Security-59306.101.1.tar.gz

[apple/security.git] / sectask / SecTask.c
diff --git a/sectask/SecTask.c b/sectask/SecTask.c

index 5932609ead63cc8ea3b830ca54e495e2239c8f9e..a73416c7e31e113a349cbea5937bb8860e5f6df4 100644 (file)
--- a/sectask/SecTask.c
+++ b/sectask/SecTask.c
@@ -22,6 +22,7 @@
   */
  
  #include "SecTask.h"
   */
  
  #include "SecTask.h"
+#include "SecTaskPriv.h"
  
  #include <utilities/debugging.h>
  
  
  #include <utilities/debugging.h>
  
@@ -32,25 +33,31 @@
  #include <System/sys/codesign.h>
  #include <bsm/libbsm.h>
  #include <inttypes.h>
  #include <System/sys/codesign.h>
  #include <bsm/libbsm.h>
  #include <inttypes.h>
+#include <syslog.h>
  #include <utilities/SecCFWrappers.h>
  #include <utilities/SecCFWrappers.h>
+#include <xpc/private.h>
  
  
-#define USE_LIBPROC  0
-#if USE_LIBPROC
-#include <libproc.h>
-#else
  #include <sys/sysctl.h>
  #include <sys/sysctl.h>
-#endif
+
+#if TARGET_OS_OSX
+/* These won't exist until we unify codesigning */
+#include <Security/SecCode.h>
+#include <Security/SecCodePriv.h>
+#include <Security/SecRequirement.h>
+#endif /* TARGET_OS_OSX */
  
  struct __SecTask {
      CFRuntimeBase base;
      
  
  struct __SecTask {
      CFRuntimeBase base;
      
-    pid_t pid_self;
      audit_token_t token;
      
      /* Track whether we've loaded entitlements independently since after the
       * load, entitlements may legitimately be NULL */
      Boolean entitlementsLoaded;
      CFDictionaryRef entitlements;
      audit_token_t token;
      
      /* Track whether we've loaded entitlements independently since after the
       * load, entitlements may legitimately be NULL */
      Boolean entitlementsLoaded;
      CFDictionaryRef entitlements;
+       
+       /* for debugging only, shown by debugDescription */
+       int lastFailure;
  };
  
  static bool check_task(SecTaskRef task) {
  };
  
  static bool check_task(SecTaskRef task) {
@@ -60,11 +67,7 @@ static bool check_task(SecTaskRef task) {
  static void SecTaskFinalize(CFTypeRef cfTask)
  {
      SecTaskRef task = (SecTaskRef) cfTask;
  static void SecTaskFinalize(CFTypeRef cfTask)
  {
      SecTaskRef task = (SecTaskRef) cfTask;
-    
-    if (task->entitlements != NULL) {
-        CFRelease(task->entitlements);
-        task->entitlements = NULL;
-    }
+    CFReleaseNull(task->entitlements);
  }
  
  
  }
  
  
@@ -75,17 +78,8 @@ static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
  {
      SecTaskRef task = (SecTaskRef) cfTask;
      pid_t pid;
  {
      SecTaskRef task = (SecTaskRef) cfTask;
      pid_t pid;
-    if (task->pid_self==-1) {
-        audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
-    } else {
-        pid = task->pid_self;
-    }
+    audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
  
  
-#if USE_LIBPROC
-#define MAX_PROCNAME 32
-    char task_name[MAX_PROCNAME + 1] = {};
-    proc_name(pid, task_name, MAX_PROCNAME);
-#else
      const char *task_name;
      int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
      struct kinfo_proc kp;
      const char *task_name;
      int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
      struct kinfo_proc kp;
@@ -94,9 +88,9 @@ static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
          task_name = strerror(errno);
      else
          task_name = kp.kp_proc.p_comm;
          task_name = strerror(errno);
      else
          task_name = kp.kp_proc.p_comm;
-#endif
  
  
-    return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]"), task_name, pid);
+    return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]/%d#%d LF=%d"), task_name, pid,
+                                                                       task->entitlementsLoaded, task->entitlements ? (int)CFDictionaryGetCount(task->entitlements) : -1, task->lastFailure);
  }
  
  CFGiblisWithFunctions(SecTask, NULL, NULL, SecTaskFinalize, NULL, NULL, NULL, SecTaskCopyDebugDescription, NULL, NULL, NULL)
  }
  
  CFGiblisWithFunctions(SecTask, NULL, NULL, SecTaskFinalize, NULL, NULL, NULL, SecTaskCopyDebugDescription, NULL, NULL, NULL)
@@ -112,10 +106,15 @@ SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef allocator)
      SecTaskRef task = init_task_ref(allocator);
      if (task != NULL) {
  
      SecTaskRef task = init_task_ref(allocator);
      if (task != NULL) {
  
-        memset(&task->token, 0, sizeof(task->token));
-        task->entitlementsLoaded = false;
-        task->entitlements = NULL;
-        task->pid_self = getpid();
+        kern_return_t kr = KERN_FAILURE;
+        mach_msg_type_number_t autoken_cnt = TASK_AUDIT_TOKEN_COUNT;
+        kr = task_info(mach_task_self(), TASK_AUDIT_TOKEN, (task_info_t)&task->token, &autoken_cnt);
+        if (kr == KERN_SUCCESS) {
+            task->entitlementsLoaded = false;
+            task->entitlements = NULL;
+        } else {
+            CFReleaseNull(task);
+        }
      }
  
      return task;
      }
  
      return task;
@@ -129,12 +128,26 @@ SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t t
          memcpy(&task->token, &token, sizeof(token));
          task->entitlementsLoaded = false;
          task->entitlements = NULL;
          memcpy(&task->token, &token, sizeof(token));
          task->entitlementsLoaded = false;
          task->entitlements = NULL;
-        task->pid_self = -1;
      }
      
      return task;
  }
  
      }
      
      return task;
  }
  
+_Nullable SecTaskRef
+SecTaskCreateWithXPCMessage(xpc_object_t _Nonnull message)
+{
+    audit_token_t token;
+
+    if (message == NULL || xpc_get_type(message) != XPC_TYPE_DICTIONARY) {
+        return NULL;
+    }
+    xpc_dictionary_get_audit_token(message, &token);
+
+    return SecTaskCreateWithAuditToken(NULL, token);
+}
+
+
+
  struct csheader {
          uint32_t magic;
          uint32_t length;
  struct csheader {
          uint32_t magic;
          uint32_t length;
@@ -143,18 +156,18 @@ struct csheader {
  static int
  csops_task(SecTaskRef task, int ops, void *blob, size_t size)
  {
  static int
  csops_task(SecTaskRef task, int ops, void *blob, size_t size)
  {
-    if (task->pid_self==-1) {
-        pid_t pid;
-        audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
-        return csops_audittoken(pid, ops, blob, size, &task->token);
-    }
-    else
-        return csops(task->pid_self, ops, blob, size);
+       int rc;
+    
+    pid_t pid;
+    audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
+    rc = csops_audittoken(pid, ops, blob, size, &task->token);
+
+       task->lastFailure = (rc == -1) ? errno : 0;
+       return rc;
  }
  
  }
  
-/* This may need to be exported at some point */
-CFStringRef
-SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
+static CFStringRef
+SecTaskCopyIdentifier(SecTaskRef task, int op, CFErrorRef *error)
  {
          CFStringRef signingId = NULL;
          char *data = NULL;
  {
          CFStringRef signingId = NULL;
          char *data = NULL;
@@ -162,7 +175,7 @@ SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
          uint32_t bufferlen;
          int ret;
  
          uint32_t bufferlen;
          int ret;
  
-        ret = csops_task(task, CS_OPS_IDENTITY, &header, sizeof(header));
+        ret = csops_task(task, op, &header, sizeof(header));
          if (ret != -1 || errno != ERANGE)
                  return NULL;
  
          if (ret != -1 || errno != ERANGE)
                  return NULL;
  
@@ -177,7 +190,7 @@ SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
                  ret = ENOMEM;
                  goto out;
          }
                  ret = ENOMEM;
                  goto out;
          }
-        ret = csops_task(task, CS_OPS_IDENTITY, data, bufferlen);
+        ret = csops_task(task, op, data, bufferlen);
          if (ret) {
                  ret = errno;
                  goto out;
          if (ret) {
                  ret = errno;
                  goto out;
@@ -195,6 +208,26 @@ SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
          return signingId;
  }
  
          return signingId;
  }
  
+CFStringRef
+SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
+{
+    return SecTaskCopyIdentifier(task, CS_OPS_IDENTITY, error);
+}
+
+CFStringRef
+SecTaskCopyTeamIdentifier(SecTaskRef task, CFErrorRef *error)
+{
+    return SecTaskCopyIdentifier(task, CS_OPS_TEAMID, error);
+}
+
+uint32_t
+SecTaskGetCodeSignStatus(SecTaskRef task)
+{
+    uint32_t flags = 0;
+    if (csops_task(task, CS_OPS_STATUS, &flags, sizeof(flags)) != 0)
+        return 0;
+    return flags;
+}
  
  static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
  {
  
  static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
  {
@@ -207,11 +240,47 @@ static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
      
      ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
      /* Any other combination means no entitlements */
      
      ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
      /* Any other combination means no entitlements */
-    if (ret == -1 && errno == ERANGE) {
+       if (ret == -1) {
+               if (errno != ERANGE) {
+            int entitlementErrno = errno;
+
+                       uint32_t cs_flags = -1;
+            if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
+                syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
+            }
+
+                       if (cs_flags != 0) {    // was signed
+
+                               pid_t pid;
+                               audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
+                   syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, pid=%d", entitlementErrno, cs_flags, pid); // to ease diagnostics
+
+                               CFStringRef description = SecTaskCopyDebugDescription(task);
+                               char *descriptionBuf = NULL;
+                               CFIndex descriptionSize = CFStringGetLength(description) * 4;
+                               descriptionBuf = (char *)malloc(descriptionSize);
+                               if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
+                                       descriptionBuf[0] = 0;
+                               }
+
+                               syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
+                               CFReleaseNull(description);
+                               free(descriptionBuf);
+                       }
+                       task->lastFailure = entitlementErrno;   // was overwritten by csops_task(CS_OPS_STATUS) above
+
+                       // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
+                       if (entitlementErrno == EINVAL) {
+                               task->entitlementsLoaded = true;
+                               return true;
+                       }
+                       ret = entitlementErrno; // what really went wrong
+                       goto out;               // bail out
+               }
          bufferlen = ntohl(header.length);
          /* check for insane values */
          if (bufferlen > 1024 * 1024 || bufferlen < 8) {
          bufferlen = ntohl(header.length);
          /* check for insane values */
          if (bufferlen > 1024 * 1024 || bufferlen < 8) {
-            ret = EINVAL;
+            ret = E2BIG;
              goto out;
          }
          buffer = malloc(bufferlen);
              goto out;
          }
          buffer = malloc(bufferlen);
@@ -227,10 +296,10 @@ static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
  
          CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer+8, bufferlen-8, kCFAllocatorNull);
          entitlements = (CFMutableDictionaryRef) CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListMutableContainers, NULL, error);
  
          CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer+8, bufferlen-8, kCFAllocatorNull);
          entitlements = (CFMutableDictionaryRef) CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListMutableContainers, NULL, error);
-        CFRelease(data);
+        CFReleaseNull(data);
  
          if((entitlements==NULL) || (CFGetTypeID(entitlements)!=CFDictionaryGetTypeID())){
  
          if((entitlements==NULL) || (CFGetTypeID(entitlements)!=CFDictionaryGetTypeID())){
-            ret = EINVAL;
+            ret = EDOM;        // don't use EINVAL here; it conflates problems with syscall error returns
              goto out;
          }
      }
              goto out;
          }
      }
@@ -239,8 +308,7 @@ static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
      task->entitlementsLoaded = true;
  
  out:
      task->entitlementsLoaded = true;
  
  out:
-    if(entitlements)
-        CFRelease(entitlements);
+    CFReleaseNull(entitlements);
      if(buffer)
          free(buffer);
      if (ret && error && *error==NULL)
      if(buffer)
          free(buffer);
      if (ret && error && *error==NULL)
@@ -301,3 +369,48 @@ CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef ent
  out:
      return values;
  }
  out:
      return values;
  }
+
+#if SEC_OS_OSX
+/*
+ * Determine if the given task meets a specified requirement.
+ */
+OSStatus
+SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement)
+{
+    OSStatus status;
+    SecCodeRef code = NULL;
+    SecRequirementRef req = NULL;
+
+    CFMutableDictionaryRef codeDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+    CFDataRef auditData = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)&task->token, sizeof(audit_token_t));
+    CFDictionarySetValue(codeDict, kSecGuestAttributeAudit, auditData);
+    status = SecCodeCopyGuestWithAttributes(NULL, codeDict, kSecCSDefaultFlags, &code);
+    CFReleaseNull(codeDict);
+    CFReleaseNull(auditData);
+
+    if (!status) {
+        status = SecRequirementCreateWithString(requirement,
+                                                kSecCSDefaultFlags, &req);
+    }
+    if (!status) {
+        status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
+    }
+
+    CFReleaseNull(req);
+    CFReleaseNull(code);
+
+    return status;
+}
+#endif /* SEC_OS_OSX */
+
+Boolean SecTaskEntitlementsValidated(SecTaskRef task) {
+    // TODO: Cache the result
+    uint32_t csflags = 0;
+    const uint32_t mask = CS_VALID | CS_KILL | CS_ENTITLEMENTS_VALIDATED;
+       const uint32_t debug_mask = CS_DEBUGGED | CS_ENTITLEMENTS_VALIDATED;
+    int rc = csops_task(task, CS_OPS_STATUS, &csflags, sizeof(csflags));
+       // Allow debugged processes that were valid to continue being treated as valid
+       // We need this all the time (not just on internal) because third parties may need to debug their entitled process in xcode
+    return (rc != -1) && ((mask & csflags) == mask || (debug_mask & csflags) == debug_mask);
+}
+