[apple/xnu.git] / osfmk / kern / suid_cred.c

/*
 * Copyright (c) 2019-2020 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

/*
 *
 * An SUID credential is a port type which allows a process to create a new
 * process with a specific user id. It provides an alternative means to acheive
 * this to the more traditional SUID bit file permission.
 *
 * To create a new SUID credential the process must be running as root and must
 * have a special entitlement. When created, the credential is associated with a
 * specific vnode and UID so the unprivileged owner of the credential may only
 * create a new process from the file associated with that vnode and the
 * resulting effective UID will be that of the UID in the credential.
 */

#include <kern/ipc_kobject.h>
#include <kern/queue.h>
#include <kern/suid_cred.h>

#include <mach/mach_types.h>
#include <mach/task.h>

#include <IOKit/IOBSD.h>

/* Declarations necessary to call vnode_lookup()/vnode_put(). */
struct vnode;
struct vfs_context;
extern int vnode_lookup(const char *, int, struct vnode **,
    struct vfs_context *);
extern struct vfs_context * vfs_context_current(void);
extern int vnode_put(struct vnode *);

/* Declarations necessary to call kauth_cred_issuser(). */
struct ucred;
extern int kauth_cred_issuser(struct ucred *);
extern struct ucred *kauth_cred_get(void);

/* Data associated with the suid cred port. Consumed during posix_spawn(). */
struct suid_cred {
	ipc_port_t port;
	struct vnode *vnode;
	uint32_t uid;
};

static ZONE_DECLARE(suid_cred_zone, "suid_cred",
    sizeof(struct suid_cred), ZC_NONE);

/* Allocs a new suid credential. The vnode reference will be owned by the newly
 * created suid_cred_t. */
static suid_cred_t
suid_cred_alloc(struct vnode *vnode, uint32_t uid)
{
	suid_cred_t sc = SUID_CRED_NULL;

	assert(vnode != NULL);

	sc = zalloc(suid_cred_zone);
	if (sc != NULL) {
		// Lazily allocated in convert_suid_cred_to_port().
		sc->port = IP_NULL;
		sc->vnode = vnode;
		sc->uid = uid;
	}

	return sc;
}

static void
suid_cred_free(suid_cred_t sc)
{
	assert(sc != NULL);
	assert(sc->vnode != NULL);

	vnode_put(sc->vnode);

	sc->uid = UINT32_MAX;
	sc->vnode = NULL;
	sc->port = IP_NULL;

	zfree(suid_cred_zone, sc);
}

void
suid_cred_destroy(ipc_port_t port)
{
	suid_cred_t sc = NULL;

	ip_lock(port);
	assert(ip_kotype(port) == IKOT_SUID_CRED);
	sc = (suid_cred_t)port->ip_kobject;
	ipc_kobject_set_atomically(port, IKO_NULL, IKOT_NONE);
	ip_unlock(port);

	assert(sc->port == port);

	suid_cred_free(sc);
}

void
suid_cred_notify(mach_msg_header_t *msg)
{
	assert(msg->msgh_id == MACH_NOTIFY_NO_SENDERS);

	mach_no_senders_notification_t *not = (mach_no_senders_notification_t *)msg;
	ipc_port_t port = not->not_header.msgh_remote_port;

	if (IP_VALID(port)) {
		ipc_port_dealloc_kernel(port);
	}
}

ipc_port_t
convert_suid_cred_to_port(suid_cred_t sc)
{
	if (sc == NULL) {
		return IP_NULL;
	}

	if (!ipc_kobject_make_send_lazy_alloc_port(&sc->port,
	    (ipc_kobject_t) sc, IKOT_SUID_CRED, false, 0)) {
		suid_cred_free(sc);
		return IP_NULL;
	}

	return sc->port;
}

/*
 * Verify the suid cred port. The cached vnode should match the passed vnode.
 * The uid to be used to spawn the new process is returned in 'uid'.
 */
int
suid_cred_verify(ipc_port_t port, struct vnode *vnode, uint32_t *uid)
{
	suid_cred_t sc = NULL;
	int ret = -1;

	if (!IP_VALID(port)) {
		return -1;
	}

	ip_lock(port);

	if (ip_kotype(port) != IKOT_SUID_CRED) {
		ip_unlock(port);
		return -1;
	}

	if (!ip_active(port)) {
		ip_unlock(port);
		return -1;
	}

	sc = (suid_cred_t)port->ip_kobject;

	if (vnode != sc->vnode) {
		ip_unlock(port);
		return -1;
	}

	*uid = sc->uid;
	ret = 0;

	ipc_port_destroy(port);
	return ret;
}

kern_return_t
task_create_suid_cred(
	task_t task,
	suid_cred_path_t path,
	suid_cred_uid_t uid,
	suid_cred_t *sc_p)
{
	suid_cred_t sc = NULL;
	struct vnode *vnode;
	int  err = -1;

	if (task == TASK_NULL || task != current_task()) {
		return KERN_INVALID_ARGUMENT;
	}

	// Task must have entitlement.
	if (!IOTaskHasEntitlement(task, "com.apple.private.suid_cred")) {
		return KERN_NO_ACCESS;
	}

	// Thread must be root owned.
	if (!kauth_cred_issuser(kauth_cred_get())) {
		return KERN_NO_ACCESS;
	}

	// Find the vnode for the path.
	err = vnode_lookup(path, 0, &vnode, vfs_context_current());
	if (err != 0) {
		return KERN_INVALID_ARGUMENT;
	}

	sc = suid_cred_alloc(vnode, uid);
	if (sc == NULL) {
		(void) vnode_put(vnode);
		return KERN_RESOURCE_SHORTAGE;
	}

	*sc_p = sc;

	return KERN_SUCCESS;
}
Commit	Line	Data
ea3f0419	1	/*
f427ee49	2	* Copyright (c) 2019-2020 Apple Inc. All rights reserved.
ea3f0419 A	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	/*
	30	*
	31	* An SUID credential is a port type which allows a process to create a new
	32	* process with a specific user id. It provides an alternative means to acheive
	33	* this to the more traditional SUID bit file permission.
	34	*
	35	* To create a new SUID credential the process must be running as root and must
	36	* have a special entitlement. When created, the credential is associated with a
	37	* specific vnode and UID so the unprivileged owner of the credential may only
	38	* create a new process from the file associated with that vnode and the
	39	* resulting effective UID will be that of the UID in the credential.
	40	*/
	41
	42	#include <kern/ipc_kobject.h>
	43	#include <kern/queue.h>
	44	#include <kern/suid_cred.h>
	45
	46	#include <mach/mach_types.h>
	47	#include <mach/task.h>
	48
	49	#include <IOKit/IOBSD.h>
	50
	51	/* Declarations necessary to call vnode_lookup()/vnode_put(). */
	52	struct vnode;
	53	struct vfs_context;
	54	extern int vnode_lookup(const char , int, struct vnode *,
	55	struct vfs_context *);
	56	extern struct vfs_context * vfs_context_current(void);
	57	extern int vnode_put(struct vnode *);
	58
	59	/* Declarations necessary to call kauth_cred_issuser(). */
	60	struct ucred;
	61	extern int kauth_cred_issuser(struct ucred *);
	62	extern struct ucred *kauth_cred_get(void);
	63
ea3f0419 A	64	/* Data associated with the suid cred port. Consumed during posix_spawn(). */
	65	struct suid_cred {
	66	ipc_port_t port;
	67	struct vnode *vnode;
	68	uint32_t uid;
	69	};
	70
f427ee49 A	71	static ZONE_DECLARE(suid_cred_zone, "suid_cred",
	72	sizeof(struct suid_cred), ZC_NONE);
	73
ea3f0419 A	74	/* Allocs a new suid credential. The vnode reference will be owned by the newly
	75	* created suid_cred_t. */
	76	static suid_cred_t
	77	suid_cred_alloc(struct vnode *vnode, uint32_t uid)
	78	{
	79	suid_cred_t sc = SUID_CRED_NULL;
	80
	81	assert(vnode != NULL);
	82
	83	sc = zalloc(suid_cred_zone);
	84	if (sc != NULL) {
	85	// Lazily allocated in convert_suid_cred_to_port().
	86	sc->port = IP_NULL;
	87	sc->vnode = vnode;
	88	sc->uid = uid;
	89	}
	90
	91	return sc;
	92	}
	93
	94	static void
	95	suid_cred_free(suid_cred_t sc)
	96	{
	97	assert(sc != NULL);
	98	assert(sc->vnode != NULL);
	99
	100	vnode_put(sc->vnode);
	101
	102	sc->uid = UINT32_MAX;
	103	sc->vnode = NULL;
	104	sc->port = IP_NULL;
	105
	106	zfree(suid_cred_zone, sc);
	107	}
	108
	109	void
	110	suid_cred_destroy(ipc_port_t port)
	111	{
	112	suid_cred_t sc = NULL;
	113
	114	ip_lock(port);
	115	assert(ip_kotype(port) == IKOT_SUID_CRED);
	116	sc = (suid_cred_t)port->ip_kobject;
	117	ipc_kobject_set_atomically(port, IKO_NULL, IKOT_NONE);
	118	ip_unlock(port);
	119
	120	assert(sc->port == port);
	121
	122	suid_cred_free(sc);
	123	}
	124
	125	void
	126	suid_cred_notify(mach_msg_header_t *msg)
	127	{
	128	assert(msg->msgh_id == MACH_NOTIFY_NO_SENDERS);
	129
	130	mach_no_senders_notification_t not = (mach_no_senders_notification_t )msg;
	131	ipc_port_t port = not->not_header.msgh_remote_port;
	132
	133	if (IP_VALID(port)) {
	134	ipc_port_dealloc_kernel(port);
	135	}
	136	}
	137
138	ipc_port_t
139	convert_suid_cred_to_port(suid_cred_t sc)
140	{
141	if (sc == NULL) {
142	return IP_NULL;
143	}
144
145	if (!ipc_kobject_make_send_lazy_alloc_port(&sc->port,
f427ee49	146	(ipc_kobject_t) sc, IKOT_SUID_CRED, false, 0)) {
ea3f0419 A	147	suid_cred_free(sc);
	148	return IP_NULL;
	149	}
	150
	151	return sc->port;
	152	}
	153
	154	/*
	155	* Verify the suid cred port. The cached vnode should match the passed vnode.
	156	* The uid to be used to spawn the new process is returned in 'uid'.
	157	*/
	158	int
	159	suid_cred_verify(ipc_port_t port, struct vnode vnode, uint32_t uid)
	160	{
	161	suid_cred_t sc = NULL;
	162	int ret = -1;
	163
	164	if (!IP_VALID(port)) {
	165	return -1;
	166	}
	167
	168	ip_lock(port);
	169
	170	if (ip_kotype(port) != IKOT_SUID_CRED) {
	171	ip_unlock(port);
	172	return -1;
	173	}
	174
	175	if (!ip_active(port)) {
	176	ip_unlock(port);
	177	return -1;
	178	}
	179
	180	sc = (suid_cred_t)port->ip_kobject;
	181
	182	if (vnode != sc->vnode) {
	183	ip_unlock(port);
	184	return -1;
	185	}
	186
	187	*uid = sc->uid;
	188	ret = 0;
	189
	190	ipc_port_destroy(port);
	191	return ret;
	192	}
	193
ea3f0419 A	194	kern_return_t
	195	task_create_suid_cred(
	196	task_t task,
	197	suid_cred_path_t path,
	198	suid_cred_uid_t uid,
	199	suid_cred_t *sc_p)
	200	{
	201	suid_cred_t sc = NULL;
	202	struct vnode *vnode;
	203	int err = -1;
	204
	205	if (task == TASK_NULL \|\| task != current_task()) {
	206	return KERN_INVALID_ARGUMENT;
	207	}
	208
	209	// Task must have entitlement.
	210	if (!IOTaskHasEntitlement(task, "com.apple.private.suid_cred")) {
	211	return KERN_NO_ACCESS;
	212	}
	213
	214	// Thread must be root owned.
	215	if (!kauth_cred_issuser(kauth_cred_get())) {
	216	return KERN_NO_ACCESS;
	217	}
	218
	219	// Find the vnode for the path.
	220	err = vnode_lookup(path, 0, &vnode, vfs_context_current());
	221	if (err != 0) {
	222	return KERN_INVALID_ARGUMENT;
	223	}
	224
	225	sc = suid_cred_alloc(vnode, uid);
	226	if (sc == NULL) {
	227	(void) vnode_put(vnode);
	228	return KERN_RESOURCE_SHORTAGE;
	229	}
	230
	231	*sc_p = sc;
	232
	233	return KERN_SUCCESS;
	234	}