+++ /dev/null
-/* Copyright (c) 2012 Apple Inc. All rights reserved. */
-
-#include "authtoken.h"
-#include "authd_private.h"
-#include "process.h"
-#include "authitems.h"
-#include "debugging.h"
-#include "authutilities.h"
-#include "server.h"
-
-#include <CommonCrypto/CommonRandomSPI.h>
-#include <Security/Authorization.h>
-#include <Security/SecBase.h>
-#include <sandbox.h>
-
-static Boolean AuthTokenEqualCallBack(const void *value1, const void *value2)
-{
- return (*(uint64_t*)value1) == (*(uint64_t*)value2);
-}
-
-static CFHashCode AuthTokenHashCallBack(const void *value)
-{
-// CFHashCode hash;
-// AuthorizationBlob* blob = (AuthorizationBlob*)value;
-// hash = blob->data[1];
-// hash <<= 32;
-// hash |= blob->data[0];
-// return hash;
- //quick 64 bit aligned version
- return *((CFHashCode*)((AuthorizationBlob*)value)->data);
-}
-
-const CFDictionaryKeyCallBacks kAuthTokenKeyCallBacks = {
- .version = 0,
- .retain = NULL,
- .release = NULL,
- .copyDescription = NULL,
- .equal = &AuthTokenEqualCallBack,
- .hash = &AuthTokenHashCallBack
-};
-
-struct _auth_token_s {
- __AUTH_BASE_STRUCT_HEADER__;
-
- AuthorizationBlob blob;
- auth_token_state_t state;
- audit_info_s auditInfo;
- dispatch_queue_t dispatch_queue;
-
- CFMutableSetRef processes;
-
- session_t session;
- process_t creator; // weak reference, used for entitlement checking
- mach_port_t creator_bootstrap_port;
-
- auth_items_t context;
-
- CFMutableSetRef credentials;
- CFMutableSetRef authorized_rights;
-
- bool least_privileged;
- bool appleSigned;
-
- bool sandboxed;
- char * code_url;
-
- credential_t credential;
-};
-
-static void
-_auth_token_finalize(CFTypeRef value)
-{
- auth_token_t auth = (auth_token_t)value;
- LOGV("authtoken: deallocated %p", auth);
-
- dispatch_barrier_sync(auth->dispatch_queue, ^{});
-
- dispatch_release(auth->dispatch_queue);
- CFReleaseSafe(auth->session);
- CFReleaseSafe(auth->processes);
- CFReleaseSafe(auth->context);
- CFReleaseSafe(auth->credentials);
- CFReleaseSafe(auth->authorized_rights);
- free_safe(auth->code_url);
- CFReleaseSafe(auth->credential);
-
- if (auth->creator_bootstrap_port != MACH_PORT_NULL) {
- mach_port_deallocate(mach_task_self(), auth->creator_bootstrap_port);
- }
-}
-
-static Boolean
-_auth_token_equal(CFTypeRef value1, CFTypeRef value2)
-{
- auth_token_t auth1 = (auth_token_t)value1;
- auth_token_t auth2 = (auth_token_t)value2;
-
- return memcmp(&auth1->blob, &auth2->blob, sizeof(AuthorizationBlob)) == 0;
-}
-
-static CFStringRef
-_auth_token_copy_description(CFTypeRef value)
-{
- auth_token_t auth = (auth_token_t)value;
- return CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("auth_token: %p, uid=%i, pid=%i, processes=%li least_privileged=%i"),
- auth, auth->auditInfo.euid, auth->auditInfo.pid, CFSetGetCount(auth->processes), auth->least_privileged);
-}
-
-static CFHashCode
-_auth_token_hash(CFTypeRef value)
-{
- auth_token_t auth = (auth_token_t)value;
- return *(CFHashCode*)&auth->blob;
-}
-
-AUTH_TYPE_INSTANCE(auth_token,
- .init = NULL,
- .copy = NULL,
- .finalize = _auth_token_finalize,
- .equal = _auth_token_equal,
- .hash = _auth_token_hash,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = _auth_token_copy_description
- );
-
-static CFTypeID auth_token_get_type_id() {
- static CFTypeID type_id = _kCFRuntimeNotATypeID;
- static dispatch_once_t onceToken;
-
- dispatch_once(&onceToken, ^{
- type_id = _CFRuntimeRegisterClass(&_auth_type_auth_token);
- });
-
- return type_id;
-}
-
-static auth_token_t
-_auth_token_create(const audit_info_s * auditInfo, bool operateAsLeastPrivileged)
-{
-#if __LLP64__
- __Check_Compile_Time(sizeof(CFHashCode) == sizeof(AuthorizationBlob));
-#endif
-
- auth_token_t auth = (auth_token_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, auth_token_get_type_id(), AUTH_CLASS_SIZE(auth_token), NULL);
- require(auth != NULL, done);
-
- if (CCRandomCopyBytes(kCCRandomDefault, auth->blob.data, sizeof(auth->blob.data)) != kCCSuccess) {
- LOGE("authtoken[%i]: failed to generate blob", auditInfo->pid);
- CFReleaseNull(auth);
- goto done;
- }
-
- auth->context = auth_items_create();
- auth->auditInfo = *auditInfo;
- auth->least_privileged = operateAsLeastPrivileged;
-
- auth->dispatch_queue = dispatch_queue_create(NULL, DISPATCH_QUEUE_SERIAL);
- check(auth->dispatch_queue != NULL);
-
- auth->credentials = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
- auth->authorized_rights = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
- auth->processes = CFSetCreateMutable(kCFAllocatorDefault, 0, NULL);
- auth->creator_bootstrap_port = MACH_PORT_NULL;
-
- if (sandbox_check(auth->auditInfo.pid, "authorization-right-obtain", SANDBOX_CHECK_NO_REPORT) != 0)
- auth->sandboxed = true;
- else
- auth->sandboxed = false;
-
-#if DEBUG
- CFHashCode code = AuthTokenHashCallBack(&auth->blob);
- if (memcmp(&code, auth->blob.data, sizeof(auth->blob.data)) != 0) {
- LOGD("authtoken[%i]: blob = %x%01x", auth->auditInfo.pid, auth->blob.data[1], auth->blob.data[0]);
- LOGD("authtoken[%i]: hash = %lx", auth->auditInfo.pid, code);
- assert(false);
- }
-#endif
-
-done:
- return auth;
-}
-
-auth_token_t
-auth_token_create(process_t proc, bool operateAsLeastPrivileged)
-{
- auth_token_t auth = NULL;
- require(proc != NULL, done);
-
- auth = _auth_token_create(process_get_audit_info(proc), operateAsLeastPrivileged);
- require(auth != NULL, done);
-
- auth->creator = proc;
- auth->session = (session_t)CFRetain(process_get_session(proc));
- auth->code_url = _copy_string(process_get_code_url(proc));
- auth->appleSigned = process_apple_signed(proc);
- auth->creator_bootstrap_port = process_get_bootstrap(proc);
- // This line grabs a reference to the send right to the bootstrap (our right to send to the bootstrap)
- // This makes it critical to use the same call in reverse as we are only getting a ref to one right,
- // but deallocate will free a ref to all 5 rights.
- if (auth->creator_bootstrap_port != MACH_PORT_NULL) {
- kern_return_t error_code = mach_port_mod_refs(mach_task_self(), auth->creator_bootstrap_port, MACH_PORT_RIGHT_SEND, 1);
- if (error_code != KERN_SUCCESS) {
- // If no reference to the mach port right can be obtained, we don't hold the copy, so mark it NULL again!
- auth->creator_bootstrap_port = MACH_PORT_NULL;
- }
- }
-
- LOGV("authtoken[%i]: created %p", auth->auditInfo.pid, auth);
-
-done:
- return auth;
-}
-
-auth_token_t
-auth_token_create_with_audit_info(const audit_info_s* info, bool operateAsLeastPrivileged)
-{
- OSStatus status = errSecSuccess;
- SecCodeRef code_Ref = NULL;
- CFURLRef code_url = NULL;
-
- auth_token_t auth = NULL;
- require(info != NULL, done);
-
- auth = _auth_token_create(info, operateAsLeastPrivileged);
- require(auth != NULL, done);
-
- auth->session = server_find_copy_session(info->asid, true);
- if (auth->session == NULL) {
- LOGV("authtoken[%i]: failed to create session", auth->auditInfo.pid);
- CFReleaseNull(auth);
- goto done;
- }
-
- CFMutableDictionaryRef codeDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- CFNumberRef codePid = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &auth->auditInfo.pid);
- CFDictionarySetValue(codeDict, kSecGuestAttributePid, codePid);
- status = SecCodeCopyGuestWithAttributes(NULL, codeDict, kSecCSDefaultFlags, &code_Ref);
- CFReleaseSafe(codeDict);
- CFReleaseSafe(codePid);
-
- if (status) {
- LOGV("authtoken[%i]: failed to create code ref (%i)", auth->auditInfo.pid, status);
- CFReleaseNull(auth);
- goto done;
- }
-
- if (SecCodeCopyPath(code_Ref, kSecCSDefaultFlags, &code_url) == errSecSuccess) {
- auth->code_url = calloc(1u, PATH_MAX+1);
- if (auth->code_url) {
- CFURLGetFileSystemRepresentation(code_url, true, (UInt8*)auth->code_url, PATH_MAX);
- }
- }
-
- LOGV("authtoken[%i]: created %p for %s", auth->auditInfo.pid, auth, auth->code_url);
-
-done:
- CFReleaseSafe(code_Ref);
- CFReleaseSafe(code_url);
- return auth;
-}
-
-bool
-auth_token_get_sandboxed(auth_token_t auth)
-{
- return auth->sandboxed;
-}
-
-const char *
-auth_token_get_code_url(auth_token_t auth)
-{
- return auth->code_url;
-}
-
-const void *
-auth_token_get_key(auth_token_t auth)
-{
- return &auth->blob;
-}
-
-auth_items_t
-auth_token_get_context(auth_token_t auth)
-{
- return auth->context;
-}
-
-bool
-auth_token_least_privileged(auth_token_t auth)
-{
- return auth->least_privileged;
-}
-
-uid_t
-auth_token_get_uid(auth_token_t auth)
-{
- return auth ? auth->auditInfo.euid : (uid_t)-2;
-}
-
-pid_t
-auth_token_get_pid(auth_token_t auth)
-{
- return auth ? auth->auditInfo.pid : -1;
-}
-
-session_t
-auth_token_get_session(auth_token_t auth)
-{
- return auth->session;
-}
-
-const AuthorizationBlob *
-auth_token_get_blob(auth_token_t auth)
-{
- return &auth->blob;
-}
-
-const audit_info_s *
-auth_token_get_audit_info(auth_token_t auth)
-{
- return &auth->auditInfo;
-}
-
-mach_port_t
-auth_token_get_creator_bootstrap(auth_token_t auth)
-{
- return auth->creator_bootstrap_port;
-}
-
-CFIndex
-auth_token_add_process(auth_token_t auth, process_t proc)
-{
- __block CFIndex count = 0;
- dispatch_sync(auth->dispatch_queue, ^{
- CFSetAddValue(auth->processes, proc);
- count = CFSetGetCount(auth->processes);
- });
- return count;
-}
-
-CFIndex
-auth_token_remove_process(auth_token_t auth, process_t proc)
-{
- __block CFIndex count = 0;
- dispatch_sync(auth->dispatch_queue, ^{
- if (auth->creator == proc) {
- auth->creator = NULL;
- }
- CFSetRemoveValue(auth->processes, proc);
- count = CFSetGetCount(auth->processes);
- });
- return count;
-}
-
-CFIndex
-auth_token_get_process_count(auth_token_t auth)
-{
- __block CFIndex count = 0;
- dispatch_sync(auth->dispatch_queue, ^{
- count = CFSetGetCount(auth->processes);
- });
- return count;
-}
-
-void
-auth_token_set_credential(auth_token_t auth, credential_t cred)
-{
- dispatch_sync(auth->dispatch_queue, ^{
- CFSetSetValue(auth->credentials, cred);
- });
-}
-
-bool
-auth_token_credentials_iterate(auth_token_t auth, credential_iterator_t iter)
-{
- __block bool result = false;
-
- dispatch_sync(auth->dispatch_queue, ^{
- CFIndex count = CFSetGetCount(auth->credentials);
- CFTypeRef values[count];
- CFSetGetValues(auth->credentials, values);
- for (CFIndex i = 0; i < count; i++) {
- credential_t cred = (credential_t)values[i];
- result = iter(cred);
- if (!result) {
- break;
- }
- }
- });
-
- return result;
-}
-
-void
-auth_token_set_right(auth_token_t auth, credential_t right)
-{
- dispatch_sync(auth->dispatch_queue, ^{
- CFSetSetValue(auth->authorized_rights, right);
- });
-}
-
-bool
-auth_token_rights_iterate(auth_token_t auth, credential_iterator_t iter)
-{
- __block bool result = false;
-
- dispatch_sync(auth->dispatch_queue, ^{
- CFIndex count = CFSetGetCount(auth->authorized_rights);
- CFTypeRef values[count];
- CFSetGetValues(auth->authorized_rights, values);
- for (CFIndex i = 0; i < count; i++) {
- credential_t right = (credential_t)values[i];
- result = iter(right);
- if (!result) {
- break;
- }
- }
- });
-
- return result;
-}
-
-CFTypeRef
-auth_token_copy_entitlement_value(auth_token_t auth, const char * entitlement)
-{
- __block CFTypeRef value = NULL;
- dispatch_sync(auth->dispatch_queue, ^{
- if (auth->creator) {
- value = process_copy_entitlement_value(auth->creator, entitlement);
- }
- });
-
- return value;
-}
-
-bool
-auth_token_has_entitlement(auth_token_t auth, const char * entitlement)
-{
- __block bool entitled = false;
-
- dispatch_sync(auth->dispatch_queue, ^{
- if (auth->creator) {
- entitled = process_has_entitlement(auth->creator, entitlement);
- }
- });
-
- return entitled;
-}
-
-bool
-auth_token_has_entitlement_for_right(auth_token_t auth, const char * right)
-{
- __block bool entitled = false;
-
- dispatch_sync(auth->dispatch_queue, ^{
- if (auth->creator) {
- entitled = process_has_entitlement_for_right(auth->creator, right);
- }
- });
-
- return entitled;
-}
-
-credential_t
-auth_token_get_credential(auth_token_t auth)
-{
- dispatch_sync(auth->dispatch_queue, ^{
- if (auth->credential == NULL) {
- auth->credential = credential_create(auth->auditInfo.euid);
- }
- });
-
- return auth->credential;
-}
-
-bool
-auth_token_apple_signed(auth_token_t auth)
-{
- return auth->appleSigned;
-}
-
-bool auth_token_is_creator(auth_token_t auth, process_t proc)
-{
- __block bool creator = false;
- if (proc) {
- dispatch_sync(auth->dispatch_queue, ^{
- if (auth->creator == proc) {
- creator = true;
- }
- });
- }
- return creator;
-}
-
-void auth_token_set_state(auth_token_t auth, auth_token_state_t state)
-{
- auth->state |= state;
-}
-
-void auth_token_clear_state(auth_token_t auth, auth_token_state_t state)
-{
- auth->state &= ~state;
-}
-
-auth_token_state_t auth_token_get_state(auth_token_t auth)
-{
- return auth->state;
-}
-
-bool auth_token_check_state(auth_token_t auth, auth_token_state_t state)
-{
- if (state) {
- return (auth->state & state) != 0;
- } else {
- return auth->state == 0;
- }
-}
projects / apple / security.git / blobdiff