]> git.saurik.com Git - apple/securityd.git/blobdiff - src/server.cpp
projects / apple / securityd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
securityd-55199.3.tar.gz
[apple/securityd.git] / src / server.cpp
diff --git a/src/server.cpp b/src/server.cpp
index f440a7d8fff07b252ceb20bbbb092377c7aaaab5..017767901c18f2537b6d925497b85f605d024c49 100644 (file)
--- a/src/server.cpp
+++ b/src/server.cpp
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2009 Apple Inc. All Rights Reserved.
  * 
  * @APPLE_LICENSE_HEADER_START@
  * 
  * 
  * @APPLE_LICENSE_HEADER_START@
  * 
@@ -36,6 +36,10 @@
 #include "child.h"
 #include <mach/mach_error.h>
 #include <security_utilities/ccaudit.h>
 #include "child.h"
 #include <mach/mach_error.h>
 #include <security_utilities/ccaudit.h>
+#include "pcscmonitor.h"
+
+#include "agentquery.h"
+
 
 using namespace MachPlusPlus;
 
 
 using namespace MachPlusPlus;
 
@@ -51,6 +55,7 @@ Authority::~Authority()
 {
 }
 
 {
 }
 
+
 //
 // Construct the server object
 //
 //
 // Construct the server object
 //
@@ -60,13 +65,12 @@ Server::Server(Authority &authority, CodeSignatures &signatures, const char *boo
     mCSPModule(gGuidAppleCSP, mCssm), mCSP(mCSPModule),
     mAuthority(authority),
        mCodeSignatures(signatures), 
     mCSPModule(gGuidAppleCSP, mCssm), mCSP(mCSPModule),
     mAuthority(authority),
        mCodeSignatures(signatures), 
-       mAudit(geteuid(), getpid())
+       mVerbosity(0),
+       mWaitForClients(true), mShuttingDown(false)
 {
        // make me eternal (in the object mesh)
        ref();
 
 {
        // make me eternal (in the object mesh)
        ref();
 
-       mAudit.registerSession();
-
     // engage the subsidiary port handler for sleep notifications
        add(sleepWatcher);
 }
     // engage the subsidiary port handler for sleep notifications
        add(sleepWatcher);
 }
@@ -87,13 +91,14 @@ Server::~Server()
 // by calling Server::connection() [no argument] until it is released by
 // calling Connection::endWork().
 //
 // by calling Server::connection() [no argument] until it is released by
 // calling Connection::endWork().
 //
-Connection &Server::connection(mach_port_t port)
+Connection &Server::connection(mach_port_t port, audit_token_t &auditToken)
 {
        Server &server = active();
        StLock<Mutex> _(server);
        Connection *conn = server.mConnections.get(port, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE);
 {
        Server &server = active();
        StLock<Mutex> _(server);
        Connection *conn = server.mConnections.get(port, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE);
+       conn->process().checkSession(auditToken);
        active().mCurrentConnection() = conn;
        active().mCurrentConnection() = conn;
-       conn->beginWork();
+       conn->beginWork(auditToken);
        return *conn;
 }
 
        return *conn;
 }
 
@@ -106,11 +111,11 @@ Connection &Server::connection(bool tolerant)
        return *conn;
 }
 
        return *conn;
 }
 
-void Server::requestComplete()
+void Server::requestComplete(CSSM_RETURN &rcode)
 {
        // note: there may not be an active connection if connection setup failed
        if (RefPointer<Connection> &conn = active().mCurrentConnection()) {
 {
        // note: there may not be an active connection if connection setup failed
        if (RefPointer<Connection> &conn = active().mCurrentConnection()) {
-               conn->endWork();
+               conn->endWork(rcode);
                conn = NULL;
        }
        IFDUMPING("state", NodeCore::dumpAll());
                conn = NULL;
        }
        IFDUMPING("state", NodeCore::dumpAll());
@@ -133,7 +138,7 @@ Session &Server::session()
 
 RefPointer<Key> Server::key(KeyHandle key)
 {
 
 RefPointer<Key> Server::key(KeyHandle key)
 {
-       return HandleObject::findRef<Key>(key, CSSMERR_CSP_INVALID_KEY_REFERENCE);
+       return U32HandleObject::findRef<Key>(key, CSSMERR_CSP_INVALID_KEY_REFERENCE);
 }
 
 RefPointer<Database> Server::database(DbHandle db)
 }
 
 RefPointer<Database> Server::database(DbHandle db)
@@ -157,10 +162,11 @@ RefPointer<Database> Server::optionalDatabase(DbHandle db, bool persistent)
 
 //
 // Locate an ACL bearer (database or key) by handle
 
 //
 // Locate an ACL bearer (database or key) by handle
+// The handle might be used across IPC, so we clamp it accordingly
 //
 //
-AclSource &Server::aclBearer(AclKind kind, CSSM_HANDLE handle)
+AclSource &Server::aclBearer(AclKind kind, U32HandleObject::Handle handle)
 {
 {
-       AclSource &bearer = HandleObject::find<AclSource>(handle, CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
+       AclSource &bearer = U32HandleObject::find<AclSource>(handle, CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
        if (kind != bearer.acl().aclKind())
                CssmError::throwMe(CSSMERR_CSSM_INVALID_HANDLE_USAGE);
        return bearer;
        if (kind != bearer.acl().aclKind())
                CssmError::throwMe(CSSMERR_CSSM_INVALID_HANDLE_USAGE);
        return bearer;
@@ -199,36 +205,12 @@ void Server::threadLimitReached(UInt32 limit)
 boolean_t ucsp_server(mach_msg_header_t *, mach_msg_header_t *);
 boolean_t self_server(mach_msg_header_t *, mach_msg_header_t *);
 
 boolean_t ucsp_server(mach_msg_header_t *, mach_msg_header_t *);
 boolean_t self_server(mach_msg_header_t *, mach_msg_header_t *);
 
-#if defined(NDEBUG)
 
 boolean_t Server::handle(mach_msg_header_t *in, mach_msg_header_t *out)
 {
        return ucsp_server(in, out) || self_server(in, out);
 }
 
 
 boolean_t Server::handle(mach_msg_header_t *in, mach_msg_header_t *out)
 {
        return ucsp_server(in, out) || self_server(in, out);
 }
 
-#else //NDEBUG
-
-struct IPCName { const char *name; int ipc; };
-static IPCName ucspNames[] = { subsystem_to_name_map_ucsp }; // generated by MIG
-static IPCName selfNames[] = { subsystem_to_name_map_self }; // generated by MIG
-
-boolean_t Server::handle(mach_msg_header_t *in, mach_msg_header_t *out)
-{
-       const int id = in->msgh_id;
-       const int ucspBase = ucspNames[0].ipc;
-       const int selfBase = selfNames[0].ipc;
-    const char *name =
-               (id >= ucspBase && id < ucspBase + ucsp_MSG_COUNT) ? ucspNames[id - ucspBase].name :
-               (id >= selfBase && id < selfBase + self_MSG_COUNT) ? selfNames[id - selfBase].name :
-               "OUT OF BOUNDS";
-    secdebug("SSreq", "begin %s (%d)", name, in->msgh_id);
-       boolean_t result = ucsp_server(in, out) || self_server(in, out);
-    secdebug("SSreq", "end %s (%d)", name, in->msgh_id);
-    return result;
-}
-
-#endif //NDEBUG
-
 
 //
 // Set up a new Connection. This establishes the environment (process et al) as needed
 
 //
 // Set up a new Connection. This establishes the environment (process et al) as needed
@@ -237,27 +219,29 @@ boolean_t Server::handle(mach_msg_header_t *in, mach_msg_header_t *out)
 // Everything at and below that level is constructed. This is straight-forward except
 // in the case of session re-initialization (see below).
 //
 // Everything at and below that level is constructed. This is straight-forward except
 // in the case of session re-initialization (see below).
 //
-void Server::setupConnection(ConnectLevel type, Port servicePort, Port replyPort, Port taskPort,
-    const audit_token_t &auditToken, const ClientSetupInfo *info, const char *identity)
+void Server::setupConnection(ConnectLevel type, Port replyPort, Port taskPort,
+    const audit_token_t &auditToken, const ClientSetupInfo *info)
 {
 {
+       AuditToken audit(auditToken);
+       
        // first, make or find the process based on task port
        StLock<Mutex> _(*this);
        RefPointer<Process> &proc = mProcesses[taskPort];
        // first, make or find the process based on task port
        StLock<Mutex> _(*this);
        RefPointer<Process> &proc = mProcesses[taskPort];
-       if (type == connectNewSession && proc) {
-               // The client has talked to us before and now wants to create a new session.
-               proc->changeSession(servicePort);
-       }
+       if (proc && proc->session().sessionId() != audit.sessionId())
+               proc->changeSession(audit.sessionId());
        if (proc && type == connectNewProcess) {
                // the client has amnesia - reset it
        if (proc && type == connectNewProcess) {
                // the client has amnesia - reset it
-               assert(info && identity);
-               proc->reset(servicePort, taskPort, info, identity, AuditToken(auditToken));
+               assert(info);
+               proc->reset(taskPort, info, audit);
+               proc->changeSession(audit.sessionId());
        }
        if (!proc) {
                if (type == connectNewThread)   // client error (or attack)
                        CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR);
        }
        if (!proc) {
                if (type == connectNewThread)   // client error (or attack)
                        CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR);
-               assert(info && identity);
-               proc = new Process(servicePort, taskPort, info, identity, AuditToken(auditToken));
+               assert(info);
+               proc = new Process(taskPort, info, audit);
                notifyIfDead(taskPort);
                notifyIfDead(taskPort);
+               mPids[proc->pid()] = proc;
        }
 
        // now, establish a connection and register it in the server
        }
 
        // now, establish a connection and register it in the server
@@ -291,30 +275,41 @@ void Server::endConnection(Port replyPort)
 //
 void Server::notifyDeadName(Port port)
 {
 //
 void Server::notifyDeadName(Port port)
 {
-       StLock<Mutex> _(*this);
+       // We need the lock to get a proper iterator on mConnections or mProcesses,
+       // but must release it before we call abort or kill, as these might take 
+       // unbounded time, including calls out to token daemons etc.
+       
+       StLock<Mutex> serverLock(*this);
        secdebug("SSports", "port %d is dead", port.port());
     
     // is it a connection?
     PortMap<Connection>::iterator conIt = mConnections.find(port);
     if (conIt != mConnections.end()) {
        secdebug("SSports", "port %d is dead", port.port());
     
     // is it a connection?
     PortMap<Connection>::iterator conIt = mConnections.find(port);
     if (conIt != mConnections.end()) {
-               conIt->second->abort();
+               SECURITYD_PORTS_DEAD_CONNECTION(port);
+        RefPointer<Connection> con = conIt->second;
                mConnections.erase(conIt);
                mConnections.erase(conIt);
+        serverLock.unlock();
+               con->abort();        
         return;
     }
     
     // is it a process?
     PortMap<Process>::iterator procIt = mProcesses.find(port);
     if (procIt != mProcesses.end()) {
         return;
     }
     
     // is it a process?
     PortMap<Process>::iterator procIt = mProcesses.find(port);
     if (procIt != mProcesses.end()) {
-               procIt->second->kill();
+               SECURITYD_PORTS_DEAD_PROCESS(port);
+        RefPointer<Process> proc = procIt->second;
+               mPids.erase(proc->pid());
                mProcesses.erase(procIt);
                mProcesses.erase(procIt);
+        serverLock.unlock();
+               // The kill may take some time; make sure there is a spare thread around
+               // to prevent deadlocks
+               StLock<MachServer, &Server::busy, &Server::idle> _(*this);
+               proc->kill();
         return;
     }
     
         return;
     }
     
-    // is it a notification client?
-    if (Listener::remove(port))
-        return;
-    
        // well, what IS IT?!
        // well, what IS IT?!
+       SECURITYD_PORTS_DEAD_ORPHAN(port);
        secdebug("server", "spurious dead port notification for port %d", port.port());
 }
 
        secdebug("server", "spurious dead port notification for port %d", port.port());
 }
 
@@ -325,8 +320,7 @@ void Server::notifyDeadName(Port port)
 //
 void Server::notifyNoSenders(Port port, mach_port_mscount_t)
 {
 //
 void Server::notifyNoSenders(Port port, mach_port_mscount_t)
 {
-       secdebug("SSports", "port %d no senders", port.port());
-       Session::destroy(port);
+       SECURITYD_PORTS_DEAD_SESSION(port);
 }
 
 
 }
 
 
@@ -339,26 +333,39 @@ kern_return_t self_server_handleSignal(mach_port_t sport,
        mach_port_t taskPort, int sig)
 {
     try {
        mach_port_t taskPort, int sig)
 {
     try {
+               SECURITYD_SIGNAL_HANDLED(sig);
         if (taskPort != mach_task_self()) {
             Syslog::error("handleSignal: received from someone other than myself");
         if (taskPort != mach_task_self()) {
             Syslog::error("handleSignal: received from someone other than myself");
-                       secdebug("SS", "unauthorized handleSignal");
-                       return 0;
+                       return KERN_SUCCESS;
                }
                }
-               secdebug("SS", "dispatching indirect signal %d", sig);
                switch (sig) {
                case SIGCHLD:
                        ServerChild::checkChildren();
                        break;
                case SIGINT:
                switch (sig) {
                case SIGCHLD:
                        ServerChild::checkChildren();
                        break;
                case SIGINT:
+                       SECURITYD_SHUTDOWN_NOW();
+                       Syslog::notice("securityd terminated due to SIGINT");
+                       _exit(0);
                case SIGTERM:
                case SIGTERM:
-                       secdebug("SS", "signal %d received: terminating", sig);
-                       Syslog::notice("securityd terminating due to signal %d", sig);
-                       exit(0);
+                       Server::active().beginShutdown();
+                       break;
+               case SIGPIPE:
+                       fprintf(stderr, "securityd ignoring SIGPIPE received");
+                       break;
+
 #if defined(DEBUGDUMP)
                case SIGUSR1:
                        NodeCore::dumpAll();
                        break;
 #endif //DEBUGDUMP
 #if defined(DEBUGDUMP)
                case SIGUSR1:
                        NodeCore::dumpAll();
                        break;
 #endif //DEBUGDUMP
+
+               case SIGUSR2:
+                       {
+                               extern PCSCMonitor *gPCSC;
+                               gPCSC->startSoftTokens();
+                               break;
+                       }
+
                default:
                        assert(false);
         }
                default:
                        assert(false);
         }
@@ -366,7 +373,25 @@ kern_return_t self_server_handleSignal(mach_port_t sport,
                secdebug("SS", "exception handling a signal (ignored)");
        }
     mach_port_deallocate(mach_task_self(), taskPort);
                secdebug("SS", "exception handling a signal (ignored)");
        }
     mach_port_deallocate(mach_task_self(), taskPort);
-    return 0;
+    return KERN_SUCCESS;
+}
+
+
+kern_return_t self_server_handleSession(mach_port_t sport,
+       mach_port_t taskPort, uint32_t event, uint64_t ident)
+{
+    try {
+        if (taskPort != mach_task_self()) {
+            Syslog::error("handleSession: received from someone other than myself");
+                       return KERN_SUCCESS;
+               }
+               if (event == AUE_SESSION_CLOSE)
+                       Session::destroy(ident);
+    } catch(...) {
+               secdebug("SS", "exception handling a signal (ignored)");
+       }
+    mach_port_deallocate(mach_task_self(), taskPort);
+    return KERN_SUCCESS;
 }
 
 
 }
 
 
@@ -375,20 +400,27 @@ kern_return_t self_server_handleSignal(mach_port_t sport,
 //
 void Server::SleepWatcher::systemWillSleep()
 {
 //
 void Server::SleepWatcher::systemWillSleep()
 {
-    secdebug("SS", "sleep notification received");
+       SECURITYD_POWER_SLEEP();
     Session::processSystemSleep();
     Session::processSystemSleep();
-       secdebug("server", "distributing sleep event to %ld clients", mPowerClients.size());
        for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
                (*it)->systemWillSleep();
 }
 
 void Server::SleepWatcher::systemIsWaking()
 {
        for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
                (*it)->systemWillSleep();
 }
 
 void Server::SleepWatcher::systemIsWaking()
 {
-       secdebug("server", "distributing wakeup event to %ld clients", mPowerClients.size());
+       SECURITYD_POWER_WAKE();
        for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
                (*it)->systemIsWaking();
 }
 
        for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
                (*it)->systemIsWaking();
 }
 
+void Server::SleepWatcher::systemWillPowerOn()
+{
+       SECURITYD_POWER_ON();
+       Server::active().longTermActivity();
+       for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
+               (*it)->systemWillPowerOn();
+}
+
 void Server::SleepWatcher::add(PowerWatcher *client)
 {
        assert(mPowerClients.find(client) == mPowerClients.end());
 void Server::SleepWatcher::add(PowerWatcher *client)
 {
        assert(mPowerClients.find(client) == mPowerClients.end());
@@ -402,19 +434,111 @@ void Server::SleepWatcher::remove(PowerWatcher *client)
 }
 
 
 }
 
 
+//
+// Expose the process/pid map to the outside
+//
+Process *Server::findPid(pid_t pid) const
+{
+       PidMap::const_iterator it = mPids.find(pid);
+       return (it == mPids.end()) ? NULL : it->second;
+}
+
+
+//
+// Set delayed shutdown mode
+//
+void Server::waitForClients(bool waiting)
+{
+       mWaitForClients = waiting;
+}
+
+
+//
+// Begin shutdown processing.
+// We relinquish our primary state authority. From now on, we'll be
+// kept alive (only) by our current clients.
+//
+static FILE *reportFile;
+
+void Server::beginShutdown()
+{
+       StLock<Mutex> _(*this);
+       if (!mWaitForClients) {
+               SECURITYD_SHUTDOWN_NOW();
+               _exit(0);
+       } else {
+               if (!mShuttingDown) {
+                       mShuttingDown = true;
+            Session::invalidateAuthHosts();
+                       SECURITYD_SHUTDOWN_BEGIN();
+                       if (verbosity() >= 2) {
+                               reportFile = fopen("/var/log/securityd-shutdown.log", "w");
+                               shutdownSnitch();
+                       }
+               }
+       }
+}
+
+
+//
+// During shutdown, we report residual clients to dtrace, and allow a state dump
+// for debugging.
+// We don't bother locking for the shuttingDown() check; it's a latching boolean
+// and we'll be good enough without a lock.
+//
+void Server::eventDone()
+{
+       if (this->shuttingDown()) {
+               StLock<Mutex> lazy(*this, false);       // lazy lock acquisition
+               if (SECURITYD_SHUTDOWN_COUNT_ENABLED()) {
+                       lazy.lock();
+                       SECURITYD_SHUTDOWN_COUNT(mProcesses.size(), VProc::Transaction::debugCount());
+               }
+               if (verbosity() >= 2) {
+                       lazy.lock();
+                       shutdownSnitch();
+               }
+               IFDUMPING("shutdown", NodeCore::dumpAll());
+       }
+}
+
+
+void Server::shutdownSnitch()
+{
+       time_t now;
+       time(&now);
+       fprintf(reportFile, "%.24s %d residual clients:\n",     ctime(&now), int(mPids.size()));
+       for (PidMap::const_iterator it = mPids.begin(); it != mPids.end(); ++it)
+               if (SecCodeRef clientCode = it->second->processCode()) {
+                       CFRef<CFURLRef> path;
+                       OSStatus rc = SecCodeCopyPath(clientCode, kSecCSDefaultFlags, &path.aref());
+                       if (path)
+                               fprintf(reportFile, " %s (%d)\n", cfString(path).c_str(), it->first);
+                       else
+                               fprintf(reportFile,  "pid=%d (error %d)\n", it->first, int32_t(rc));
+               }
+       fprintf(reportFile, "\n");
+       fflush(reportFile);
+}
+
+
 //
 // Initialize the CSSM/MDS subsystem.
 // This was once done lazily on demand. These days, we are setting up the
 // system MDS here, and CSSM is pretty much always needed, so this is called
 // early during program startup. Do note that the server may not (yet) be running.
 //
 //
 // Initialize the CSSM/MDS subsystem.
 // This was once done lazily on demand. These days, we are setting up the
 // system MDS here, and CSSM is pretty much always needed, so this is called
 // early during program startup. Do note that the server may not (yet) be running.
 //
-void Server::loadCssm()
+void Server::loadCssm(bool mdsIsInstalled)
 {
        if (!mCssm->isActive()) {
                StLock<Mutex> _(*this);
 {
        if (!mCssm->isActive()) {
                StLock<Mutex> _(*this);
+               VProc::Transaction xact;
                if (!mCssm->isActive()) {
                if (!mCssm->isActive()) {
-                       secdebug("SS", "Installing MDS");
-                       MDSClient::mds().install();
+            if (!mdsIsInstalled) {  // non-system securityd instance should not reinitialize MDS
+                secdebug("SS", "Installing MDS");
+                IFDEBUG(if (geteuid() == 0))
+                               MDSClient::mds().install();
+            }
                        secdebug("SS", "CSSM initializing");
                        mCssm->init();
                        mCSP->attach();
                        secdebug("SS", "CSSM initializing");
                        mCssm->init();
                        mCSP->attach();
@@ -422,3 +546,18 @@ void Server::loadCssm()
                }
        }
 }
                }
        }
 }
+
+
+//
+// LongtermActivity/lock combo
+//
+LongtermStLock::LongtermStLock(Mutex &lck)
+       : StLock<Mutex>(lck, false)     // don't take the lock yet
+{
+       if (lck.tryLock()) {    // uncontested
+               this->mActive = true;
+       } else {                                // contested - need backup thread
+               Server::active().longTermActivity();
+               this->lock();
+       }
+}
mirror of securityd