]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/kern_authorization.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-792.17.14.tar.gz
[apple/xnu.git] / bsd / kern / kern_authorization.c
CommitLineData
91447636 1/*
5d5c5d0d
A		 2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
3 *
8f6c56a5 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
91447636 5 *
8f6c56a5
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
8ad349bb 24 * limitations under the License.
8f6c56a5
A		 25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
91447636
A		 27 */
28
29/*
30 * Centralized authorisation framework.
31 */
32
33#include <sys/appleapiopts.h>
34#include <sys/param.h> /* XXX trim includes */
35#include <sys/acct.h>
36#include <sys/systm.h>
37#include <sys/ucred.h>
38#include <sys/proc_internal.h>
39#include <sys/timeb.h>
40#include <sys/times.h>
41#include <sys/malloc.h>
42#include <sys/vnode_internal.h>
43#include <sys/kauth.h>
44#include <sys/stat.h>
45
46#include <bsm/audit_kernel.h>
47
48#include <sys/mount.h>
49#include <sys/sysproto.h>
50#include <mach/message.h>
51#include <mach/host_security.h>
52
53#include <kern/locks.h>
54
55
56/*
57 * Authorization scopes.
58 */
59
60lck_grp_t *kauth_lck_grp;
61static lck_mtx_t *kauth_scope_mtx;
62#define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx);
63#define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx);
64
65/*
66 * We support listeners for scopes that have not been registered yet.
67 * If a listener comes in for a scope that is not active we hang the listener
68 * off our kauth_dangling_listeners list and once the scope becomes active we
69 * remove it from kauth_dangling_listeners and add it to the active scope.
70 */
71struct kauth_listener {
72 TAILQ_ENTRY(kauth_listener) kl_link;
73 const char * kl_identifier;
74 kauth_scope_callback_t kl_callback;
75 void * kl_idata;
76};
77
78/* XXX - kauth_todo - there is a race if a scope listener is removed while we
79 * we are in the kauth_authorize_action code path. We intentionally do not take
80 * a scope lock in order to get the best possible performance. we will fix this
81 * post Tiger.
82 * Until the race is fixed our kext clients are responsible for all active
83 * requests that may be in their callback code or on the way to their callback
84 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
85 * We keep copies of these in our kauth_local_listener in an attempt to limit
86 * our expose to unlisten race.
87 */
88struct kauth_local_listener {
89 kauth_listener_t kll_listenerp;
90 kauth_scope_callback_t kll_callback;
91 void * kll_idata;
92};
93typedef struct kauth_local_listener *kauth_local_listener_t;
94
95static TAILQ_HEAD(,kauth_listener) kauth_dangling_listeners;
96
97/*
98 * Scope listeners need to be reworked to be dynamic.
99 * We intentionally used a static table to avoid locking issues with linked
100 * lists. The listeners may be called quite often.
101 * XXX - kauth_todo
102 */
103#define KAUTH_SCOPE_MAX_LISTENERS 15
104
105struct kauth_scope {
106 TAILQ_ENTRY(kauth_scope) ks_link;
107 volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS];
108 const char * ks_identifier;
109 kauth_scope_callback_t ks_callback;
110 void * ks_idata;
111 u_int ks_flags;
112};
113
114/* values for kauth_scope.ks_flags */
115#define KS_F_HAS_LISTENERS (1 << 0)
116
117static TAILQ_HEAD(,kauth_scope) kauth_scopes;
118
119static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
120static void kauth_scope_init(void);
121static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
122static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
123#if 0
124static int kauth_scope_valid(kauth_scope_t scope);
125#endif
126
127kauth_scope_t kauth_scope_process;
128static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
129 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3);
130kauth_scope_t kauth_scope_generic;
131static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
132 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
133kauth_scope_t kauth_scope_fileop;
134
135extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int);
136extern char * get_pathbuff(void);
137extern void release_pathbuff(char *path);
138
139/*
140 * Initialization.
141 */
142void
143kauth_init(void)
144{
145 lck_grp_attr_t *grp_attributes;
146
147 TAILQ_INIT(&kauth_scopes);
148 TAILQ_INIT(&kauth_dangling_listeners);
149
150 /* set up our lock group */
151 grp_attributes = lck_grp_attr_alloc_init();
152 kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes);
153 lck_grp_attr_free(grp_attributes);
154
155 /* bring up kauth subsystem components */
156 kauth_cred_init();
157 kauth_identity_init();
158 kauth_groups_init();
159 kauth_scope_init();
160 kauth_resolver_init();
161
162 /* can't alloc locks after this */
163 lck_grp_free(kauth_lck_grp);
164 kauth_lck_grp = NULL;
165}
166
167static void
168kauth_scope_init(void)
169{
170 kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/);
171 kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL);
172 kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL);
173 kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL);
174}
175
176/*
177 * Scope registration.
178 */
179
180static kauth_scope_t
181kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
182{
183 kauth_scope_t sp;
184
185 /*
186 * Allocate and populate the scope structure.
187 */
188 MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK);
189 if (sp == NULL)
190 return(NULL);
191 bzero(&sp->ks_listeners, sizeof(sp->ks_listeners));
192 sp->ks_flags = 0;
193 sp->ks_identifier = identifier;
194 sp->ks_idata = idata;
195 sp->ks_callback = callback;
196 return(sp);
197}
198
199static kauth_listener_t
200kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata)
201{
202 kauth_listener_t lsp;
203
204 /*
205 * Allocate and populate the listener structure.
206 */
207 MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK);
208 if (lsp == NULL)
209 return(NULL);
210 lsp->kl_identifier = identifier;
211 lsp->kl_idata = idata;
212 lsp->kl_callback = callback;
213 return(lsp);
214}
215
216kauth_scope_t
217kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
218{
219 kauth_scope_t sp, tsp;
220 kauth_listener_t klp;
221
222 if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL)
223 return(NULL);
224
225 /*
226 * Lock the list and insert.
227 */
228 KAUTH_SCOPELOCK();
229 TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
230 /* duplicate! */
231 if (strcmp(tsp->ks_identifier, identifier) == 0) {
232 KAUTH_SCOPEUNLOCK();
233 FREE(sp, M_KAUTH);
234 return(NULL);
235 }
236 }
237 TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link);
238
239 /*
240 * Look for listeners waiting for this scope, move them to the active scope
241 * listener table.
242 * Note that we have to restart the scan every time we remove an entry
243 * from the list, since we can't remove the current item from the list.
244 */
245restart:
246 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
247 if (strcmp(klp->kl_identifier, sp->ks_identifier) == 0) {
248 /* found a match on the dangling listener list. add it to the
249 * the active scope.
250 */
251 if (kauth_add_callback_to_scope(sp, klp) == 0) {
252 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
253 }
254 else {
255#if 0
256 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier);
257#endif
258 break;
259 }
260 goto restart;
261 }
262 }
263
264 KAUTH_SCOPEUNLOCK();
265 return(sp);
266}
267
268
269
270void
271kauth_deregister_scope(kauth_scope_t scope)
272{
273 int i;
274
275 KAUTH_SCOPELOCK();
276
277 TAILQ_REMOVE(&kauth_scopes, scope, ks_link);
278
279 /* relocate listeners back to the waiting list */
280 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
281 if (scope->ks_listeners[i].kll_listenerp != NULL) {
282 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link);
283 scope->ks_listeners[i].kll_listenerp = NULL;
284 /*
285 * XXX - kauth_todo - WARNING, do not clear kll_callback or
286 * kll_idata here. they are part of our scope unlisten race hack
287 */
288 }
289 }
290 KAUTH_SCOPEUNLOCK();
291 FREE(scope, M_KAUTH);
292
293 return;
294}
295
296kauth_listener_t
297kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
298{
299 kauth_listener_t klp;
300 kauth_scope_t sp;
301
302 if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL)
303 return(NULL);
304
305 /*
306 * Lock the scope list and check to see whether this scope already exists.
307 */
308 KAUTH_SCOPELOCK();
309 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
310 if (strcmp(sp->ks_identifier, identifier) == 0) {
311 /* scope exists, add it to scope listener table */
312 if (kauth_add_callback_to_scope(sp, klp) == 0) {
313 KAUTH_SCOPEUNLOCK();
314 return(klp);
315 }
316 /* table already full */
317 KAUTH_SCOPEUNLOCK();
318 FREE(klp, M_KAUTH);
319 return(NULL);
320 }
321 }
322
323 /* scope doesn't exist, put on waiting list. */
324 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link);
325
326 KAUTH_SCOPEUNLOCK();
327
328 return(klp);
329}
330
331void
332kauth_unlisten_scope(kauth_listener_t listener)
333{
334 kauth_scope_t sp;
335 kauth_listener_t klp;
336 int i, listener_count, do_free;
337
338 KAUTH_SCOPELOCK();
339
340 /* search the active scope for this listener */
341 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
342 do_free = 0;
343 if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) {
344 listener_count = 0;
345 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
346 if (sp->ks_listeners[i].kll_listenerp == listener) {
347 sp->ks_listeners[i].kll_listenerp = NULL;
348 do_free = 1;
349 /*
350 * XXX - kauth_todo - WARNING, do not clear kll_callback or
351 * kll_idata here. they are part of our scope unlisten race hack
352 */
353 }
354 else if (sp->ks_listeners[i].kll_listenerp != NULL) {
355 listener_count++;
356 }
357 }
358 if (do_free) {
359 if (listener_count == 0) {
360 sp->ks_flags &= ~KS_F_HAS_LISTENERS;
361 }
362 KAUTH_SCOPEUNLOCK();
363 FREE(listener, M_KAUTH);
364 return;
365 }
366 }
367 }
368
369 /* if not active, check the dangling list */
370 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
371 if (klp == listener) {
372 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
373 KAUTH_SCOPEUNLOCK();
374 FREE(listener, M_KAUTH);
375 return;
376 }
377 }
378
379 KAUTH_SCOPEUNLOCK();
380 return;
381}
382
383/*
384 * Authorization requests.
385 */
386int
387kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
388 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
389{
390 int result, ret, i;
391
392 /* ask the scope */
393 if (scope->ks_callback != NULL)
394 result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3);
395 else
396 result = KAUTH_RESULT_DEFER;
397
398 /* check with listeners */
399 if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) {
400 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
401 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
402 * Until the race is fixed our kext clients are responsible for all active requests that may
403 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
404 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
405 * unlisten race.
406 */
407 if (scope->ks_listeners[i].kll_listenerp == NULL ||
408 scope->ks_listeners[i].kll_callback == NULL)
409 continue;
410
411 ret = scope->ks_listeners[i].kll_callback(
412 credential, scope->ks_listeners[i].kll_idata,
413 action, arg0, arg1, arg2, arg3);
414 if ((ret == KAUTH_RESULT_DENY) ||
415 (result == KAUTH_RESULT_DEFER))
416 result = ret;
417 }
418 }
419
420 /* we need an explicit allow, or the auth fails */
421 /* XXX need a mechanism for auth failure to be signalled vs. denial */
422 return(result == KAUTH_RESULT_ALLOW ? 0 : EPERM);
423}
424
425/*
426 * Default authorization handlers.
427 */
428int
429kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action,
430 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
431{
432
433 return(KAUTH_RESULT_ALLOW);
434}
435
436#if 0
437/*
438 * Debugging support.
439 */
440static int
441kauth_scope_valid(kauth_scope_t scope)
442{
443 kauth_scope_t sp;
444
445 KAUTH_SCOPELOCK();
446 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
447 if (sp == scope)
448 break;
449 }
450 KAUTH_SCOPEUNLOCK();
451 return((sp == NULL) ? 0 : 1);
452}
453#endif
454
455/*
456 * Process authorization scope.
457 */
458
459int
460kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
461{
462 return(kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3));
463}
464
465static int
466kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
467 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
468{
469 switch(action) {
470 case KAUTH_PROCESS_CANSIGNAL:
471 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
472 /* XXX credential wrong here */
473 /* arg0 - process to signal
474 * arg1 - signal to send the process
475 */
476 if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1))
477 return(KAUTH_RESULT_ALLOW);
478 break;
479 case KAUTH_PROCESS_CANTRACE:
480 /* current_proc() - process that will do the tracing
481 * arg0 - process to be traced
482 * arg1 - pointer to int - reason (errno) for denial
483 */
484 if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1))
485 return(KAUTH_RESULT_ALLOW);
486 break;
487 }
488
489 /* no explicit result, so defer to others in the chain */
490 return(KAUTH_RESULT_DEFER);
491}
492
493/*
494 * File system operation authorization scope. This is really only a notification
495 * of the file system operation, not an authorization check. Thus the result is
496 * not relevant.
497 * arguments passed to KAUTH_FILEOP_OPEN listeners
498 * arg0 is pointer to vnode (vnode *) for given user path.
499 * arg1 is pointer to path (char *) passed in to open.
500 * arguments passed to KAUTH_FILEOP_CLOSE listeners
501 * arg0 is pointer to vnode (vnode *) for file to be closed.
502 * arg1 is pointer to path (char *) of file to be closed.
503 * arg2 is close flags.
504 * arguments passed to KAUTH_FILEOP_RENAME listeners
505 * arg0 is pointer to "from" path (char *).
506 * arg1 is pointer to "to" path (char *).
507 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
508 * arg0 is pointer to file 1 path (char *).
509 * arg1 is pointer to file 2 path (char *).
510 * arguments passed to KAUTH_FILEOP_EXEC listeners
511 * arg0 is pointer to vnode (vnode *) for executable.
512 * arg1 is pointer to path (char *) to executable.
513 */
514
515int
516kauth_authorize_fileop_has_listeners(void)
517{
518 /*
519 * return 1 if we have any listeners for the fileop scope
520 * otherwize return 0
521 */
522 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) {
523 return(1);
524 }
525 return (0);
526}
527
528int
529kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1)
530{
531 char *namep = NULL;
532 int name_len;
533 uintptr_t arg2 = 0;
534
535 /* we do not have a primary handler for the fileop scope so bail out if
536 * there are no listeners.
537 */
538 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
539 return(0);
540 }
541
542 if (action == KAUTH_FILEOP_OPEN || action == KAUTH_FILEOP_CLOSE || action == KAUTH_FILEOP_EXEC) {
543 /* get path to the given vnode as a convenience to our listeners.
544 */
545 namep = get_pathbuff();
546 name_len = MAXPATHLEN;
547 if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
548 release_pathbuff(namep);
549 return(0);
550 }
551 if (action == KAUTH_FILEOP_CLOSE) {
552 arg2 = arg1; /* close has some flags that come in via arg1 */
553 }
554 arg1 = (uintptr_t)namep;
555 }
556 kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0);
557
558 if (namep != NULL) {
559 release_pathbuff(namep);
560 }
561
562 return(0);
563}
564
565/*
566 * Generic authorization scope.
567 */
568
569int
570kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action)
571{
572 if (credential == NULL)
573 panic("auth against NULL credential");
574
575 return(kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0));
576
577}
578
579static int
580kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
581 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
582{
583 switch(action) {
584 case KAUTH_GENERIC_ISSUSER:
585 /* XXX == 0 ? */
586 return((kauth_cred_getuid(credential) == 0) ?
587 KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY);
588 break;
589 }
590
591 /* no explicit result, so defer to others in the chain */
592 return(KAUTH_RESULT_DEFER);
593}
594
595/*
596 * ACL evaluator.
597 *
598 * Determines whether the credential has the requested rights for an object secured by the supplied
599 * ACL.
600 *
601 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
602 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
603 */
604int
605kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
606{
607 int applies, error, i;
608 kauth_ace_t ace;
609 guid_t guid;
610 uint32_t rights;
611 int wkguid;
612
613 /* always allowed to do nothing */
614 if (eval->ae_requested == 0) {
615 eval->ae_result = KAUTH_RESULT_ALLOW;
616 return(0);
617 }
618
619 eval->ae_residual = eval->ae_requested;
620
621 /*
622 * Get our guid for comparison purposes.
623 */
624 if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
625 eval->ae_result = KAUTH_RESULT_DENY;
626 KAUTH_DEBUG(" ACL - can't get credential GUID (%d), ACL denied", error);
627 return(error);
628 }
629
630 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
631 for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) {
632
633 /*
634 * Skip inherit-only entries.
635 */
636 if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT)
637 continue;
638
639 /*
640 * Expand generic rights, if appropriate.
641 */
642 rights = ace->ace_rights;
643 if (rights & KAUTH_ACE_GENERIC_ALL)
644 rights |= eval->ae_exp_gall;
645 if (rights & KAUTH_ACE_GENERIC_READ)
646 rights |= eval->ae_exp_gread;
647 if (rights & KAUTH_ACE_GENERIC_WRITE)
648 rights |= eval->ae_exp_gwrite;
649 if (rights & KAUTH_ACE_GENERIC_EXECUTE)
650 rights |= eval->ae_exp_gexec;
651
652 /*
653 * Determine whether this entry applies to the current request. This
654 * saves us checking the GUID if the entry has nothing to do with what
655 * we're currently doing.
656 */
657 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
658 case KAUTH_ACE_PERMIT:
659 if (!(eval->ae_residual & rights))
660 continue;
661 break;
662 case KAUTH_ACE_DENY:
663 if (!(eval->ae_requested & rights))
664 continue;
665 break;
666 default:
667 /* we don't recognise this ACE, skip it */
668 continue;
669 }
670
671 /*
672 * Verify whether this entry applies to the credential.
673 */
674 wkguid = kauth_wellknown_guid(&ace->ace_applicable);
675 switch(wkguid) {
676 case KAUTH_WKG_OWNER:
677 applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
678 break;
679 case KAUTH_WKG_GROUP:
680 applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
681 break;
682 /* we short-circuit these here rather than wasting time calling the group membership code */
683 case KAUTH_WKG_EVERYBODY:
684 applies = 1;
685 break;
686 case KAUTH_WKG_NOBODY:
687 applies = 0;
688 break;
689
690 default:
691 /* check to see whether it's exactly us, or a group we are a member of */
692 applies = kauth_guid_equal(&guid, &ace->ace_applicable);
693 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
694 K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
695
696 if (!applies) {
697 error = kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
698 /*
699 * If we can't resolve group membership, we have to limit misbehaviour.
700 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
701 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
702 * is a member (avoid failing to deny).
703 */
704 if (error != 0) {
705 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i);
706 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
707 case KAUTH_ACE_PERMIT:
708 applies = 0;
709 break;
710 case KAUTH_ACE_DENY:
711 applies = 1;
712 break;
713 }
714 } else {
715 KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not");
716 }
717 } else {
718 KAUTH_DEBUG(" ACL - entry matches caller");
719 }
720 }
721 if (!applies)
722 continue;
723
724 /*
725 * Apply ACE to outstanding rights.
726 */
727 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
728 case KAUTH_ACE_PERMIT:
729 /* satisfy any rights that this ACE grants */
730 eval->ae_residual = eval->ae_residual & ~rights;
731 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual);
732 /* all rights satisfied? */
733 if (eval->ae_residual == 0) {
734 eval->ae_result = KAUTH_RESULT_ALLOW;
735 return(0);
736 }
737 break;
738 case KAUTH_ACE_DENY:
739 /* deny the request if any of the requested rights is denied */
740 if (eval->ae_requested & rights) {
741 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights);
742 eval->ae_result = KAUTH_RESULT_DENY;
743 return(0);
744 }
745 break;
746 default:
747 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK);
748 break;
749 }
750 }
751 /* if not permitted, defer to other modes of authorisation */
752 eval->ae_result = KAUTH_RESULT_DEFER;
753 return(0);
754}
755
756/*
757 * Perform ACL inheritance and umask-ACL handling.
758 *
759 * Entries are inherited from the ACL on dvp. A caller-supplied
760 * ACL is in initial, and the result is output into product.
761 * If the process has a umask ACL and one is not supplied, we use
762 * the umask ACL.
763 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
764 */
765int
766kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx)
767{
768 int entries, error, index;
769 unsigned int i;
770 struct vnode_attr dva;
771 kauth_acl_t inherit, result;
772
773 /*
774 * Fetch the ACL from the directory. This should never fail. Note that we don't
775 * manage inheritance when the remote server is doing authorization; we just
776 * want to compose the umask-ACL and any initial ACL.
777 */
778 inherit = NULL;
779 if ((dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
780 VATTR_INIT(&dva);
781 VATTR_WANTED(&dva, va_acl);
782 if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
783 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
784 return(error);
785 }
786 if (VATTR_IS_SUPPORTED(&dva, va_acl))
787 inherit = dva.va_acl;
788 }
789
790 /*
791 * Compute the number of entries in the result ACL by scanning the input lists.
792 */
793 entries = 0;
794 if (inherit != NULL) {
795 for (i = 0; i < inherit->acl_entrycount; i++) {
796 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT))
797 entries++;
798 }
799 }
800
801 if (initial == NULL) {
802 /* XXX 3634665 TODO: fetch umask ACL from the process, set in initial */
803 }
804
805 if (initial != NULL) {
806 entries += initial->acl_entrycount;
807 }
808
809 /*
810 * If there is no initial ACL, and no inheritable entries, the
811 * object should have no ACL at all.
812 * Note that this differs from the case where the initial ACL
813 * is empty, in which case the object must also have an empty ACL.
814 */
815 if ((entries == 0) && (initial == NULL)) {
816 *product = NULL;
817 error = 0;
818 goto out;
819 }
820
821 /*
822 * Allocate the result buffer.
823 */
824 if ((result = kauth_acl_alloc(entries)) == NULL) {
825 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL");
826 error = ENOMEM;
827 goto out;
828 }
829
830 /*
831 * Composition is simply:
832 * - initial
833 * - inherited
834 */
835 index = 0;
836 if (initial != NULL) {
837 for (i = 0; i < initial->acl_entrycount; i++)
838 result->acl_ace[index++] = initial->acl_ace[i];
839 KAUTH_DEBUG(" INHERIT - applied %d initial entries", index);
840 }
841 if (inherit != NULL) {
842 for (i = 0; i < inherit->acl_entrycount; i++) {
843 /* inherit onto this object? */
844 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
845 result->acl_ace[index] = inherit->acl_ace[i];
846 result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
847 /* don't re-inherit? */
848 if (result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT)
849 result->acl_ace[index].ace_flags &=
850 ~(KAUTH_ACE_DIRECTORY_INHERIT | KAUTH_ACE_FILE_INHERIT | KAUTH_ACE_LIMIT_INHERIT);
851 index++;
852 }
853 }
854 }
855 result->acl_entrycount = index;
856 *product = result;
857 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index);
858 error = 0;
859out:
860 if (inherit != NULL)
861 kauth_acl_free(inherit);
862 return(error);
863}
864
865/*
866 * Optimistically copy in a kauth_filesec structure
867 * Parameters: xsecurity user space kauth_filesec_t
8f6c56a5 868 * xsecdstpp pointer to kauth_filesec_t
5d5c5d0d 869 *
8f6c56a5
A		 870 * Returns: 0 on success, EINVAL or EFAULT depending on failure mode.
871 * Modifies: xsecdestpp, which contains a pointer to an allocated
872 * and copied-in kauth_filesec_t
91447636 873 */
8f6c56a5 874
91447636
A		 875int
876kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
877{
878 user_addr_t uaddr, known_bound;
879 int error;
880 kauth_filesec_t fsec;
881 u_int32_t count;
882 size_t copysize;
883
884 error = 0;
885 fsec = NULL;
886
887 /*
888 * Make a guess at the size of the filesec. We start with the base
889 * pointer, and look at how much room is left on the page, clipped
890 * to a sensible upper bound. If it turns out this isn't enough,
891 * we'll size based on the actual ACL contents and come back again.
892 *
893 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
894 * value here is fairly arbitrary. It's ok to have a zero count.
895 */
896 known_bound = xsecurity + sizeof(struct kauth_filesec);
897 uaddr = mach_vm_round_page(known_bound);
898 count = (uaddr - known_bound) / sizeof(struct kauth_ace);
899 if (count > 32)
900 count = 32;
901restart:
902 if ((fsec = kauth_filesec_alloc(count)) == NULL) {
903 error = ENOMEM;
904 goto out;
905 }
906 copysize = KAUTH_FILESEC_SIZE(count);
907 if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0)
908 goto out;
909
910 /* validate the filesec header */
911 if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) {
912 error = EINVAL;
913 goto out;
914 }
915
916 /*
917 * Is there an ACL payload, and is it too big?
918 */
919 if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
920 (fsec->fsec_entrycount > count)) {
921 if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
922 error = EINVAL;
923 goto out;
924 }
925 count = fsec->fsec_entrycount;
926 kauth_filesec_free(fsec);
927 goto restart;
928 }
929
930out:
931 if (error) {
932 if (fsec)
933 kauth_filesec_free(fsec);
934 } else {
935 *xsecdestpp = fsec;
936 }
937 return(error);
938}
939
940/*
8f6c56a5 941 * Allocate a filesec structure.
91447636
A		 942 */
943kauth_filesec_t
944kauth_filesec_alloc(int count)
945{
946 kauth_filesec_t fsp;
947
948 /* if the caller hasn't given us a valid size hint, assume the worst */
949 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
950 return(NULL);
951
952 MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK);
953 if (fsp != NULL) {
954 fsp->fsec_magic = KAUTH_FILESEC_MAGIC;
955 fsp->fsec_owner = kauth_null_guid;
956 fsp->fsec_group = kauth_null_guid;
957 fsp->fsec_entrycount = KAUTH_FILESEC_NOACL;
958 fsp->fsec_flags = 0;
959 }
960 return(fsp);
961}
962
963void
964kauth_filesec_free(kauth_filesec_t fsp)
965{
966#ifdef KAUTH_DEBUG_ENABLE
967 if (fsp == KAUTH_FILESEC_NONE)
968 panic("freeing KAUTH_FILESEC_NONE");
969 if (fsp == KAUTH_FILESEC_WANTED)
970 panic("freeing KAUTH_FILESEC_WANTED");
971#endif
972 FREE(fsp, M_KAUTH);
973}
974
975
976/*
977 * Allocate an ACL buffer.
978 */
979kauth_acl_t
980kauth_acl_alloc(int count)
981{
982 kauth_acl_t aclp;
983
984 /* if the caller hasn't given us a valid size hint, assume the worst */
985 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
986 return(NULL);
987
988 MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK);
989 if (aclp != NULL) {
990 aclp->acl_entrycount = 0;
991 aclp->acl_flags = 0;
992 }
993 return(aclp);
994}
995
996void
997kauth_acl_free(kauth_acl_t aclp)
998{
999 FREE(aclp, M_KAUTH);
1000}
1001
1002
1003/*
1004 * WARNING - caller must hold KAUTH_SCOPELOCK
1005 */
1006static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp)
1007{
1008 int i;
1009
1010 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
1011 if (sp->ks_listeners[i].kll_listenerp == NULL) {
1012 sp->ks_listeners[i].kll_callback = klp->kl_callback;
1013 sp->ks_listeners[i].kll_idata = klp->kl_idata;
1014 sp->ks_listeners[i].kll_listenerp = klp;
1015 sp->ks_flags |= KS_F_HAS_LISTENERS;
1016 return(0);
1017 }
1018 }
1019 return(ENOSPC);
1020}
mirror of XNU