token. If another process holds a reference
280 // then kAuthorizationFlagDestroyRights will only break the link and not destroy the auth token
281 // <rdar://problem/14553640>
283 (flags
& kAuthorizationFlagDestroyRights
))
289 // If we created this token and someone else is holding a reference to it
290 // don't destroy the link until they have freed the authorization ref
291 // instead set the zombie state on the auth_token
293 if (CFBagGetCountOfValue(proc
->authTokens
, auth
) == 1) {
294 auth_token_set_state(auth
, auth_token_state_zombie
);
304 CFBagRemoveValue(proc
->authTokens
, auth
);
305 if (!CFBagContainsValue(proc
->authTokens
, auth
)) {
306 auth_token_remove_process(auth
, proc
);
308 if ((count
== 1) && auth_token_check_state(auth
, auth_token_state_registered
)) {
309 server_unregister_auth_token(auth
);
314 // destroy all eligible zombies
315 _destroy_zombie_tokens(proc
);
320 process_find_copy_auth_token(process_t proc
, const AuthorizationBlob
* blob
)
322 __block CFTypeRef auth
= NULL
;
323 dispatch_sync(proc
->dispatch_queue
, ^{
324 _cf_bag_iterate(proc
->authTokens
, ^bool(CFTypeRef value
) {
325 auth_token_t iter
= (auth_token_t
)value
;
326 if (memcmp(blob
, auth_token_get_blob(iter
), sizeof(AuthorizationBlob
)) == 0) {
334 return (auth_token_t
)auth
;
338 process_get_auth_token_count(process_t proc
)
340 __block CFIndex count
= 0;
341 dispatch_sync(proc
->dispatch_queue
, ^{
342 count
= CFBagGetCount(proc
->authTokens
);
348 process_add_connection(process_t proc
, connection_t conn
)
350 __block CFIndex count
= 0;
351 dispatch_sync(proc
->dispatch_queue
, ^{
352 CFSetAddValue(proc
->connections
, conn
);
353 count
= CFSetGetCount(proc
->connections
);
359 process_remove_connection(process_t proc
, connection_t conn
)
361 __block CFIndex count
= 0;
362 dispatch_sync(proc
->dispatch_queue
, ^{
363 CFSetRemoveValue(proc
->connections
, conn
);
364 count
= CFSetGetCount(proc
->connections
);
370 process_get_connection_count(process_t proc
)
372 __block CFIndex count
= 0;
373 dispatch_sync(proc
->dispatch_queue
, ^{
374 count
= CFSetGetCount(proc
->connections
);
380 process_copy_entitlement_value(process_t proc
, const char * entitlement
)
382 CFTypeRef value
= NULL
;
383 require(entitlement
!= NULL
, done
);
385 CFStringRef key
= CFStringCreateWithCStringNoCopy(kCFAllocatorDefault
, entitlement
, kCFStringEncodingUTF8
, kCFAllocatorNull
);
386 if (proc
->code_entitlements
&& key
&& (CFDictionaryGetValueIfPresent(proc
->code_entitlements
, key
, &value
))) {
396 process_has_entitlement(process_t proc
, const char * entitlement
)
398 bool entitled
= false;
399 require(entitlement
!= NULL
, done
);
401 CFStringRef key
= CFStringCreateWithCStringNoCopy(kCFAllocatorDefault
, entitlement
, kCFStringEncodingUTF8
, kCFAllocatorNull
);
402 CFTypeRef value
= NULL
;
403 if (proc
->code_entitlements
&& key
&& (CFDictionaryGetValueIfPresent(proc
->code_entitlements
, key
, &value
))) {
404 if (CFGetTypeID(value
) == CFBooleanGetTypeID()) {
405 entitled
= CFBooleanGetValue(value
);
415 process_has_entitlement_for_right(process_t proc
, const char * right
)
417 bool entitled
= false;
418 require(right
!= NULL
, done
);
420 CFTypeRef rights
= NULL
;
421 if (proc
->code_entitlements
&& CFDictionaryGetValueIfPresent(proc
->code_entitlements
, CFSTR("com.apple.private.AuthorizationServices"), &rights
)) {
422 if (CFGetTypeID(rights
) == CFArrayGetTypeID()) {
423 CFStringRef key
= CFStringCreateWithCStringNoCopy(kCFAllocatorDefault
, right
, kCFStringEncodingUTF8
, kCFAllocatorNull
);
424 require(key
!= NULL
, done
);
426 CFIndex count
= CFArrayGetCount(rights
);
427 for (CFIndex i
= 0; i
< count
; i
++) {
428 if (CFEqual(CFArrayGetValueAtIndex(rights
, i
), key
)) {
442 process_get_identifier(process_t proc
)
444 return proc
->code_identifier
;
448 process_get_requirement_data(process_t proc
)
450 return proc
->code_requirement_data
;
454 process_get_requirement(process_t proc
)
456 return proc
->code_requirement
;
459 bool process_verify_requirment(process_t proc
, SecRequirementRef requirment
)
461 OSStatus status
= SecCodeCheckValidity(proc
->codeRef
, kSecCSDefaultFlags
, requirment
);
462 if (status
!= errSecSuccess
) {
463 LOGV("process[%i]: code requirement check failed (%d)", proc
->auditInfo
.pid
, (int)status
);
465 return (status
== errSecSuccess
);
468 // Returns true if the process was signed by B&I or the Mac App Store
469 bool process_apple_signed(process_t proc
) {
470 return proc
->appleSigned
;
473 mach_port_t
process_get_bootstrap(process_t proc
)
475 return proc
->bootstrap
;
478 bool process_set_bootstrap(process_t proc
, mach_port_t bootstrap
)
480 if (bootstrap
!= MACH_PORT_NULL
) {
481 if (proc
->bootstrap
!= MACH_PORT_NULL
) {
482 mach_port_deallocate(mach_task_self(), proc
->bootstrap
);
484 proc
->bootstrap
= bootstrap
;