+++ /dev/null
-/* Copyright (c) 2012-2013 Apple Inc. All Rights Reserved. */
-
-#include "process.h"
-#include "server.h"
-#include "session.h"
-#include "debugging.h"
-#include "authd_private.h"
-#include "authtoken.h"
-#include "authutilities.h"
-#include "ccaudit.h"
-
-#include <Security/SecCode.h>
-#include <Security/SecRequirement.h>
-
-struct _process_s {
- __AUTH_BASE_STRUCT_HEADER__;
-
- audit_info_s auditInfo;
-
- session_t session;
-
- CFMutableBagRef authTokens;
- dispatch_queue_t dispatch_queue;
-
- CFMutableSetRef connections;
-
- SecCodeRef codeRef;
- char code_url[PATH_MAX+1];
- char * code_identifier;
- CFDataRef code_requirement_data;
- SecRequirementRef code_requirement;
- CFDictionaryRef code_entitlements;
-
- mach_port_t bootstrap;
-
- bool appleSigned;
-};
-
-static void
-_unregister_auth_tokens(const void *value, void *context)
-{
- auth_token_t auth = (auth_token_t)value;
- process_t proc = (process_t)context;
-
- CFIndex count = auth_token_remove_process(auth, proc);
- if ((count == 0) && auth_token_check_state(auth, auth_token_state_registered)) {
- server_unregister_auth_token(auth);
- }
-}
-
-static void
-_destroy_zombie_tokens(process_t proc)
-{
- LOGD("process[%i] destroy zombies, %ld auth tokens", process_get_pid(proc), CFBagGetCount(proc->authTokens));
- _cf_bag_iterate(proc->authTokens, ^bool(CFTypeRef value) {
- auth_token_t auth = (auth_token_t)value;
- LOGD("process[%i] %p, creator=%i, zombie=%i, process_cout=%ld", process_get_pid(proc), auth, auth_token_is_creator(auth, proc), auth_token_check_state(auth, auth_token_state_zombie), auth_token_get_process_count(auth));
- if (auth_token_is_creator(auth, proc) && auth_token_check_state(auth, auth_token_state_zombie) && (auth_token_get_process_count(auth) == 1)) {
- CFBagRemoveValue(proc->authTokens, auth);
- }
- return true;
- });
-}
-
-static void
-_process_finalize(CFTypeRef value)
-{
- process_t proc = (process_t)value;
-
- LOGV("process[%i]: deallocated %p", proc->auditInfo.pid, proc);
-
- dispatch_barrier_sync(proc->dispatch_queue, ^{
- CFBagApplyFunction(proc->authTokens, _unregister_auth_tokens, proc);
- });
-
- session_remove_process(proc->session, proc);
-
- dispatch_release(proc->dispatch_queue);
- CFReleaseSafe(proc->authTokens);
- CFReleaseSafe(proc->connections);
- CFReleaseSafe(proc->session);
- CFReleaseSafe(proc->codeRef);
- CFReleaseSafe(proc->code_requirement);
- CFReleaseSafe(proc->code_requirement_data);
- CFReleaseSafe(proc->code_entitlements);
- free_safe(proc->code_identifier);
- if (proc->bootstrap != MACH_PORT_NULL) {
- mach_port_deallocate(mach_task_self(), proc->bootstrap);
- }
-}
-
-AUTH_TYPE_INSTANCE(process,
- .init = NULL,
- .copy = NULL,
- .finalize = _process_finalize,
- .equal = NULL,
- .hash = NULL,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = NULL
- );
-
-static CFTypeID process_get_type_id() {
- static CFTypeID type_id = _kCFRuntimeNotATypeID;
- static dispatch_once_t onceToken;
-
- dispatch_once(&onceToken, ^{
- type_id = _CFRuntimeRegisterClass(&_auth_type_process);
- });
-
- return type_id;
-}
-
-process_t
-process_create(const audit_info_s * auditInfo, session_t session)
-{
- OSStatus status = errSecSuccess;
- process_t proc = NULL;
- CFDictionaryRef code_info = NULL;
- CFURLRef code_url = NULL;
-
- require(session != NULL, done);
- require(auditInfo != NULL, done);
-
- proc = (process_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, process_get_type_id(), AUTH_CLASS_SIZE(process), NULL);
- require(proc != NULL, done);
-
- proc->auditInfo = *auditInfo;
-
- proc->session = (session_t)CFRetain(session);
-
- proc->connections = CFSetCreateMutable(kCFAllocatorDefault, 0, NULL);
-
- proc->authTokens = CFBagCreateMutable(kCFAllocatorDefault, 0, &kCFTypeBagCallBacks);
- check(proc->authTokens != NULL);
-
- proc->dispatch_queue = dispatch_queue_create(NULL, DISPATCH_QUEUE_SERIAL);
- check(proc->dispatch_queue != NULL);
-
- CFMutableDictionaryRef codeDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- CFNumberRef codePid = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &proc->auditInfo.pid);
- CFDictionarySetValue(codeDict, kSecGuestAttributePid, codePid);
- status = SecCodeCopyGuestWithAttributes(NULL, codeDict, kSecCSDefaultFlags, &proc->codeRef);
- CFReleaseSafe(codeDict);
- CFReleaseSafe(codePid);
-
- if (status) {
- LOGE("process[%i]: failed to create code ref %i", proc->auditInfo.pid, status);
- CFReleaseNull(proc);
- goto done;
- }
-
- status = SecCodeCopySigningInformation(proc->codeRef, kSecCSRequirementInformation, &code_info);
- require_noerr_action(status, done, LOGV("process[%i]: SecCodeCopySigningInformation failed with %i", proc->auditInfo.pid, status));
-
- CFTypeRef value = NULL;
- if (CFDictionaryGetValueIfPresent(code_info, kSecCodeInfoDesignatedRequirement, (const void**)&value)) {
- if (CFGetTypeID(value) == SecRequirementGetTypeID()) {
- SecRequirementCopyData((SecRequirementRef)value, kSecCSDefaultFlags, &proc->code_requirement_data);
- if (proc->code_requirement_data) {
- SecRequirementCreateWithData(proc->code_requirement_data, kSecCSDefaultFlags, &proc->code_requirement);
- }
- }
- value = NULL;
- }
-
- if (SecCodeCopyPath(proc->codeRef, kSecCSDefaultFlags, &code_url) == errSecSuccess) {
- CFURLGetFileSystemRepresentation(code_url, true, (UInt8*)proc->code_url, sizeof(proc->code_url));
- }
-
- if (CFDictionaryGetValueIfPresent(code_info, kSecCodeInfoIdentifier, &value)) {
- if (CFGetTypeID(value) == CFStringGetTypeID()) {
- proc->code_identifier = _copy_cf_string(value, NULL);
- }
- value = NULL;
- }
-
- if (CFDictionaryGetValueIfPresent(code_info, kSecCodeInfoEntitlementsDict, &value)) {
- if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
- proc->code_entitlements = CFDictionaryCreateCopy(kCFAllocatorDefault, value);
- }
- value = NULL;
- }
-
- // This is the clownfish supported way to check for a Mac App Store or B&I signed build
- CFStringRef requirementString = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])");
- SecRequirementRef secRequirementRef = NULL;
- status = SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &secRequirementRef);
- if (status == errSecSuccess) {
- proc->appleSigned = process_verify_requirment(proc, secRequirementRef);
- }
- CFReleaseSafe(secRequirementRef);
-
- LOGV("process[%i]: created (sid=%i) %s %p", proc->auditInfo.pid, proc->auditInfo.asid, proc->code_url, proc);
-
-done:
- CFReleaseSafe(code_info);
- CFReleaseSafe(code_url);
- return proc;
-}
-
-const void *
-process_get_key(process_t proc)
-{
- return &proc->auditInfo;
-}
-
-uid_t
-process_get_uid(process_t proc)
-{
- return proc ? proc->auditInfo.euid : (uid_t)-2;
-}
-
-pid_t
-process_get_pid(process_t proc)
-{
- return proc ? proc->auditInfo.pid : -1;
-}
-
-int32_t process_get_generation(process_t proc)
-{
- return proc->auditInfo.tid;
-}
-
-session_id_t
-process_get_session_id(process_t proc)
-{
- return proc ? proc->auditInfo.asid : -1;
-}
-
-session_t
-process_get_session(process_t proc)
-{
- return proc->session;
-}
-
-const audit_info_s *
-process_get_audit_info(process_t proc)
-{
- return &proc->auditInfo;
-}
-
-SecCodeRef
-process_get_code(process_t proc)
-{
- return proc->codeRef;
-}
-
-const char *
-process_get_code_url(process_t proc)
-{
- return proc->code_url;
-}
-
-void
-process_add_auth_token(process_t proc, auth_token_t auth)
-{
- dispatch_sync(proc->dispatch_queue, ^{
- CFBagAddValue(proc->authTokens, auth);
- if (CFBagGetCountOfValue(proc->authTokens, auth) == 1) {
- auth_token_add_process(auth, proc);
- }
- });
-}
-
-void
-process_remove_auth_token(process_t proc, auth_token_t auth, AuthorizationFlags flags)
-{
- dispatch_sync(proc->dispatch_queue, ^{
- bool destroy = false;
- bool creator = auth_token_is_creator(auth, proc);
- CFIndex count = auth_token_get_process_count(auth);
-
- // if we are the last ones associated with this auth token or the caller passed in the kAuthorizationFlagDestroyRights
- // then we break the link between the process and auth token. If another process holds a reference
- // then kAuthorizationFlagDestroyRights will only break the link and not destroy the auth token
- // <rdar://problem/14553640>
- if ((count == 1) ||
- (flags & kAuthorizationFlagDestroyRights))
- {
- destroy = true;
- goto done;
- }
-
- // If we created this token and someone else is holding a reference to it
- // don't destroy the link until they have freed the authorization ref
- // instead set the zombie state on the auth_token
- if (creator) {
- if (CFBagGetCountOfValue(proc->authTokens, auth) == 1) {
- auth_token_set_state(auth, auth_token_state_zombie);
- } else {
- destroy = true;
- }
- } else {
- destroy = true;
- }
-
- done:
- if (destroy) {
- CFBagRemoveValue(proc->authTokens, auth);
- if (!CFBagContainsValue(proc->authTokens, auth)) {
- auth_token_remove_process(auth, proc);
-
- if ((count == 1) && auth_token_check_state(auth, auth_token_state_registered)) {
- server_unregister_auth_token(auth);
- }
- }
- }
-
- // destroy all eligible zombies
- _destroy_zombie_tokens(proc);
- });
-}
-
-auth_token_t
-process_find_copy_auth_token(process_t proc, const AuthorizationBlob * blob)
-{
- __block CFTypeRef auth = NULL;
- dispatch_sync(proc->dispatch_queue, ^{
- _cf_bag_iterate(proc->authTokens, ^bool(CFTypeRef value) {
- auth_token_t iter = (auth_token_t)value;
- if (memcmp(blob, auth_token_get_blob(iter), sizeof(AuthorizationBlob)) == 0) {
- auth = iter;
- CFRetain(auth);
- return false;
- }
- return true;
- });
- });
- return (auth_token_t)auth;
-}
-
-CFIndex
-process_get_auth_token_count(process_t proc)
-{
- __block CFIndex count = 0;
- dispatch_sync(proc->dispatch_queue, ^{
- count = CFBagGetCount(proc->authTokens);
- });
- return count;
-}
-
-CFIndex
-process_add_connection(process_t proc, connection_t conn)
-{
- __block CFIndex count = 0;
- dispatch_sync(proc->dispatch_queue, ^{
- CFSetAddValue(proc->connections, conn);
- count = CFSetGetCount(proc->connections);
- });
- return count;
-}
-
-CFIndex
-process_remove_connection(process_t proc, connection_t conn)
-{
- __block CFIndex count = 0;
- dispatch_sync(proc->dispatch_queue, ^{
- CFSetRemoveValue(proc->connections, conn);
- count = CFSetGetCount(proc->connections);
- });
- return count;
-}
-
-CFIndex
-process_get_connection_count(process_t proc)
-{
- __block CFIndex count = 0;
- dispatch_sync(proc->dispatch_queue, ^{
- count = CFSetGetCount(proc->connections);
- });
- return count;
-}
-
-CFTypeRef
-process_copy_entitlement_value(process_t proc, const char * entitlement)
-{
- CFTypeRef value = NULL;
- require(entitlement != NULL, done);
-
- CFStringRef key = CFStringCreateWithCStringNoCopy(kCFAllocatorDefault, entitlement, kCFStringEncodingUTF8, kCFAllocatorNull);
- if (proc->code_entitlements && key && (CFDictionaryGetValueIfPresent(proc->code_entitlements, key, &value))) {
- CFRetainSafe(value);
- }
- CFReleaseSafe(key);
-
-done:
- return value;
-}
-
-bool
-process_has_entitlement(process_t proc, const char * entitlement)
-{
- bool entitled = false;
- require(entitlement != NULL, done);
-
- CFStringRef key = CFStringCreateWithCStringNoCopy(kCFAllocatorDefault, entitlement, kCFStringEncodingUTF8, kCFAllocatorNull);
- CFTypeRef value = NULL;
- if (proc->code_entitlements && key && (CFDictionaryGetValueIfPresent(proc->code_entitlements, key, &value))) {
- if (CFGetTypeID(value) == CFBooleanGetTypeID()) {
- entitled = CFBooleanGetValue(value);
- }
- }
- CFReleaseSafe(key);
-
-done:
- return entitled;
-}
-
-bool
-process_has_entitlement_for_right(process_t proc, const char * right)
-{
- bool entitled = false;
- require(right != NULL, done);
-
- CFTypeRef rights = NULL;
- if (proc->code_entitlements && CFDictionaryGetValueIfPresent(proc->code_entitlements, CFSTR("com.apple.private.AuthorizationServices"), &rights)) {
- if (CFGetTypeID(rights) == CFArrayGetTypeID()) {
- CFStringRef key = CFStringCreateWithCStringNoCopy(kCFAllocatorDefault, right, kCFStringEncodingUTF8, kCFAllocatorNull);
- require(key != NULL, done);
-
- CFIndex count = CFArrayGetCount(rights);
- for (CFIndex i = 0; i < count; i++) {
- if (CFEqual(CFArrayGetValueAtIndex(rights, i), key)) {
- entitled = true;
- break;
- }
- }
- CFReleaseSafe(key);
- }
- }
-
-done:
- return entitled;
-}
-
-const char *
-process_get_identifier(process_t proc)
-{
- return proc->code_identifier;
-}
-
-CFDataRef
-process_get_requirement_data(process_t proc)
-{
- return proc->code_requirement_data;
-}
-
-SecRequirementRef
-process_get_requirement(process_t proc)
-{
- return proc->code_requirement;
-}
-
-bool process_verify_requirment(process_t proc, SecRequirementRef requirment)
-{
- OSStatus status = SecCodeCheckValidity(proc->codeRef, kSecCSDefaultFlags, requirment);
- if (status != errSecSuccess) {
- LOGV("process[%i]: code requirement check failed (%d)", proc->auditInfo.pid, status);
- }
- return (status == errSecSuccess);
-}
-
-// Returns true if the process was signed by B&I or the Mac App Store
-bool process_apple_signed(process_t proc) {
- return proc->appleSigned;
-}
-
-mach_port_t process_get_bootstrap(process_t proc)
-{
- return proc->bootstrap;
-}
-
-bool process_set_bootstrap(process_t proc, mach_port_t bootstrap)
-{
- if (bootstrap != MACH_PORT_NULL) {
- if (proc->bootstrap != MACH_PORT_NULL) {
- mach_port_deallocate(mach_task_self(), proc->bootstrap);
- }
- proc->bootstrap = bootstrap;
- return true;
- }
- return false;
-}
-
projects / apple / security.git / blobdiff