]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/kern_authorization.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-3789.1.32.tar.gz
[apple/xnu.git] / bsd / kern / kern_authorization.c
CommitLineData
91447636 1/*
39037602 2 * Copyright (c) 2004-2016 Apple Inc. All rights reserved.
5d5c5d0d 3 *
2d21ac55 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
91447636 5 *
2d21ac55
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
8f6c56a5 14 *
2d21ac55
A		 15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5
A		 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55
A		 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
8f6c56a5 25 *
2d21ac55 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
91447636
A		 27 */
28
29/*
30 * Centralized authorisation framework.
31 */
32
33#include <sys/appleapiopts.h>
34#include <sys/param.h> /* XXX trim includes */
35#include <sys/acct.h>
36#include <sys/systm.h>
37#include <sys/ucred.h>
38#include <sys/proc_internal.h>
39#include <sys/timeb.h>
40#include <sys/times.h>
41#include <sys/malloc.h>
42#include <sys/vnode_internal.h>
43#include <sys/kauth.h>
44#include <sys/stat.h>
45
b0d623f7 46#include <security/audit/audit.h>
91447636
A		 47
48#include <sys/mount.h>
49#include <sys/sysproto.h>
50#include <mach/message.h>
51#include <mach/host_security.h>
52
53#include <kern/locks.h>
54
55
56/*
57 * Authorization scopes.
58 */
59
60lck_grp_t *kauth_lck_grp;
61static lck_mtx_t *kauth_scope_mtx;
62#define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx);
63#define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx);
64
65/*
66 * We support listeners for scopes that have not been registered yet.
67 * If a listener comes in for a scope that is not active we hang the listener
68 * off our kauth_dangling_listeners list and once the scope becomes active we
69 * remove it from kauth_dangling_listeners and add it to the active scope.
70 */
71struct kauth_listener {
72 TAILQ_ENTRY(kauth_listener) kl_link;
73 const char * kl_identifier;
74 kauth_scope_callback_t kl_callback;
75 void * kl_idata;
76};
77
78/* XXX - kauth_todo - there is a race if a scope listener is removed while we
79 * we are in the kauth_authorize_action code path. We intentionally do not take
80 * a scope lock in order to get the best possible performance. we will fix this
81 * post Tiger.
82 * Until the race is fixed our kext clients are responsible for all active
83 * requests that may be in their callback code or on the way to their callback
84 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
85 * We keep copies of these in our kauth_local_listener in an attempt to limit
86 * our expose to unlisten race.
87 */
88struct kauth_local_listener {
89 kauth_listener_t kll_listenerp;
90 kauth_scope_callback_t kll_callback;
91 void * kll_idata;
92};
93typedef struct kauth_local_listener *kauth_local_listener_t;
94
95static TAILQ_HEAD(,kauth_listener) kauth_dangling_listeners;
96
97/*
98 * Scope listeners need to be reworked to be dynamic.
99 * We intentionally used a static table to avoid locking issues with linked
100 * lists. The listeners may be called quite often.
101 * XXX - kauth_todo
102 */
103#define KAUTH_SCOPE_MAX_LISTENERS 15
104
105struct kauth_scope {
106 TAILQ_ENTRY(kauth_scope) ks_link;
107 volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS];
108 const char * ks_identifier;
109 kauth_scope_callback_t ks_callback;
110 void * ks_idata;
111 u_int ks_flags;
112};
113
114/* values for kauth_scope.ks_flags */
115#define KS_F_HAS_LISTENERS (1 << 0)
116
117static TAILQ_HEAD(,kauth_scope) kauth_scopes;
118
119static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
39236c6e 120static void kauth_scope_init(void);
91447636
A		 121static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
122static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
123#if 0
124static int kauth_scope_valid(kauth_scope_t scope);
125#endif
126
127kauth_scope_t kauth_scope_process;
128static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
129 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3);
130kauth_scope_t kauth_scope_generic;
131static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
132 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
133kauth_scope_t kauth_scope_fileop;
134
2d21ac55 135extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int, int);
91447636
A		 136extern char * get_pathbuff(void);
137extern void release_pathbuff(char *path);
138
139/*
140 * Initialization.
141 */
142void
143kauth_init(void)
144{
145 lck_grp_attr_t *grp_attributes;
146
147 TAILQ_INIT(&kauth_scopes);
148 TAILQ_INIT(&kauth_dangling_listeners);
149
150 /* set up our lock group */
151 grp_attributes = lck_grp_attr_alloc_init();
152 kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes);
153 lck_grp_attr_free(grp_attributes);
154
155 /* bring up kauth subsystem components */
156 kauth_cred_init();
316670eb 157#if CONFIG_EXT_RESOLVER
91447636
A		 158 kauth_identity_init();
159 kauth_groups_init();
316670eb 160#endif
91447636 161 kauth_scope_init();
316670eb 162#if CONFIG_EXT_RESOLVER
91447636 163 kauth_resolver_init();
316670eb 164#endif
91447636
A		 165 /* can't alloc locks after this */
166 lck_grp_free(kauth_lck_grp);
167 kauth_lck_grp = NULL;
168}
169
170static void
171kauth_scope_init(void)
172{
173 kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/);
174 kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL);
175 kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL);
176 kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL);
177}
178
179/*
180 * Scope registration.
181 */
182
183static kauth_scope_t
184kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
185{
186 kauth_scope_t sp;
187
188 /*
189 * Allocate and populate the scope structure.
190 */
6d2010ae 191 MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO);
91447636
A		 192 if (sp == NULL)
193 return(NULL);
91447636
A		 194 sp->ks_flags = 0;
195 sp->ks_identifier = identifier;
196 sp->ks_idata = idata;
197 sp->ks_callback = callback;
198 return(sp);
199}
200
201static kauth_listener_t
202kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata)
203{
204 kauth_listener_t lsp;
205
206 /*
207 * Allocate and populate the listener structure.
208 */
209 MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK);
210 if (lsp == NULL)
211 return(NULL);
212 lsp->kl_identifier = identifier;
213 lsp->kl_idata = idata;
214 lsp->kl_callback = callback;
215 return(lsp);
216}
217
218kauth_scope_t
219kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
220{
221 kauth_scope_t sp, tsp;
222 kauth_listener_t klp;
223
224 if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL)
225 return(NULL);
226
227 /*
228 * Lock the list and insert.
229 */
230 KAUTH_SCOPELOCK();
231 TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
232 /* duplicate! */
2d21ac55
A		 233 if (strncmp(tsp->ks_identifier, identifier,
234 strlen(tsp->ks_identifier) + 1) == 0) {
91447636
A		 235 KAUTH_SCOPEUNLOCK();
236 FREE(sp, M_KAUTH);
237 return(NULL);
238 }
239 }
240 TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link);
241
242 /*
243 * Look for listeners waiting for this scope, move them to the active scope
244 * listener table.
245 * Note that we have to restart the scan every time we remove an entry
246 * from the list, since we can't remove the current item from the list.
247 */
248restart:
249 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
2d21ac55
A		 250 if (strncmp(klp->kl_identifier, sp->ks_identifier,
251 strlen(klp->kl_identifier) + 1) == 0) {
91447636
A		 252 /* found a match on the dangling listener list. add it to the
253 * the active scope.
254 */
255 if (kauth_add_callback_to_scope(sp, klp) == 0) {
256 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
257 }
258 else {
259#if 0
260 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier);
261#endif
262 break;
263 }
264 goto restart;
265 }
266 }
267
268 KAUTH_SCOPEUNLOCK();
269 return(sp);
270}
271
272
273
274void
275kauth_deregister_scope(kauth_scope_t scope)
276{
277 int i;
278
279 KAUTH_SCOPELOCK();
280
281 TAILQ_REMOVE(&kauth_scopes, scope, ks_link);
282
283 /* relocate listeners back to the waiting list */
284 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
285 if (scope->ks_listeners[i].kll_listenerp != NULL) {
286 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link);
287 scope->ks_listeners[i].kll_listenerp = NULL;
288 /*
289 * XXX - kauth_todo - WARNING, do not clear kll_callback or
290 * kll_idata here. they are part of our scope unlisten race hack
291 */
292 }
293 }
294 KAUTH_SCOPEUNLOCK();
295 FREE(scope, M_KAUTH);
296
297 return;
298}
299
300kauth_listener_t
301kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
302{
303 kauth_listener_t klp;
304 kauth_scope_t sp;
305
306 if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL)
307 return(NULL);
308
309 /*
310 * Lock the scope list and check to see whether this scope already exists.
311 */
312 KAUTH_SCOPELOCK();
313 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
2d21ac55
A		 314 if (strncmp(sp->ks_identifier, identifier,
315 strlen(sp->ks_identifier) + 1) == 0) {
91447636
A		 316 /* scope exists, add it to scope listener table */
317 if (kauth_add_callback_to_scope(sp, klp) == 0) {
318 KAUTH_SCOPEUNLOCK();
319 return(klp);
320 }
321 /* table already full */
322 KAUTH_SCOPEUNLOCK();
323 FREE(klp, M_KAUTH);
324 return(NULL);
325 }
326 }
327
328 /* scope doesn't exist, put on waiting list. */
329 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link);
330
331 KAUTH_SCOPEUNLOCK();
332
333 return(klp);
334}
335
336void
337kauth_unlisten_scope(kauth_listener_t listener)
338{
339 kauth_scope_t sp;
340 kauth_listener_t klp;
341 int i, listener_count, do_free;
342
343 KAUTH_SCOPELOCK();
344
345 /* search the active scope for this listener */
346 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
347 do_free = 0;
348 if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) {
349 listener_count = 0;
350 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
351 if (sp->ks_listeners[i].kll_listenerp == listener) {
352 sp->ks_listeners[i].kll_listenerp = NULL;
353 do_free = 1;
354 /*
355 * XXX - kauth_todo - WARNING, do not clear kll_callback or
356 * kll_idata here. they are part of our scope unlisten race hack
357 */
358 }
359 else if (sp->ks_listeners[i].kll_listenerp != NULL) {
360 listener_count++;
361 }
362 }
363 if (do_free) {
364 if (listener_count == 0) {
365 sp->ks_flags &= ~KS_F_HAS_LISTENERS;
366 }
367 KAUTH_SCOPEUNLOCK();
368 FREE(listener, M_KAUTH);
369 return;
370 }
371 }
372 }
373
374 /* if not active, check the dangling list */
375 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
376 if (klp == listener) {
377 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
378 KAUTH_SCOPEUNLOCK();
379 FREE(listener, M_KAUTH);
380 return;
381 }
382 }
383
384 KAUTH_SCOPEUNLOCK();
385 return;
386}
387
388/*
389 * Authorization requests.
2d21ac55
A		 390 *
391 * Returns: 0 Success
392 * EPERM Operation not permitted
393 *
394 * Imputed: *arg3, modified Callback return - depends on callback
395 * modification of *arg3, if any
91447636
A		 396 */
397int
398kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
399 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
400{
401 int result, ret, i;
402
403 /* ask the scope */
404 if (scope->ks_callback != NULL)
405 result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3);
406 else
407 result = KAUTH_RESULT_DEFER;
408
409 /* check with listeners */
410 if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) {
411 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
412 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
413 * Until the race is fixed our kext clients are responsible for all active requests that may
414 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
415 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
416 * unlisten race.
417 */
418 if (scope->ks_listeners[i].kll_listenerp == NULL ||
419 scope->ks_listeners[i].kll_callback == NULL)
420 continue;
421
422 ret = scope->ks_listeners[i].kll_callback(
423 credential, scope->ks_listeners[i].kll_idata,
424 action, arg0, arg1, arg2, arg3);
425 if ((ret == KAUTH_RESULT_DENY) ||
426 (result == KAUTH_RESULT_DEFER))
427 result = ret;
428 }
429 }
430
431 /* we need an explicit allow, or the auth fails */
432 /* XXX need a mechanism for auth failure to be signalled vs. denial */
433 return(result == KAUTH_RESULT_ALLOW ? 0 : EPERM);
434}
435
436/*
437 * Default authorization handlers.
438 */
439int
440kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action,
441 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
442{
443
444 return(KAUTH_RESULT_ALLOW);
445}
446
447#if 0
448/*
449 * Debugging support.
450 */
451static int
452kauth_scope_valid(kauth_scope_t scope)
453{
454 kauth_scope_t sp;
455
456 KAUTH_SCOPELOCK();
457 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
458 if (sp == scope)
459 break;
460 }
461 KAUTH_SCOPEUNLOCK();
462 return((sp == NULL) ? 0 : 1);
463}
464#endif
465
466/*
467 * Process authorization scope.
468 */
469
470int
471kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
472{
473 return(kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3));
474}
475
476static int
477kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
478 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
479{
480 switch(action) {
481 case KAUTH_PROCESS_CANSIGNAL:
482 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
483 /* XXX credential wrong here */
484 /* arg0 - process to signal
485 * arg1 - signal to send the process
486 */
2d21ac55 487 if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1, 0))
91447636
A		 488 return(KAUTH_RESULT_ALLOW);
489 break;
490 case KAUTH_PROCESS_CANTRACE:
491 /* current_proc() - process that will do the tracing
492 * arg0 - process to be traced
493 * arg1 - pointer to int - reason (errno) for denial
494 */
495 if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1))
496 return(KAUTH_RESULT_ALLOW);
497 break;
498 }
499
500 /* no explicit result, so defer to others in the chain */
501 return(KAUTH_RESULT_DEFER);
502}
503
504/*
505 * File system operation authorization scope. This is really only a notification
506 * of the file system operation, not an authorization check. Thus the result is
507 * not relevant.
508 * arguments passed to KAUTH_FILEOP_OPEN listeners
509 * arg0 is pointer to vnode (vnode *) for given user path.
510 * arg1 is pointer to path (char *) passed in to open.
511 * arguments passed to KAUTH_FILEOP_CLOSE listeners
512 * arg0 is pointer to vnode (vnode *) for file to be closed.
513 * arg1 is pointer to path (char *) of file to be closed.
514 * arg2 is close flags.
515 * arguments passed to KAUTH_FILEOP_RENAME listeners
516 * arg0 is pointer to "from" path (char *).
517 * arg1 is pointer to "to" path (char *).
518 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
519 * arg0 is pointer to file 1 path (char *).
520 * arg1 is pointer to file 2 path (char *).
521 * arguments passed to KAUTH_FILEOP_EXEC listeners
522 * arg0 is pointer to vnode (vnode *) for executable.
523 * arg1 is pointer to path (char *) to executable.
524 */
525
526int
527kauth_authorize_fileop_has_listeners(void)
528{
529 /*
530 * return 1 if we have any listeners for the fileop scope
531 * otherwize return 0
532 */
533 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) {
534 return(1);
535 }
536 return (0);
537}
538
539int
540kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1)
541{
542 char *namep = NULL;
543 int name_len;
544 uintptr_t arg2 = 0;
545
546 /* we do not have a primary handler for the fileop scope so bail out if
547 * there are no listeners.
548 */
549 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
550 return(0);
551 }
552
553 if (action == KAUTH_FILEOP_OPEN || action == KAUTH_FILEOP_CLOSE || action == KAUTH_FILEOP_EXEC) {
554 /* get path to the given vnode as a convenience to our listeners.
555 */
556 namep = get_pathbuff();
557 name_len = MAXPATHLEN;
558 if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
559 release_pathbuff(namep);
560 return(0);
561 }
562 if (action == KAUTH_FILEOP_CLOSE) {
563 arg2 = arg1; /* close has some flags that come in via arg1 */
564 }
565 arg1 = (uintptr_t)namep;
566 }
567 kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0);
568
569 if (namep != NULL) {
570 release_pathbuff(namep);
571 }
572
573 return(0);
574}
575
576/*
577 * Generic authorization scope.
578 */
579
580int
581kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action)
582{
583 if (credential == NULL)
584 panic("auth against NULL credential");
585
586 return(kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0));
587
588}
589
590static int
591kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
592 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
593{
594 switch(action) {
595 case KAUTH_GENERIC_ISSUSER:
596 /* XXX == 0 ? */
597 return((kauth_cred_getuid(credential) == 0) ?
598 KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY);
91447636
A		 599 }
600
601 /* no explicit result, so defer to others in the chain */
602 return(KAUTH_RESULT_DEFER);
603}
604
605/*
606 * ACL evaluator.
607 *
608 * Determines whether the credential has the requested rights for an object secured by the supplied
609 * ACL.
610 *
611 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
612 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
613 */
614int
615kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
616{
6d2010ae 617 int applies, error, i, gotguid;
91447636
A		 618 kauth_ace_t ace;
619 guid_t guid;
620 uint32_t rights;
621 int wkguid;
622
623 /* always allowed to do nothing */
624 if (eval->ae_requested == 0) {
625 eval->ae_result = KAUTH_RESULT_ALLOW;
626 return(0);
627 }
628
629 eval->ae_residual = eval->ae_requested;
2d21ac55 630 eval->ae_found_deny = FALSE;
91447636
A		 631
632 /*
633 * Get our guid for comparison purposes.
634 */
635 if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
6d2010ae
A		 636 KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error);
637 error = 0;
638 gotguid = 0;
639 } else {
640 gotguid = 1;
91447636
A		 641 }
642
643 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
644 for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) {
645
646 /*
647 * Skip inherit-only entries.
648 */
649 if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT)
650 continue;
651
652 /*
653 * Expand generic rights, if appropriate.
654 */
655 rights = ace->ace_rights;
656 if (rights & KAUTH_ACE_GENERIC_ALL)
657 rights |= eval->ae_exp_gall;
658 if (rights & KAUTH_ACE_GENERIC_READ)
659 rights |= eval->ae_exp_gread;
660 if (rights & KAUTH_ACE_GENERIC_WRITE)
661 rights |= eval->ae_exp_gwrite;
662 if (rights & KAUTH_ACE_GENERIC_EXECUTE)
663 rights |= eval->ae_exp_gexec;
664
665 /*
666 * Determine whether this entry applies to the current request. This
667 * saves us checking the GUID if the entry has nothing to do with what
668 * we're currently doing.
669 */
670 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
671 case KAUTH_ACE_PERMIT:
672 if (!(eval->ae_residual & rights))
673 continue;
674 break;
675 case KAUTH_ACE_DENY:
676 if (!(eval->ae_requested & rights))
677 continue;
2d21ac55 678 eval->ae_found_deny = TRUE;
91447636
A		 679 break;
680 default:
681 /* we don't recognise this ACE, skip it */
682 continue;
683 }
6d2010ae 684
91447636
A		 685 /*
686 * Verify whether this entry applies to the credential.
687 */
688 wkguid = kauth_wellknown_guid(&ace->ace_applicable);
689 switch(wkguid) {
690 case KAUTH_WKG_OWNER:
691 applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
692 break;
693 case KAUTH_WKG_GROUP:
6d2010ae
A		 694 if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN))
695 applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY);
696 else
697 applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
91447636
A		 698 break;
699 /* we short-circuit these here rather than wasting time calling the group membership code */
700 case KAUTH_WKG_EVERYBODY:
701 applies = 1;
702 break;
703 case KAUTH_WKG_NOBODY:
704 applies = 0;
705 break;
706
707 default:
708 /* check to see whether it's exactly us, or a group we are a member of */
6d2010ae 709 applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable);
91447636
A		 710 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
711 K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
712
713 if (!applies) {
6d2010ae 714 error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
91447636
A		 715 /*
716 * If we can't resolve group membership, we have to limit misbehaviour.
717 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
718 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
719 * is a member (avoid failing to deny).
720 */
721 if (error != 0) {
722 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i);
723 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
724 case KAUTH_ACE_PERMIT:
725 applies = 0;
726 break;
727 case KAUTH_ACE_DENY:
728 applies = 1;
729 break;
730 }
731 } else {
732 KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not");
733 }
734 } else {
735 KAUTH_DEBUG(" ACL - entry matches caller");
736 }
737 }
738 if (!applies)
739 continue;
740
741 /*
742 * Apply ACE to outstanding rights.
743 */
744 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
745 case KAUTH_ACE_PERMIT:
746 /* satisfy any rights that this ACE grants */
747 eval->ae_residual = eval->ae_residual & ~rights;
748 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual);
749 /* all rights satisfied? */
750 if (eval->ae_residual == 0) {
751 eval->ae_result = KAUTH_RESULT_ALLOW;
752 return(0);
753 }
754 break;
755 case KAUTH_ACE_DENY:
756 /* deny the request if any of the requested rights is denied */
757 if (eval->ae_requested & rights) {
758 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights);
759 eval->ae_result = KAUTH_RESULT_DENY;
760 return(0);
761 }
762 break;
763 default:
764 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK);
765 break;
766 }
767 }
768 /* if not permitted, defer to other modes of authorisation */
769 eval->ae_result = KAUTH_RESULT_DEFER;
770 return(0);
771}
772
773/*
774 * Perform ACL inheritance and umask-ACL handling.
775 *
776 * Entries are inherited from the ACL on dvp. A caller-supplied
777 * ACL is in initial, and the result is output into product.
778 * If the process has a umask ACL and one is not supplied, we use
779 * the umask ACL.
780 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
781 */
782int
783kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx)
784{
785 int entries, error, index;
786 unsigned int i;
787 struct vnode_attr dva;
788 kauth_acl_t inherit, result;
789
790 /*
2d21ac55
A		 791 * Fetch the ACL from the directory. This should never fail.
792 * Note that we don't manage inheritance when the remote server is
793 * doing authorization, since this means server enforcement of
794 * inheritance semantics; we just want to compose the initial
795 * ACL and any inherited ACE entries from the container object.
796 *
797 * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process.
91447636
A		 798 */
799 inherit = NULL;
6d2010ae
A		 800 /*
801 * If there is no initial ACL, or there is, and the initial ACLs
802 * flags do not request "no inheritance", then we inherit. This allows
803 * initial object creation via open_extended() and mkdir_extended()
804 * to reject inheritance for themselves and for inferior nodes by
805 * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT
806 * flag set in the flags field.
807 */
808 if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) &&
809 (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
91447636
A		 810 VATTR_INIT(&dva);
811 VATTR_WANTED(&dva, va_acl);
812 if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
813 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
814 return(error);
815 }
39037602 816 if (VATTR_IS_SUPPORTED(&dva, va_acl))
91447636
A		 817 inherit = dva.va_acl;
818 }
819
820 /*
2d21ac55
A		 821 * Compute the number of entries in the result ACL by scanning the
822 * input lists.
91447636
A		 823 */
824 entries = 0;
825 if (inherit != NULL) {
826 for (i = 0; i < inherit->acl_entrycount; i++) {
827 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT))
828 entries++;
829 }
830 }
831
832 if (initial == NULL) {
2d21ac55
A		 833 /*
834 * XXX 3634665 TODO: if the initial ACL is not specfied by
835 * XXX the caller, fetch the umask ACL from the process,
836 * and use it in place of "initial".
837 */
91447636
A		 838 }
839
840 if (initial != NULL) {
2d21ac55
A		 841 if (initial->acl_entrycount != KAUTH_FILESEC_NOACL)
842 entries += initial->acl_entrycount;
843 else
844 initial = NULL;
91447636
A		 845 }
846
847 /*
848 * If there is no initial ACL, and no inheritable entries, the
2d21ac55 849 * object should be created with no ACL at all.
91447636
A		 850 * Note that this differs from the case where the initial ACL
851 * is empty, in which case the object must also have an empty ACL.
852 */
853 if ((entries == 0) && (initial == NULL)) {
854 *product = NULL;
855 error = 0;
856 goto out;
857 }
858
859 /*
860 * Allocate the result buffer.
861 */
862 if ((result = kauth_acl_alloc(entries)) == NULL) {
2d21ac55 863 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries);
91447636
A		 864 error = ENOMEM;
865 goto out;
866 }
867
868 /*
869 * Composition is simply:
6d2010ae
A		 870 * - initial direct ACEs
871 * - inherited ACEs from new parent
91447636
A		 872 */
873 index = 0;
874 if (initial != NULL) {
6d2010ae
A		 875 for (i = 0; i < initial->acl_entrycount; i++) {
876 if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) {
877 result->acl_ace[index++] = initial->acl_ace[i];
878 }
879 }
880 KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount);
91447636
A		 881 }
882 if (inherit != NULL) {
883 for (i = 0; i < inherit->acl_entrycount; i++) {
2d21ac55
A		 884 /*
885 * Inherit onto this object? We inherit only if
886 * the target object is a container object and the
887 * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if
888 * if the target object is not a container, and
889 * the KAUTH_ACE_FILE_INHERIT bit is set.
890 */
91447636
A		 891 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
892 result->acl_ace[index] = inherit->acl_ace[i];
893 result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
b0d623f7 894 result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT;
2d21ac55
A		 895 /*
896 * We do not re-inherit inheritance flags
897 * if the ACE from the container has a
898 * KAUTH_ACE_LIMIT_INHERIT, OR if the new
899 * object is not itself a container (since
900 * inheritance is always container-based).
901 */
902 if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) {
91447636 903 result->acl_ace[index].ace_flags &=
2d21ac55
A		 904 ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS);
905 }
91447636
A		 906 index++;
907 }
908 }
909 }
910 result->acl_entrycount = index;
911 *product = result;
912 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index);
913 error = 0;
914out:
915 if (inherit != NULL)
916 kauth_acl_free(inherit);
917 return(error);
918}
919
920/*
921 * Optimistically copy in a kauth_filesec structure
0c530ab8 922 *
91447636 923 * Parameters: xsecurity user space kauth_filesec_t
0c530ab8
A		 924 * xsecdstpp pointer to kauth_filesec_t to be
925 * modified to contain the contain a
926 * pointer to an allocated copy of the
927 * user space argument
928 *
929 * Returns: 0 Success
930 * ENOMEM Insufficient memory for the copy.
931 * EINVAL The user space data was invalid, or
932 * there were too many ACE entries.
933 * EFAULT The user space address was invalid;
934 * this may mean 'fsec_entrycount' in
935 * the user copy is corrupt/incorrect.
936 *
937 * Implicit returns: xsecdestpp, modified (only if successful!)
938 *
939 * Notes: The returned kauth_filesec_t is in host byte order
940 *
941 * The caller is responsible for freeing the returned
942 * kauth_filesec_t in the success case using the function
943 * kauth_filesec_free()
4452a7af 944 *
0c530ab8
A		 945 * Our largest initial guess is 32; this needs to move to
946 * a manifest constant in <sys/kauth.h>.
91447636 947 */
91447636
A		 948int
949kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
950{
951 user_addr_t uaddr, known_bound;
952 int error;
953 kauth_filesec_t fsec;
954 u_int32_t count;
955 size_t copysize;
956
957 error = 0;
958 fsec = NULL;
959
960 /*
961 * Make a guess at the size of the filesec. We start with the base
962 * pointer, and look at how much room is left on the page, clipped
963 * to a sensible upper bound. If it turns out this isn't enough,
964 * we'll size based on the actual ACL contents and come back again.
965 *
966 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
967 * value here is fairly arbitrary. It's ok to have a zero count.
968 */
b0d623f7 969 known_bound = xsecurity + KAUTH_FILESEC_SIZE(0);
91447636
A		 970 uaddr = mach_vm_round_page(known_bound);
971 count = (uaddr - known_bound) / sizeof(struct kauth_ace);
972 if (count > 32)
973 count = 32;
974restart:
975 if ((fsec = kauth_filesec_alloc(count)) == NULL) {
976 error = ENOMEM;
977 goto out;
978 }
979 copysize = KAUTH_FILESEC_SIZE(count);
980 if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0)
981 goto out;
982
983 /* validate the filesec header */
984 if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) {
985 error = EINVAL;
986 goto out;
987 }
988
989 /*
990 * Is there an ACL payload, and is it too big?
991 */
992 if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
993 (fsec->fsec_entrycount > count)) {
994 if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
0c530ab8 995 /* XXX This should be E2BIG */
91447636
A		 996 error = EINVAL;
997 goto out;
998 }
999 count = fsec->fsec_entrycount;
1000 kauth_filesec_free(fsec);
1001 goto restart;
1002 }
1003
1004out:
1005 if (error) {
1006 if (fsec)
1007 kauth_filesec_free(fsec);
1008 } else {
1009 *xsecdestpp = fsec;
b0d623f7 1010 AUDIT_ARG(opaque, fsec, copysize);
91447636
A		 1011 }
1012 return(error);
1013}
1014
1015/*
0c530ab8
A		 1016 * Allocate a block of memory containing a filesec structure, immediately
1017 * followed by 'count' kauth_ace structures.
1018 *
1019 * Parameters: count Number of kauth_ace structures needed
1020 *
1021 * Returns: !NULL A pointer to the allocated block
1022 * NULL Invalid 'count' or insufficient memory
1023 *
1024 * Notes: Returned memory area assumes that the structures are packed
1025 * densely, so this function may only be used by code that also
1026 * assumes no padding following structures.
1027 *
1028 * The returned structure must be freed by the caller using the
1029 * function kauth_filesec_free(), in case we decide to use an
1030 * allocation mechanism that is aware of the object size at some
1031 * point, since the object size is only available by introspecting
1032 * the object itself.
91447636
A		 1033 */
1034kauth_filesec_t
1035kauth_filesec_alloc(int count)
1036{
1037 kauth_filesec_t fsp;
1038
1039 /* if the caller hasn't given us a valid size hint, assume the worst */
1040 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
1041 return(NULL);
1042
1043 MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK);
1044 if (fsp != NULL) {
1045 fsp->fsec_magic = KAUTH_FILESEC_MAGIC;
1046 fsp->fsec_owner = kauth_null_guid;
1047 fsp->fsec_group = kauth_null_guid;
1048 fsp->fsec_entrycount = KAUTH_FILESEC_NOACL;
1049 fsp->fsec_flags = 0;
1050 }
1051 return(fsp);
1052}
1053
0c530ab8
A		 1054/*
1055 * Free a kauth_filesec_t that was previous allocated, either by a direct
1056 * call to kauth_filesec_alloc() or by calling a function that calls it.
1057 *
1058 * Parameters: fsp kauth_filesec_t to free
1059 *
1060 * Returns: (void)
1061 *
1062 * Notes: The kauth_filesec_t to be freed is assumed to be in host
1063 * byte order so that this function can introspect it in the
1064 * future to determine its size, if necesssary.
1065 */
91447636
A		 1066void
1067kauth_filesec_free(kauth_filesec_t fsp)
1068{
1069#ifdef KAUTH_DEBUG_ENABLE
1070 if (fsp == KAUTH_FILESEC_NONE)
1071 panic("freeing KAUTH_FILESEC_NONE");
1072 if (fsp == KAUTH_FILESEC_WANTED)
1073 panic("freeing KAUTH_FILESEC_WANTED");
1074#endif
1075 FREE(fsp, M_KAUTH);
1076}
1077
0c530ab8
A		 1078/*
1079 * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the
1080 * ACL interior to 'fsec' instead. If the endianness doesn't change, then
1081 * this function will have no effect.
1082 *
1083 * Parameters: kendian The endianness to set; this is either
1084 * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK.
1085 * fsec The filesec to convert.
1086 * acl The ACL to convert (optional)
1087 *
1088 * Returns: (void)
1089 *
1090 * Notes: We use ntohl() because it has a transitive property on Intel
1091 * machines and no effect on PPC mancines. This guarantees us
1092 * that the swapping only occurs if the endiannes is wrong.
1093 */
1094void
1095kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl)
1096{
1097 uint32_t compare_magic = KAUTH_FILESEC_MAGIC;
1098 uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC);
1099 uint32_t compare_acl_entrycount;
1100 uint32_t i;
1101
1102 if (compare_magic == invert_magic)
1103 return;
1104
1105 /* If no ACL, use ACL interior to 'fsec' instead */
1106 if (acl == NULL)
1107 acl = &fsec->fsec_acl;
1108
1109 compare_acl_entrycount = acl->acl_entrycount;
1110
1111 /*
1112 * Only convert what needs to be converted, and only if the arguments
1113 * are valid. The following switch and tests effectively reject
1114 * conversions on invalid magic numbers as a desirable side effect.
1115 */
1116 switch(kendian) {
1117 case KAUTH_ENDIAN_HOST: /* not in host, convert to host */
1118 if (fsec->fsec_magic != invert_magic)
1119 return;
1120 /* acl_entrycount is byteswapped */
1121 compare_acl_entrycount = ntohl(acl->acl_entrycount);
1122 break;
1123 case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */
1124 if (fsec->fsec_magic != compare_magic)
1125 return;
1126 break;
1127 default: /* bad argument */
1128 return;
1129 }
1130
1131 /* We are go for conversion */
1132 fsec->fsec_magic = ntohl(fsec->fsec_magic);
1133 acl->acl_entrycount = ntohl(acl->acl_entrycount);
1134 if (compare_acl_entrycount != KAUTH_FILESEC_NOACL) {
1135 acl->acl_flags = ntohl(acl->acl_flags);
1136
1137 /* swap ACE rights and flags */
1138 for (i = 0; i < compare_acl_entrycount; i++) {
1139 acl->acl_ace[i].ace_flags = ntohl(acl->acl_ace[i].ace_flags);
1140 acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights);
1141 }
1142 }
1143 }
1144
91447636
A		 1145
1146/*
1147 * Allocate an ACL buffer.
1148 */
1149kauth_acl_t
1150kauth_acl_alloc(int count)
1151{
1152 kauth_acl_t aclp;
1153
1154 /* if the caller hasn't given us a valid size hint, assume the worst */
1155 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
1156 return(NULL);
1157
1158 MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK);
1159 if (aclp != NULL) {
1160 aclp->acl_entrycount = 0;
1161 aclp->acl_flags = 0;
1162 }
1163 return(aclp);
1164}
1165
1166void
1167kauth_acl_free(kauth_acl_t aclp)
1168{
1169 FREE(aclp, M_KAUTH);
1170}
1171
1172
1173/*
1174 * WARNING - caller must hold KAUTH_SCOPELOCK
1175 */
1176static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp)
1177{
1178 int i;
1179
1180 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
1181 if (sp->ks_listeners[i].kll_listenerp == NULL) {
1182 sp->ks_listeners[i].kll_callback = klp->kl_callback;
1183 sp->ks_listeners[i].kll_idata = klp->kl_idata;
1184 sp->ks_listeners[i].kll_listenerp = klp;
1185 sp->ks_flags |= KS_F_HAS_LISTENERS;
1186 return(0);
1187 }
1188 }
1189 return(ENOSPC);
1190}
mirror of XNU