Security-59754.80.3.tar.gz

[apple/security.git] / sectask / SecTask.c
diff --git a/sectask/SecTask.c b/sectask/SecTask.c

index 70917b9810b99581f607828f5557d8f3de092d3d..4b38f13d94f06551c15b7724dac18a9341f10f00 100644 (file)
--- a/sectask/SecTask.c
+++ b/sectask/SecTask.c
@@ -22,8 +22,10 @@
   */
  
  #include "SecTask.h"
   */
  
  #include "SecTask.h"
+#include "SecTaskPriv.h"
  
  #include <utilities/debugging.h>
  
  #include <utilities/debugging.h>
+#include <utilities/entitlements.h>
  
  #include <AssertMacros.h>
  #include <CoreFoundation/CFRuntime.h>
  
  #include <AssertMacros.h>
  #include <CoreFoundation/CFRuntime.h>
@@ -34,18 +36,20 @@
  #include <inttypes.h>
  #include <syslog.h>
  #include <utilities/SecCFWrappers.h>
  #include <inttypes.h>
  #include <syslog.h>
  #include <utilities/SecCFWrappers.h>
+#include <xpc/private.h>
  
  
-#define USE_LIBPROC  0
-#if USE_LIBPROC
-#include <libproc.h>
-#else
  #include <sys/sysctl.h>
  #include <sys/sysctl.h>
-#endif
+
+#if TARGET_OS_OSX
+/* These won't exist until we unify codesigning */
+#include <Security/SecCode.h>
+#include <Security/SecCodePriv.h>
+#include <Security/SecRequirement.h>
+#endif /* TARGET_OS_OSX */
  
  struct __SecTask {
      CFRuntimeBase base;
      
  
  struct __SecTask {
      CFRuntimeBase base;
      
-    pid_t pid_self;
      audit_token_t token;
      
      /* Track whether we've loaded entitlements independently since after the
      audit_token_t token;
      
      /* Track whether we've loaded entitlements independently since after the
@@ -64,11 +68,7 @@ static bool check_task(SecTaskRef task) {
  static void SecTaskFinalize(CFTypeRef cfTask)
  {
      SecTaskRef task = (SecTaskRef) cfTask;
  static void SecTaskFinalize(CFTypeRef cfTask)
  {
      SecTaskRef task = (SecTaskRef) cfTask;
-    
-    if (task->entitlements != NULL) {
-        CFRelease(task->entitlements);
-        task->entitlements = NULL;
-    }
+    CFReleaseNull(task->entitlements);
  }
  
  
  }
  
  
@@ -79,17 +79,8 @@ static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
  {
      SecTaskRef task = (SecTaskRef) cfTask;
      pid_t pid;
  {
      SecTaskRef task = (SecTaskRef) cfTask;
      pid_t pid;
-    if (task->pid_self==-1) {
-        audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
-    } else {
-        pid = task->pid_self;
-    }
+    audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
  
  
-#if USE_LIBPROC
-#define MAX_PROCNAME 32
-    char task_name[MAX_PROCNAME + 1] = {};
-    proc_name(pid, task_name, MAX_PROCNAME);
-#else
      const char *task_name;
      int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
      struct kinfo_proc kp;
      const char *task_name;
      int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
      struct kinfo_proc kp;
@@ -98,7 +89,6 @@ static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
          task_name = strerror(errno);
      else
          task_name = kp.kp_proc.p_comm;
          task_name = strerror(errno);
      else
          task_name = kp.kp_proc.p_comm;
-#endif
  
      return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]/%d#%d LF=%d"), task_name, pid,
                                                                         task->entitlementsLoaded, task->entitlements ? (int)CFDictionaryGetCount(task->entitlements) : -1, task->lastFailure);
  
      return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]/%d#%d LF=%d"), task_name, pid,
                                                                         task->entitlementsLoaded, task->entitlements ? (int)CFDictionaryGetCount(task->entitlements) : -1, task->lastFailure);
@@ -117,10 +107,15 @@ SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef allocator)
      SecTaskRef task = init_task_ref(allocator);
      if (task != NULL) {
  
      SecTaskRef task = init_task_ref(allocator);
      if (task != NULL) {
  
-        memset(&task->token, 0, sizeof(task->token));
-        task->entitlementsLoaded = false;
-        task->entitlements = NULL;
-        task->pid_self = getpid();
+        kern_return_t kr = KERN_FAILURE;
+        mach_msg_type_number_t autoken_cnt = TASK_AUDIT_TOKEN_COUNT;
+        kr = task_info(mach_task_self(), TASK_AUDIT_TOKEN, (task_info_t)&task->token, &autoken_cnt);
+        if (kr == KERN_SUCCESS) {
+            task->entitlementsLoaded = false;
+            task->entitlements = NULL;
+        } else {
+            CFReleaseNull(task);
+        }
      }
  
      return task;
      }
  
      return task;
@@ -134,12 +129,26 @@ SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t t
          memcpy(&task->token, &token, sizeof(token));
          task->entitlementsLoaded = false;
          task->entitlements = NULL;
          memcpy(&task->token, &token, sizeof(token));
          task->entitlementsLoaded = false;
          task->entitlements = NULL;
-        task->pid_self = -1;
      }
      
      return task;
  }
  
      }
      
      return task;
  }
  
+_Nullable SecTaskRef
+SecTaskCreateWithXPCMessage(xpc_object_t _Nonnull message)
+{
+    audit_token_t token;
+
+    if (message == NULL || xpc_get_type(message) != XPC_TYPE_DICTIONARY) {
+        return NULL;
+    }
+    xpc_dictionary_get_audit_token(message, &token);
+
+    return SecTaskCreateWithAuditToken(NULL, token);
+}
+
+
+
  struct csheader {
          uint32_t magic;
          uint32_t length;
  struct csheader {
          uint32_t magic;
          uint32_t length;
@@ -149,19 +158,17 @@ static int
  csops_task(SecTaskRef task, int ops, void *blob, size_t size)
  {
         int rc;
  csops_task(SecTaskRef task, int ops, void *blob, size_t size)
  {
         int rc;
-    if (task->pid_self==-1) {
-        pid_t pid;
-        audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
-        rc = csops_audittoken(pid, ops, blob, size, &task->token);
-    }
-    else
-        rc = csops(task->pid_self, ops, blob, size);
+    
+    pid_t pid;
+    audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
+    rc = csops_audittoken(pid, ops, blob, size, &task->token);
+
         task->lastFailure = (rc == -1) ? errno : 0;
         return rc;
  }
  
         task->lastFailure = (rc == -1) ? errno : 0;
         return rc;
  }
  
-CFStringRef
-SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
+static CFStringRef
+SecTaskCopyIdentifier(SecTaskRef task, int op, CFErrorRef *error)
  {
          CFStringRef signingId = NULL;
          char *data = NULL;
  {
          CFStringRef signingId = NULL;
          char *data = NULL;
@@ -169,7 +176,7 @@ SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
          uint32_t bufferlen;
          int ret;
  
          uint32_t bufferlen;
          int ret;
  
-        ret = csops_task(task, CS_OPS_IDENTITY, &header, sizeof(header));
+        ret = csops_task(task, op, &header, sizeof(header));
          if (ret != -1 || errno != ERANGE)
                  return NULL;
  
          if (ret != -1 || errno != ERANGE)
                  return NULL;
  
@@ -184,7 +191,7 @@ SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
                  ret = ENOMEM;
                  goto out;
          }
                  ret = ENOMEM;
                  goto out;
          }
-        ret = csops_task(task, CS_OPS_IDENTITY, data, bufferlen);
+        ret = csops_task(task, op, data, bufferlen);
          if (ret) {
                  ret = errno;
                  goto out;
          if (ret) {
                  ret = errno;
                  goto out;
@@ -202,6 +209,18 @@ SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
          return signingId;
  }
  
          return signingId;
  }
  
+CFStringRef
+SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
+{
+    return SecTaskCopyIdentifier(task, CS_OPS_IDENTITY, error);
+}
+
+CFStringRef
+SecTaskCopyTeamIdentifier(SecTaskRef task, CFErrorRef *error)
+{
+    return SecTaskCopyIdentifier(task, CS_OPS_TEAMID, error);
+}
+
  uint32_t
  SecTaskGetCodeSignStatus(SecTaskRef task)
  {
  uint32_t
  SecTaskGetCodeSignStatus(SecTaskRef task)
  {
@@ -219,43 +238,44 @@ static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
      uint32_t bufferlen;
      int ret;
  
      uint32_t bufferlen;
      int ret;
  
-    
      ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
      /* Any other combination means no entitlements */
      ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
      /* Any other combination means no entitlements */
-       if (ret == -1) {
-               if (errno != ERANGE) {
+    if (ret == -1) {
+        if (errno != ERANGE) {
              int entitlementErrno = errno;
  
              int entitlementErrno = errno;
  
-                       uint32_t cs_flags = -1;
+            uint32_t cs_flags = -1;
              if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
                  syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
              }
  
              if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
                  syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
              }
  
-                       if (cs_flags != 0) {    // was signed
-                   syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, task->pid_self=%d", entitlementErrno, cs_flags, task->pid_self);   // to ease diagnostics
-
-                               CFStringRef description = SecTaskCopyDebugDescription(task);
-                               char *descriptionBuf = NULL;
-                               CFIndex descriptionSize = CFStringGetLength(description) * 4;
-                               descriptionBuf = (char *)malloc(descriptionSize);
-                               if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
-                                       descriptionBuf[0] = 0;
-                               }
-
-                               syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
-                               CFRelease(description);
-                               free(descriptionBuf);
-                       }
-                       task->lastFailure = entitlementErrno;   // was overwritten by csops_task(CS_OPS_STATUS) above
-
-                       // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
-                       if (entitlementErrno == EINVAL) {
-                               task->entitlementsLoaded = true;
-                               return true;
-                       }
-                       ret = entitlementErrno; // what really went wrong
-                       goto out;               // bail out
-               }
+            if (cs_flags != 0) {       // was signed
+                pid_t pid;
+                audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
+                syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, pid=%d", entitlementErrno, cs_flags, pid);    // to ease diagnostics
+
+                CFStringRef description = SecTaskCopyDebugDescription(task);
+                char *descriptionBuf = NULL;
+                CFIndex descriptionSize = CFStringGetLength(description) * 4;
+                descriptionBuf = (char *)malloc(descriptionSize);
+                if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
+                    descriptionBuf[0] = 0;
+                }
+
+                syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
+                CFReleaseNull(description);
+                free(descriptionBuf);
+            }
+            task->lastFailure = entitlementErrno;      // was overwritten by csops_task(CS_OPS_STATUS) above
+
+            // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
+            if (entitlementErrno == EINVAL) {
+                task->entitlementsLoaded = true;
+                return true;
+            }
+            ret = entitlementErrno;    // what really went wrong
+            goto out;          // bail out
+        }
          bufferlen = ntohl(header.length);
          /* check for insane values */
          if (bufferlen > 1024 * 1024 || bufferlen < 8) {
          bufferlen = ntohl(header.length);
          /* check for insane values */
          if (bufferlen > 1024 * 1024 || bufferlen < 8) {
@@ -275,20 +295,26 @@ static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
  
          CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer+8, bufferlen-8, kCFAllocatorNull);
          entitlements = (CFMutableDictionaryRef) CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListMutableContainers, NULL, error);
  
          CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer+8, bufferlen-8, kCFAllocatorNull);
          entitlements = (CFMutableDictionaryRef) CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListMutableContainers, NULL, error);
-        CFRelease(data);
+        CFReleaseNull(data);
  
  
-        if((entitlements==NULL) || (CFGetTypeID(entitlements)!=CFDictionaryGetTypeID())){
+        if ((entitlements==NULL) || (CFGetTypeID(entitlements)!=CFDictionaryGetTypeID())){
              ret = EDOM;        // don't use EINVAL here; it conflates problems with syscall error returns
              goto out;
          }
              ret = EDOM;        // don't use EINVAL here; it conflates problems with syscall error returns
              goto out;
          }
+
+        bool entitlementsModified = updateCatalystEntitlements(entitlements);
+        if (entitlementsModified) {
+            pid_t pid;
+            audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
+            secinfo("SecTask", "Fixed catalyst entitlements for process %d", pid);
+        }
      }
  
      task->entitlements = entitlements ? CFRetain(entitlements) : NULL;
      task->entitlementsLoaded = true;
  
  out:
      }
  
      task->entitlements = entitlements ? CFRetain(entitlements) : NULL;
      task->entitlementsLoaded = true;
  
  out:
-    if(entitlements)
-        CFRelease(entitlements);
+    CFReleaseNull(entitlements);
      if(buffer)
          free(buffer);
      if (ret && error && *error==NULL)
      if(buffer)
          free(buffer);
      if (ret && error && *error==NULL)
@@ -349,3 +375,48 @@ CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef ent
  out:
      return values;
  }
  out:
      return values;
  }
+
+#if SEC_OS_OSX
+/*
+ * Determine if the given task meets a specified requirement.
+ */
+OSStatus
+SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement)
+{
+    OSStatus status;
+    SecCodeRef code = NULL;
+    SecRequirementRef req = NULL;
+
+    CFMutableDictionaryRef codeDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+    CFDataRef auditData = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)&task->token, sizeof(audit_token_t));
+    CFDictionarySetValue(codeDict, kSecGuestAttributeAudit, auditData);
+    status = SecCodeCopyGuestWithAttributes(NULL, codeDict, kSecCSDefaultFlags, &code);
+    CFReleaseNull(codeDict);
+    CFReleaseNull(auditData);
+
+    if (!status) {
+        status = SecRequirementCreateWithString(requirement,
+                                                kSecCSDefaultFlags, &req);
+    }
+    if (!status) {
+        status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
+    }
+
+    CFReleaseNull(req);
+    CFReleaseNull(code);
+
+    return status;
+}
+#endif /* SEC_OS_OSX */
+
+Boolean SecTaskEntitlementsValidated(SecTaskRef task) {
+    // TODO: Cache the result
+    uint32_t csflags = 0;
+    const uint32_t mask = CS_VALID | CS_KILL | CS_ENTITLEMENTS_VALIDATED;
+       const uint32_t debug_mask = CS_DEBUGGED | CS_ENTITLEMENTS_VALIDATED;
+    int rc = csops_task(task, CS_OPS_STATUS, &csflags, sizeof(csflags));
+       // Allow debugged processes that were valid to continue being treated as valid
+       // We need this all the time (not just on internal) because third parties may need to debug their entitled process in xcode
+    return (rc != -1) && ((mask & csflags) == mask || (debug_mask & csflags) == debug_mask);
+}
+