projects / apple / xnu.git / blame
| Commit | Line | Data |
|---|---|---|
| 91447636 | 1 | /* |
| 39037602 | 2 | * Copyright (c) 2004-2016 Apple Inc. All rights reserved. |
| 5d5c5d0d | 3 | * |
| 2d21ac55 | 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
| 0a7de745 | 5 | * |
| 2d21ac55 A |
6 | * This file contains Original Code and/or Modifications of Original Code |
| 7 | * as defined in and that are subject to the Apple Public Source License | |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in | |
| 9 | * compliance with the License. The rights granted to you under the License | |
| 10 | * may not be used to create, or enable the creation or redistribution of, | |
| 11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
| 12 | * circumvent, violate, or enable the circumvention or violation of, any | |
| 13 | * terms of an Apple operating system software license agreement. | |
| 0a7de745 | 14 | * |
| 2d21ac55 A |
15 | * Please obtain a copy of the License at |
| 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
| 0a7de745 | 17 | * |
| 2d21ac55 A |
18 | * The Original Code and all software distributed under the License are |
| 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
| 8f6c56a5 A |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
| 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
| 2d21ac55 A |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
| 23 | * Please see the License for the specific language governing rights and | |
| 24 | * limitations under the License. | |
| 0a7de745 | 25 | * |
| 2d21ac55 | 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
| 91447636 A |
27 | */ |
| 28 | ||
| 29 | /* | |
| 30 | * Centralized authorisation framework. | |
| 31 | */ | |
| 32 | ||
| 33 | #include <sys/appleapiopts.h> | |
| 0a7de745 | 34 | #include <sys/param.h> /* XXX trim includes */ |
| 91447636 A |
35 | #include <sys/acct.h> |
| 36 | #include <sys/systm.h> | |
| 37 | #include <sys/ucred.h> | |
| 38 | #include <sys/proc_internal.h> | |
| 39 | #include <sys/timeb.h> | |
| 40 | #include <sys/times.h> | |
| 41 | #include <sys/malloc.h> | |
| 42 | #include <sys/vnode_internal.h> | |
| 43 | #include <sys/kauth.h> | |
| 44 | #include <sys/stat.h> | |
| 45 | ||
| b0d623f7 | 46 | #include <security/audit/audit.h> |
| 91447636 A |
47 | |
| 48 | #include <sys/mount.h> | |
| 49 | #include <sys/sysproto.h> | |
| 50 | #include <mach/message.h> | |
| 51 | #include <mach/host_security.h> | |
| 52 | ||
| 53 | #include <kern/locks.h> | |
| 54 | ||
| 55 | ||
| 56 | /* | |
| 57 | * Authorization scopes. | |
| 58 | */ | |
| 59 | ||
| 60 | lck_grp_t *kauth_lck_grp; | |
| 61 | static lck_mtx_t *kauth_scope_mtx; | |
| 0a7de745 A |
62 | #define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx); |
| 63 | #define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx); | |
| 91447636 A |
64 | |
| 65 | /* | |
| 66 | * We support listeners for scopes that have not been registered yet. | |
| 67 | * If a listener comes in for a scope that is not active we hang the listener | |
| 68 | * off our kauth_dangling_listeners list and once the scope becomes active we | |
| 69 | * remove it from kauth_dangling_listeners and add it to the active scope. | |
| 70 | */ | |
| 71 | struct kauth_listener { | |
| 0a7de745 A |
72 | TAILQ_ENTRY(kauth_listener) kl_link; |
| 73 | const char * kl_identifier; | |
| 74 | kauth_scope_callback_t kl_callback; | |
| 75 | void * kl_idata; | |
| 91447636 A |
76 | }; |
| 77 | ||
| 78 | /* XXX - kauth_todo - there is a race if a scope listener is removed while we | |
| 79 | * we are in the kauth_authorize_action code path. We intentionally do not take | |
| 0a7de745 A |
80 | * a scope lock in order to get the best possible performance. we will fix this |
| 81 | * post Tiger. | |
| 82 | * Until the race is fixed our kext clients are responsible for all active | |
| 91447636 A |
83 | * requests that may be in their callback code or on the way to their callback |
| 84 | * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata. | |
| 0a7de745 A |
85 | * We keep copies of these in our kauth_local_listener in an attempt to limit |
| 86 | * our expose to unlisten race. | |
| 91447636 A |
87 | */ |
| 88 | struct kauth_local_listener { | |
| 0a7de745 A |
89 | kauth_listener_t kll_listenerp; |
| 90 | kauth_scope_callback_t kll_callback; | |
| 91 | void * kll_idata; | |
| 91447636 A |
92 | }; |
| 93 | typedef struct kauth_local_listener *kauth_local_listener_t; | |
| 94 | ||
| 0a7de745 | 95 | static TAILQ_HEAD(, kauth_listener) kauth_dangling_listeners; |
| 91447636 | 96 | |
| 0a7de745 | 97 | /* |
| 91447636 | 98 | * Scope listeners need to be reworked to be dynamic. |
| 0a7de745 | 99 | * We intentionally used a static table to avoid locking issues with linked |
| 91447636 A |
100 | * lists. The listeners may be called quite often. |
| 101 | * XXX - kauth_todo | |
| 102 | */ | |
| 103 | #define KAUTH_SCOPE_MAX_LISTENERS 15 | |
| 104 | ||
| 105 | struct kauth_scope { | |
| 0a7de745 | 106 | TAILQ_ENTRY(kauth_scope) ks_link; |
| 91447636 | 107 | volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS]; |
| 0a7de745 A |
108 | const char * ks_identifier; |
| 109 | kauth_scope_callback_t ks_callback; | |
| 110 | void * ks_idata; | |
| 111 | u_int ks_flags; | |
| 91447636 A |
112 | }; |
| 113 | ||
| 114 | /* values for kauth_scope.ks_flags */ | |
| 0a7de745 | 115 | #define KS_F_HAS_LISTENERS (1 << 0) |
| 91447636 | 116 | |
| 0a7de745 | 117 | static TAILQ_HEAD(, kauth_scope) kauth_scopes; |
| 91447636 A |
118 | |
| 119 | static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp); | |
| 0a7de745 | 120 | static void kauth_scope_init(void); |
| 91447636 A |
121 | static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata); |
| 122 | static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata); | |
| 123 | #if 0 | |
| 0a7de745 | 124 | static int kauth_scope_valid(kauth_scope_t scope); |
| 91447636 A |
125 | #endif |
| 126 | ||
| 0a7de745 A |
127 | kauth_scope_t kauth_scope_process; |
| 128 | static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, | |
| 91447636 | 129 | uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3); |
| 0a7de745 A |
130 | kauth_scope_t kauth_scope_generic; |
| 131 | static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, | |
| 91447636 | 132 | uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3); |
| 0a7de745 | 133 | kauth_scope_t kauth_scope_fileop; |
| 91447636 | 134 | |
| 0a7de745 A |
135 | extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int); |
| 136 | extern char * get_pathbuff(void); | |
| 137 | extern void release_pathbuff(char *path); | |
| 91447636 A |
138 | |
| 139 | /* | |
| 140 | * Initialization. | |
| 141 | */ | |
| 142 | void | |
| 143 | kauth_init(void) | |
| 144 | { | |
| 0a7de745 | 145 | lck_grp_attr_t *grp_attributes; |
| 91447636 A |
146 | |
| 147 | TAILQ_INIT(&kauth_scopes); | |
| 148 | TAILQ_INIT(&kauth_dangling_listeners); | |
| 149 | ||
| 150 | /* set up our lock group */ | |
| 151 | grp_attributes = lck_grp_attr_alloc_init(); | |
| 152 | kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes); | |
| 153 | lck_grp_attr_free(grp_attributes); | |
| 154 | ||
| 155 | /* bring up kauth subsystem components */ | |
| 156 | kauth_cred_init(); | |
| 316670eb | 157 | #if CONFIG_EXT_RESOLVER |
| 91447636 A |
158 | kauth_identity_init(); |
| 159 | kauth_groups_init(); | |
| 316670eb | 160 | #endif |
| 91447636 | 161 | kauth_scope_init(); |
| 316670eb | 162 | #if CONFIG_EXT_RESOLVER |
| 91447636 | 163 | kauth_resolver_init(); |
| 316670eb | 164 | #endif |
| 91447636 A |
165 | /* can't alloc locks after this */ |
| 166 | lck_grp_free(kauth_lck_grp); | |
| 167 | kauth_lck_grp = NULL; | |
| 168 | } | |
| 169 | ||
| 170 | static void | |
| 171 | kauth_scope_init(void) | |
| 172 | { | |
| 173 | kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/); | |
| 174 | kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL); | |
| 175 | kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL); | |
| 176 | kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL); | |
| 177 | } | |
| 178 | ||
| 179 | /* | |
| 180 | * Scope registration. | |
| 181 | */ | |
| 182 | ||
| 183 | static kauth_scope_t | |
| 184 | kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) | |
| 185 | { | |
| 0a7de745 | 186 | kauth_scope_t sp; |
| 91447636 A |
187 | |
| 188 | /* | |
| 189 | * Allocate and populate the scope structure. | |
| 190 | */ | |
| 6d2010ae | 191 | MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO); |
| 0a7de745 A |
192 | if (sp == NULL) { |
| 193 | return NULL; | |
| 194 | } | |
| 91447636 A |
195 | sp->ks_flags = 0; |
| 196 | sp->ks_identifier = identifier; | |
| 197 | sp->ks_idata = idata; | |
| 198 | sp->ks_callback = callback; | |
| 0a7de745 | 199 | return sp; |
| 91447636 A |
200 | } |
| 201 | ||
| 202 | static kauth_listener_t | |
| 203 | kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata) | |
| 204 | { | |
| 205 | kauth_listener_t lsp; | |
| 206 | ||
| 207 | /* | |
| 208 | * Allocate and populate the listener structure. | |
| 209 | */ | |
| 210 | MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK); | |
| 0a7de745 A |
211 | if (lsp == NULL) { |
| 212 | return NULL; | |
| 213 | } | |
| 91447636 A |
214 | lsp->kl_identifier = identifier; |
| 215 | lsp->kl_idata = idata; | |
| 216 | lsp->kl_callback = callback; | |
| 0a7de745 | 217 | return lsp; |
| 91447636 A |
218 | } |
| 219 | ||
| 220 | kauth_scope_t | |
| 221 | kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) | |
| 222 | { | |
| 0a7de745 A |
223 | kauth_scope_t sp, tsp; |
| 224 | kauth_listener_t klp; | |
| 91447636 | 225 | |
| 0a7de745 A |
226 | if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL) { |
| 227 | return NULL; | |
| 228 | } | |
| 91447636 A |
229 | |
| 230 | /* | |
| 231 | * Lock the list and insert. | |
| 232 | */ | |
| 233 | KAUTH_SCOPELOCK(); | |
| 234 | TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) { | |
| 235 | /* duplicate! */ | |
| 0a7de745 A |
236 | if (strncmp(tsp->ks_identifier, identifier, |
| 237 | strlen(tsp->ks_identifier) + 1) == 0) { | |
| 91447636 A |
238 | KAUTH_SCOPEUNLOCK(); |
| 239 | FREE(sp, M_KAUTH); | |
| 0a7de745 | 240 | return NULL; |
| 91447636 A |
241 | } |
| 242 | } | |
| 243 | TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link); | |
| 244 | ||
| 245 | /* | |
| 246 | * Look for listeners waiting for this scope, move them to the active scope | |
| 247 | * listener table. | |
| 248 | * Note that we have to restart the scan every time we remove an entry | |
| 249 | * from the list, since we can't remove the current item from the list. | |
| 250 | */ | |
| 251 | restart: | |
| 252 | TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) { | |
| 2d21ac55 | 253 | if (strncmp(klp->kl_identifier, sp->ks_identifier, |
| 0a7de745 | 254 | strlen(klp->kl_identifier) + 1) == 0) { |
| 91447636 A |
255 | /* found a match on the dangling listener list. add it to the |
| 256 | * the active scope. | |
| 257 | */ | |
| 258 | if (kauth_add_callback_to_scope(sp, klp) == 0) { | |
| 259 | TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link); | |
| 0a7de745 | 260 | } else { |
| 91447636 A |
261 | #if 0 |
| 262 | printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier); | |
| 263 | #endif | |
| 264 | break; | |
| 265 | } | |
| 266 | goto restart; | |
| 267 | } | |
| 268 | } | |
| 269 | ||
| 270 | KAUTH_SCOPEUNLOCK(); | |
| 0a7de745 | 271 | return sp; |
| 91447636 A |
272 | } |
| 273 | ||
| 274 | ||
| 275 | ||
| 276 | void | |
| 277 | kauth_deregister_scope(kauth_scope_t scope) | |
| 278 | { | |
| 0a7de745 | 279 | int i; |
| 91447636 A |
280 | |
| 281 | KAUTH_SCOPELOCK(); | |
| 282 | ||
| 283 | TAILQ_REMOVE(&kauth_scopes, scope, ks_link); | |
| 0a7de745 | 284 | |
| 91447636 A |
285 | /* relocate listeners back to the waiting list */ |
| 286 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { | |
| 287 | if (scope->ks_listeners[i].kll_listenerp != NULL) { | |
| 288 | TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link); | |
| 289 | scope->ks_listeners[i].kll_listenerp = NULL; | |
| 0a7de745 | 290 | /* |
| 91447636 A |
291 | * XXX - kauth_todo - WARNING, do not clear kll_callback or |
| 292 | * kll_idata here. they are part of our scope unlisten race hack | |
| 293 | */ | |
| 294 | } | |
| 295 | } | |
| 296 | KAUTH_SCOPEUNLOCK(); | |
| 297 | FREE(scope, M_KAUTH); | |
| 0a7de745 | 298 | |
| 91447636 A |
299 | return; |
| 300 | } | |
| 301 | ||
| 302 | kauth_listener_t | |
| 303 | kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) | |
| 304 | { | |
| 305 | kauth_listener_t klp; | |
| 0a7de745 | 306 | kauth_scope_t sp; |
| 91447636 | 307 | |
| 0a7de745 A |
308 | if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL) { |
| 309 | return NULL; | |
| 310 | } | |
| 91447636 A |
311 | |
| 312 | /* | |
| 313 | * Lock the scope list and check to see whether this scope already exists. | |
| 314 | */ | |
| 315 | KAUTH_SCOPELOCK(); | |
| 316 | TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { | |
| 2d21ac55 | 317 | if (strncmp(sp->ks_identifier, identifier, |
| 0a7de745 | 318 | strlen(sp->ks_identifier) + 1) == 0) { |
| 91447636 A |
319 | /* scope exists, add it to scope listener table */ |
| 320 | if (kauth_add_callback_to_scope(sp, klp) == 0) { | |
| 321 | KAUTH_SCOPEUNLOCK(); | |
| 0a7de745 | 322 | return klp; |
| 91447636 A |
323 | } |
| 324 | /* table already full */ | |
| 325 | KAUTH_SCOPEUNLOCK(); | |
| 326 | FREE(klp, M_KAUTH); | |
| 0a7de745 | 327 | return NULL; |
| 91447636 A |
328 | } |
| 329 | } | |
| 0a7de745 | 330 | |
| 91447636 A |
331 | /* scope doesn't exist, put on waiting list. */ |
| 332 | TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link); | |
| 333 | ||
| 334 | KAUTH_SCOPEUNLOCK(); | |
| 335 | ||
| 0a7de745 | 336 | return klp; |
| 91447636 A |
337 | } |
| 338 | ||
| 339 | void | |
| 340 | kauth_unlisten_scope(kauth_listener_t listener) | |
| 341 | { | |
| 0a7de745 A |
342 | kauth_scope_t sp; |
| 343 | kauth_listener_t klp; | |
| 344 | int i, listener_count, do_free; | |
| 345 | ||
| 91447636 A |
346 | KAUTH_SCOPELOCK(); |
| 347 | ||
| 348 | /* search the active scope for this listener */ | |
| 349 | TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { | |
| 350 | do_free = 0; | |
| 351 | if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) { | |
| 352 | listener_count = 0; | |
| 353 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { | |
| 354 | if (sp->ks_listeners[i].kll_listenerp == listener) { | |
| 355 | sp->ks_listeners[i].kll_listenerp = NULL; | |
| 356 | do_free = 1; | |
| 0a7de745 | 357 | /* |
| 91447636 A |
358 | * XXX - kauth_todo - WARNING, do not clear kll_callback or |
| 359 | * kll_idata here. they are part of our scope unlisten race hack | |
| 360 | */ | |
| 0a7de745 | 361 | } else if (sp->ks_listeners[i].kll_listenerp != NULL) { |
| 91447636 A |
362 | listener_count++; |
| 363 | } | |
| 364 | } | |
| 365 | if (do_free) { | |
| 366 | if (listener_count == 0) { | |
| 367 | sp->ks_flags &= ~KS_F_HAS_LISTENERS; | |
| 368 | } | |
| 369 | KAUTH_SCOPEUNLOCK(); | |
| 370 | FREE(listener, M_KAUTH); | |
| 371 | return; | |
| 372 | } | |
| 373 | } | |
| 374 | } | |
| 375 | ||
| 376 | /* if not active, check the dangling list */ | |
| 377 | TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) { | |
| 378 | if (klp == listener) { | |
| 379 | TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link); | |
| 380 | KAUTH_SCOPEUNLOCK(); | |
| 381 | FREE(listener, M_KAUTH); | |
| 382 | return; | |
| 383 | } | |
| 384 | } | |
| 385 | ||
| 386 | KAUTH_SCOPEUNLOCK(); | |
| 387 | return; | |
| 388 | } | |
| 389 | ||
| 390 | /* | |
| 391 | * Authorization requests. | |
| 2d21ac55 A |
392 | * |
| 393 | * Returns: 0 Success | |
| 394 | * EPERM Operation not permitted | |
| 395 | * | |
| 396 | * Imputed: *arg3, modified Callback return - depends on callback | |
| 397 | * modification of *arg3, if any | |
| 91447636 A |
398 | */ |
| 399 | int | |
| 400 | kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action, | |
| 401 | uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) | |
| 402 | { | |
| 403 | int result, ret, i; | |
| 404 | ||
| 405 | /* ask the scope */ | |
| 0a7de745 | 406 | if (scope->ks_callback != NULL) { |
| 91447636 | 407 | result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3); |
| 0a7de745 | 408 | } else { |
| 91447636 | 409 | result = KAUTH_RESULT_DEFER; |
| 0a7de745 | 410 | } |
| 91447636 A |
411 | |
| 412 | /* check with listeners */ | |
| 413 | if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) { | |
| 414 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { | |
| 0a7de745 | 415 | /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger. |
| 91447636 A |
416 | * Until the race is fixed our kext clients are responsible for all active requests that may |
| 417 | * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata. | |
| 0a7de745 A |
418 | * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to |
| 419 | * unlisten race. | |
| 91447636 | 420 | */ |
| 0a7de745 A |
421 | if (scope->ks_listeners[i].kll_listenerp == NULL || |
| 422 | scope->ks_listeners[i].kll_callback == NULL) { | |
| 91447636 | 423 | continue; |
| 0a7de745 | 424 | } |
| 91447636 A |
425 | |
| 426 | ret = scope->ks_listeners[i].kll_callback( | |
| 0a7de745 A |
427 | credential, scope->ks_listeners[i].kll_idata, |
| 428 | action, arg0, arg1, arg2, arg3); | |
| 91447636 | 429 | if ((ret == KAUTH_RESULT_DENY) || |
| 0a7de745 | 430 | (result == KAUTH_RESULT_DEFER)) { |
| 91447636 | 431 | result = ret; |
| 0a7de745 | 432 | } |
| 91447636 A |
433 | } |
| 434 | } | |
| 435 | ||
| 436 | /* we need an explicit allow, or the auth fails */ | |
| 0a7de745 A |
437 | /* XXX need a mechanism for auth failure to be signalled vs. denial */ |
| 438 | return result == KAUTH_RESULT_ALLOW ? 0 : EPERM; | |
| 91447636 A |
439 | } |
| 440 | ||
| 441 | /* | |
| 442 | * Default authorization handlers. | |
| 443 | */ | |
| 444 | int | |
| 445 | kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action, | |
| 0a7de745 | 446 | __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) |
| 91447636 | 447 | { |
| 0a7de745 | 448 | return KAUTH_RESULT_ALLOW; |
| 91447636 A |
449 | } |
| 450 | ||
| 451 | #if 0 | |
| 452 | /* | |
| 453 | * Debugging support. | |
| 454 | */ | |
| 455 | static int | |
| 456 | kauth_scope_valid(kauth_scope_t scope) | |
| 457 | { | |
| 0a7de745 | 458 | kauth_scope_t sp; |
| 91447636 A |
459 | |
| 460 | KAUTH_SCOPELOCK(); | |
| 461 | TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { | |
| 0a7de745 | 462 | if (sp == scope) { |
| 91447636 | 463 | break; |
| 0a7de745 | 464 | } |
| 91447636 A |
465 | } |
| 466 | KAUTH_SCOPEUNLOCK(); | |
| 0a7de745 | 467 | return (sp == NULL) ? 0 : 1; |
| 91447636 A |
468 | } |
| 469 | #endif | |
| 470 | ||
| 471 | /* | |
| 472 | * Process authorization scope. | |
| 473 | */ | |
| 474 | ||
| 475 | int | |
| 476 | kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) | |
| 477 | { | |
| 0a7de745 | 478 | return kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3); |
| 91447636 A |
479 | } |
| 480 | ||
| 481 | static int | |
| 482 | kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action, | |
| 483 | uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) | |
| 484 | { | |
| 0a7de745 | 485 | switch (action) { |
| 91447636 A |
486 | case KAUTH_PROCESS_CANSIGNAL: |
| 487 | panic("KAUTH_PROCESS_CANSIGNAL not implemented"); | |
| 488 | /* XXX credential wrong here */ | |
| 489 | /* arg0 - process to signal | |
| 490 | * arg1 - signal to send the process | |
| 491 | */ | |
| 0a7de745 A |
492 | if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1)) { |
| 493 | return KAUTH_RESULT_ALLOW; | |
| 494 | } | |
| 91447636 A |
495 | break; |
| 496 | case KAUTH_PROCESS_CANTRACE: | |
| 0a7de745 A |
497 | /* current_proc() - process that will do the tracing |
| 498 | * arg0 - process to be traced | |
| 499 | * arg1 - pointer to int - reason (errno) for denial | |
| 91447636 | 500 | */ |
| 0a7de745 A |
501 | if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1)) { |
| 502 | return KAUTH_RESULT_ALLOW; | |
| 503 | } | |
| 91447636 A |
504 | break; |
| 505 | } | |
| 506 | ||
| 507 | /* no explicit result, so defer to others in the chain */ | |
| 0a7de745 | 508 | return KAUTH_RESULT_DEFER; |
| 91447636 A |
509 | } |
| 510 | ||
| 511 | /* | |
| 512 | * File system operation authorization scope. This is really only a notification | |
| 513 | * of the file system operation, not an authorization check. Thus the result is | |
| 514 | * not relevant. | |
| 515 | * arguments passed to KAUTH_FILEOP_OPEN listeners | |
| 516 | * arg0 is pointer to vnode (vnode *) for given user path. | |
| 517 | * arg1 is pointer to path (char *) passed in to open. | |
| 518 | * arguments passed to KAUTH_FILEOP_CLOSE listeners | |
| 519 | * arg0 is pointer to vnode (vnode *) for file to be closed. | |
| 520 | * arg1 is pointer to path (char *) of file to be closed. | |
| 521 | * arg2 is close flags. | |
| d9a64523 A |
522 | * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners |
| 523 | * arg0 is pointer to vnode (vnode *) of the file being renamed | |
| 524 | * arg1 is pointer to the "from" path (char *) | |
| 525 | * arg2 is pointer to the "to" path (char *) | |
| 91447636 A |
526 | * arguments passed to KAUTH_FILEOP_RENAME listeners |
| 527 | * arg0 is pointer to "from" path (char *). | |
| 528 | * arg1 is pointer to "to" path (char *). | |
| 529 | * arguments passed to KAUTH_FILEOP_EXCHANGE listeners | |
| 530 | * arg0 is pointer to file 1 path (char *). | |
| 531 | * arg1 is pointer to file 2 path (char *). | |
| 532 | * arguments passed to KAUTH_FILEOP_EXEC listeners | |
| 533 | * arg0 is pointer to vnode (vnode *) for executable. | |
| 534 | * arg1 is pointer to path (char *) to executable. | |
| 535 | */ | |
| 536 | ||
| 537 | int | |
| 538 | kauth_authorize_fileop_has_listeners(void) | |
| 539 | { | |
| 540 | /* | |
| 541 | * return 1 if we have any listeners for the fileop scope | |
| 542 | * otherwize return 0 | |
| 543 | */ | |
| 544 | if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) { | |
| 0a7de745 | 545 | return 1; |
| 91447636 | 546 | } |
| 0a7de745 | 547 | return 0; |
| 91447636 A |
548 | } |
| 549 | ||
| 550 | int | |
| 551 | kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1) | |
| 552 | { | |
| 0a7de745 A |
553 | char *namep = NULL; |
| 554 | int name_len; | |
| 555 | uintptr_t arg2 = 0; | |
| 556 | ||
| 557 | /* we do not have a primary handler for the fileop scope so bail out if | |
| 91447636 A |
558 | * there are no listeners. |
| 559 | */ | |
| 560 | if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) { | |
| 0a7de745 | 561 | return 0; |
| 91447636 A |
562 | } |
| 563 | ||
| d9a64523 A |
564 | if (action == KAUTH_FILEOP_OPEN || |
| 565 | action == KAUTH_FILEOP_CLOSE || | |
| 566 | action == KAUTH_FILEOP_EXEC || | |
| 567 | action == KAUTH_FILEOP_WILL_RENAME) { | |
| 91447636 A |
568 | /* get path to the given vnode as a convenience to our listeners. |
| 569 | */ | |
| 570 | namep = get_pathbuff(); | |
| 571 | name_len = MAXPATHLEN; | |
| 572 | if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) { | |
| 573 | release_pathbuff(namep); | |
| 0a7de745 | 574 | return 0; |
| 91447636 | 575 | } |
| d9a64523 A |
576 | if (action == KAUTH_FILEOP_CLOSE || |
| 577 | action == KAUTH_FILEOP_WILL_RENAME) { | |
| 578 | /* | |
| 579 | * - Close has some flags that come in via arg1. | |
| 580 | * - Will-rename wants to pass the vnode and | |
| 581 | * both paths to the listeners ("to" path | |
| 582 | * starts in arg1, moves to arg2). | |
| 583 | */ | |
| 584 | arg2 = arg1; | |
| 91447636 A |
585 | } |
| 586 | arg1 = (uintptr_t)namep; | |
| 0a7de745 | 587 | } |
| 91447636 | 588 | kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0); |
| 0a7de745 | 589 | |
| 91447636 A |
590 | if (namep != NULL) { |
| 591 | release_pathbuff(namep); | |
| 592 | } | |
| 0a7de745 A |
593 | |
| 594 | return 0; | |
| 91447636 A |
595 | } |
| 596 | ||
| 597 | /* | |
| 598 | * Generic authorization scope. | |
| 599 | */ | |
| 600 | ||
| 601 | int | |
| 602 | kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action) | |
| 603 | { | |
| 0a7de745 | 604 | if (credential == NULL) { |
| 91447636 | 605 | panic("auth against NULL credential"); |
| 0a7de745 | 606 | } |
| 91447636 | 607 | |
| 0a7de745 | 608 | return kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0); |
| 91447636 A |
609 | } |
| 610 | ||
| 611 | static int | |
| 612 | kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action, | |
| 0a7de745 | 613 | __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) |
| 91447636 | 614 | { |
| 0a7de745 | 615 | switch (action) { |
| 91447636 A |
616 | case KAUTH_GENERIC_ISSUSER: |
| 617 | /* XXX == 0 ? */ | |
| 0a7de745 A |
618 | return (kauth_cred_getuid(credential) == 0) ? |
| 619 | KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY; | |
| 91447636 A |
620 | } |
| 621 | ||
| 622 | /* no explicit result, so defer to others in the chain */ | |
| 0a7de745 | 623 | return KAUTH_RESULT_DEFER; |
| 91447636 A |
624 | } |
| 625 | ||
| 626 | /* | |
| 627 | * ACL evaluator. | |
| 628 | * | |
| 629 | * Determines whether the credential has the requested rights for an object secured by the supplied | |
| 630 | * ACL. | |
| 631 | * | |
| 632 | * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested | |
| 633 | * rights, or granted if all of the requested rights are satisfied by the ACEs so far. | |
| 634 | */ | |
| 635 | int | |
| 636 | kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) | |
| 637 | { | |
| 6d2010ae | 638 | int applies, error, i, gotguid; |
| 91447636 A |
639 | kauth_ace_t ace; |
| 640 | guid_t guid; | |
| 641 | uint32_t rights; | |
| 642 | int wkguid; | |
| 643 | ||
| 644 | /* always allowed to do nothing */ | |
| 645 | if (eval->ae_requested == 0) { | |
| 646 | eval->ae_result = KAUTH_RESULT_ALLOW; | |
| 0a7de745 | 647 | return 0; |
| 91447636 A |
648 | } |
| 649 | ||
| 650 | eval->ae_residual = eval->ae_requested; | |
| 2d21ac55 | 651 | eval->ae_found_deny = FALSE; |
| 91447636 A |
652 | |
| 653 | /* | |
| 654 | * Get our guid for comparison purposes. | |
| 655 | */ | |
| 656 | if ((error = kauth_cred_getguid(cred, &guid)) != 0) { | |
| 6d2010ae A |
657 | KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error); |
| 658 | error = 0; | |
| 659 | gotguid = 0; | |
| 660 | } else { | |
| 661 | gotguid = 1; | |
| 91447636 A |
662 | } |
| 663 | ||
| 664 | KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual); | |
| 665 | for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) { | |
| 91447636 A |
666 | /* |
| 667 | * Skip inherit-only entries. | |
| 668 | */ | |
| 0a7de745 | 669 | if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT) { |
| 91447636 | 670 | continue; |
| 0a7de745 | 671 | } |
| 91447636 A |
672 | |
| 673 | /* | |
| 674 | * Expand generic rights, if appropriate. | |
| 675 | */ | |
| 676 | rights = ace->ace_rights; | |
| 0a7de745 | 677 | if (rights & KAUTH_ACE_GENERIC_ALL) { |
| 91447636 | 678 | rights |= eval->ae_exp_gall; |
| 0a7de745 A |
679 | } |
| 680 | if (rights & KAUTH_ACE_GENERIC_READ) { | |
| 91447636 | 681 | rights |= eval->ae_exp_gread; |
| 0a7de745 A |
682 | } |
| 683 | if (rights & KAUTH_ACE_GENERIC_WRITE) { | |
| 91447636 | 684 | rights |= eval->ae_exp_gwrite; |
| 0a7de745 A |
685 | } |
| 686 | if (rights & KAUTH_ACE_GENERIC_EXECUTE) { | |
| 91447636 | 687 | rights |= eval->ae_exp_gexec; |
| 0a7de745 | 688 | } |
| 91447636 A |
689 | |
| 690 | /* | |
| 691 | * Determine whether this entry applies to the current request. This | |
| 692 | * saves us checking the GUID if the entry has nothing to do with what | |
| 693 | * we're currently doing. | |
| 694 | */ | |
| 0a7de745 | 695 | switch (ace->ace_flags & KAUTH_ACE_KINDMASK) { |
| 91447636 | 696 | case KAUTH_ACE_PERMIT: |
| 0a7de745 | 697 | if (!(eval->ae_residual & rights)) { |
| 91447636 | 698 | continue; |
| 0a7de745 | 699 | } |
| 91447636 A |
700 | break; |
| 701 | case KAUTH_ACE_DENY: | |
| 0a7de745 | 702 | if (!(eval->ae_requested & rights)) { |
| 91447636 | 703 | continue; |
| 0a7de745 | 704 | } |
| 2d21ac55 | 705 | eval->ae_found_deny = TRUE; |
| 91447636 A |
706 | break; |
| 707 | default: | |
| 708 | /* we don't recognise this ACE, skip it */ | |
| 709 | continue; | |
| 710 | } | |
| 0a7de745 | 711 | |
| 91447636 A |
712 | /* |
| 713 | * Verify whether this entry applies to the credential. | |
| 714 | */ | |
| 715 | wkguid = kauth_wellknown_guid(&ace->ace_applicable); | |
| 0a7de745 | 716 | switch (wkguid) { |
| 91447636 A |
717 | case KAUTH_WKG_OWNER: |
| 718 | applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER; | |
| 719 | break; | |
| 720 | case KAUTH_WKG_GROUP: | |
| 0a7de745 | 721 | if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN)) { |
| 6d2010ae | 722 | applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY); |
| 0a7de745 | 723 | } else { |
| 6d2010ae | 724 | applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP; |
| 0a7de745 | 725 | } |
| 91447636 A |
726 | break; |
| 727 | /* we short-circuit these here rather than wasting time calling the group membership code */ | |
| 728 | case KAUTH_WKG_EVERYBODY: | |
| 729 | applies = 1; | |
| 730 | break; | |
| 731 | case KAUTH_WKG_NOBODY: | |
| 732 | applies = 0; | |
| 733 | break; | |
| 734 | ||
| 735 | default: | |
| 736 | /* check to see whether it's exactly us, or a group we are a member of */ | |
| 6d2010ae | 737 | applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable); |
| 91447636 A |
738 | KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched", |
| 739 | K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not "); | |
| 0a7de745 | 740 | |
| 91447636 | 741 | if (!applies) { |
| 6d2010ae | 742 | error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies); |
| 91447636 A |
743 | /* |
| 744 | * If we can't resolve group membership, we have to limit misbehaviour. | |
| 745 | * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid | |
| 746 | * granting excess access). If the ACE is a 'deny' ACE, assume the cred | |
| 747 | * is a member (avoid failing to deny). | |
| 748 | */ | |
| 749 | if (error != 0) { | |
| 750 | KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i); | |
| 0a7de745 | 751 | switch (ace->ace_flags & KAUTH_ACE_KINDMASK) { |
| 91447636 A |
752 | case KAUTH_ACE_PERMIT: |
| 753 | applies = 0; | |
| 754 | break; | |
| 755 | case KAUTH_ACE_DENY: | |
| 756 | applies = 1; | |
| 757 | break; | |
| 758 | } | |
| 759 | } else { | |
| 760 | KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not"); | |
| 761 | } | |
| 762 | } else { | |
| 763 | KAUTH_DEBUG(" ACL - entry matches caller"); | |
| 764 | } | |
| 765 | } | |
| 0a7de745 | 766 | if (!applies) { |
| 91447636 | 767 | continue; |
| 0a7de745 | 768 | } |
| 91447636 A |
769 | |
| 770 | /* | |
| 771 | * Apply ACE to outstanding rights. | |
| 772 | */ | |
| 0a7de745 | 773 | switch (ace->ace_flags & KAUTH_ACE_KINDMASK) { |
| 91447636 A |
774 | case KAUTH_ACE_PERMIT: |
| 775 | /* satisfy any rights that this ACE grants */ | |
| 776 | eval->ae_residual = eval->ae_residual & ~rights; | |
| 777 | KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual); | |
| 778 | /* all rights satisfied? */ | |
| 779 | if (eval->ae_residual == 0) { | |
| 780 | eval->ae_result = KAUTH_RESULT_ALLOW; | |
| 0a7de745 | 781 | return 0; |
| 91447636 A |
782 | } |
| 783 | break; | |
| 784 | case KAUTH_ACE_DENY: | |
| 785 | /* deny the request if any of the requested rights is denied */ | |
| 786 | if (eval->ae_requested & rights) { | |
| 787 | KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights); | |
| 788 | eval->ae_result = KAUTH_RESULT_DENY; | |
| 0a7de745 | 789 | return 0; |
| 91447636 A |
790 | } |
| 791 | break; | |
| 792 | default: | |
| 793 | KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK); | |
| 794 | break; | |
| 795 | } | |
| 796 | } | |
| 797 | /* if not permitted, defer to other modes of authorisation */ | |
| 798 | eval->ae_result = KAUTH_RESULT_DEFER; | |
| 0a7de745 | 799 | return 0; |
| 91447636 A |
800 | } |
| 801 | ||
| 802 | /* | |
| 803 | * Perform ACL inheritance and umask-ACL handling. | |
| 804 | * | |
| 805 | * Entries are inherited from the ACL on dvp. A caller-supplied | |
| 806 | * ACL is in initial, and the result is output into product. | |
| 807 | * If the process has a umask ACL and one is not supplied, we use | |
| 808 | * the umask ACL. | |
| 809 | * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file. | |
| 810 | */ | |
| 811 | int | |
| 812 | kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx) | |
| 813 | { | |
| 0a7de745 | 814 | int entries, error, index; |
| 91447636 A |
815 | unsigned int i; |
| 816 | struct vnode_attr dva; | |
| 817 | kauth_acl_t inherit, result; | |
| 818 | ||
| 819 | /* | |
| 2d21ac55 A |
820 | * Fetch the ACL from the directory. This should never fail. |
| 821 | * Note that we don't manage inheritance when the remote server is | |
| 822 | * doing authorization, since this means server enforcement of | |
| 823 | * inheritance semantics; we just want to compose the initial | |
| 824 | * ACL and any inherited ACE entries from the container object. | |
| 825 | * | |
| 826 | * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process. | |
| 91447636 A |
827 | */ |
| 828 | inherit = NULL; | |
| 6d2010ae A |
829 | /* |
| 830 | * If there is no initial ACL, or there is, and the initial ACLs | |
| 831 | * flags do not request "no inheritance", then we inherit. This allows | |
| 832 | * initial object creation via open_extended() and mkdir_extended() | |
| 833 | * to reject inheritance for themselves and for inferior nodes by | |
| 834 | * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT | |
| 835 | * flag set in the flags field. | |
| 836 | */ | |
| 837 | if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) && | |
| 838 | (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) { | |
| 91447636 A |
839 | VATTR_INIT(&dva); |
| 840 | VATTR_WANTED(&dva, va_acl); | |
| 841 | if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) { | |
| 842 | KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance"); | |
| 0a7de745 | 843 | return error; |
| 91447636 | 844 | } |
| 0a7de745 | 845 | if (VATTR_IS_SUPPORTED(&dva, va_acl)) { |
| 91447636 | 846 | inherit = dva.va_acl; |
| 0a7de745 | 847 | } |
| 91447636 A |
848 | } |
| 849 | ||
| 850 | /* | |
| 2d21ac55 A |
851 | * Compute the number of entries in the result ACL by scanning the |
| 852 | * input lists. | |
| 91447636 A |
853 | */ |
| 854 | entries = 0; | |
| 855 | if (inherit != NULL) { | |
| 856 | for (i = 0; i < inherit->acl_entrycount; i++) { | |
| 0a7de745 | 857 | if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) { |
| 91447636 | 858 | entries++; |
| 0a7de745 | 859 | } |
| 91447636 A |
860 | } |
| 861 | } | |
| 862 | ||
| 863 | if (initial == NULL) { | |
| 2d21ac55 A |
864 | /* |
| 865 | * XXX 3634665 TODO: if the initial ACL is not specfied by | |
| 866 | * XXX the caller, fetch the umask ACL from the process, | |
| 867 | * and use it in place of "initial". | |
| 868 | */ | |
| 91447636 A |
869 | } |
| 870 | ||
| 871 | if (initial != NULL) { | |
| 0a7de745 | 872 | if (initial->acl_entrycount != KAUTH_FILESEC_NOACL) { |
| 2d21ac55 | 873 | entries += initial->acl_entrycount; |
| 0a7de745 | 874 | } else { |
| 2d21ac55 | 875 | initial = NULL; |
| 0a7de745 | 876 | } |
| 91447636 A |
877 | } |
| 878 | ||
| 879 | /* | |
| 880 | * If there is no initial ACL, and no inheritable entries, the | |
| 2d21ac55 | 881 | * object should be created with no ACL at all. |
| 91447636 A |
882 | * Note that this differs from the case where the initial ACL |
| 883 | * is empty, in which case the object must also have an empty ACL. | |
| 884 | */ | |
| 885 | if ((entries == 0) && (initial == NULL)) { | |
| 886 | *product = NULL; | |
| 887 | error = 0; | |
| 888 | goto out; | |
| 889 | } | |
| 0a7de745 | 890 | |
| 91447636 A |
891 | /* |
| 892 | * Allocate the result buffer. | |
| 893 | */ | |
| 894 | if ((result = kauth_acl_alloc(entries)) == NULL) { | |
| 2d21ac55 | 895 | KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries); |
| 91447636 A |
896 | error = ENOMEM; |
| 897 | goto out; | |
| 898 | } | |
| 899 | ||
| 900 | /* | |
| 901 | * Composition is simply: | |
| 6d2010ae A |
902 | * - initial direct ACEs |
| 903 | * - inherited ACEs from new parent | |
| 91447636 A |
904 | */ |
| 905 | index = 0; | |
| 906 | if (initial != NULL) { | |
| 6d2010ae A |
907 | for (i = 0; i < initial->acl_entrycount; i++) { |
| 908 | if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) { | |
| 909 | result->acl_ace[index++] = initial->acl_ace[i]; | |
| 910 | } | |
| 911 | } | |
| 912 | KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount); | |
| 91447636 A |
913 | } |
| 914 | if (inherit != NULL) { | |
| 915 | for (i = 0; i < inherit->acl_entrycount; i++) { | |
| 2d21ac55 A |
916 | /* |
| 917 | * Inherit onto this object? We inherit only if | |
| 918 | * the target object is a container object and the | |
| 919 | * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if | |
| 920 | * if the target object is not a container, and | |
| 921 | * the KAUTH_ACE_FILE_INHERIT bit is set. | |
| 922 | */ | |
| 91447636 A |
923 | if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) { |
| 924 | result->acl_ace[index] = inherit->acl_ace[i]; | |
| 925 | result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED; | |
| b0d623f7 | 926 | result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT; |
| 2d21ac55 A |
927 | /* |
| 928 | * We do not re-inherit inheritance flags | |
| 929 | * if the ACE from the container has a | |
| 930 | * KAUTH_ACE_LIMIT_INHERIT, OR if the new | |
| 931 | * object is not itself a container (since | |
| 932 | * inheritance is always container-based). | |
| 933 | */ | |
| 934 | if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) { | |
| 91447636 | 935 | result->acl_ace[index].ace_flags &= |
| 2d21ac55 A |
936 | ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS); |
| 937 | } | |
| 91447636 A |
938 | index++; |
| 939 | } | |
| 940 | } | |
| 941 | } | |
| 942 | result->acl_entrycount = index; | |
| 943 | *product = result; | |
| 944 | KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index); | |
| 945 | error = 0; | |
| 946 | out: | |
| 0a7de745 | 947 | if (inherit != NULL) { |
| 91447636 | 948 | kauth_acl_free(inherit); |
| 0a7de745 A |
949 | } |
| 950 | return error; | |
| 91447636 A |
951 | } |
| 952 | ||
| 953 | /* | |
| 954 | * Optimistically copy in a kauth_filesec structure | |
| 0c530ab8 | 955 | * |
| 91447636 | 956 | * Parameters: xsecurity user space kauth_filesec_t |
| 0c530ab8 A |
957 | * xsecdstpp pointer to kauth_filesec_t to be |
| 958 | * modified to contain the contain a | |
| 959 | * pointer to an allocated copy of the | |
| 960 | * user space argument | |
| 961 | * | |
| 962 | * Returns: 0 Success | |
| 963 | * ENOMEM Insufficient memory for the copy. | |
| 964 | * EINVAL The user space data was invalid, or | |
| 965 | * there were too many ACE entries. | |
| 966 | * EFAULT The user space address was invalid; | |
| 967 | * this may mean 'fsec_entrycount' in | |
| 968 | * the user copy is corrupt/incorrect. | |
| 969 | * | |
| 970 | * Implicit returns: xsecdestpp, modified (only if successful!) | |
| 971 | * | |
| 972 | * Notes: The returned kauth_filesec_t is in host byte order | |
| 973 | * | |
| 974 | * The caller is responsible for freeing the returned | |
| 975 | * kauth_filesec_t in the success case using the function | |
| 976 | * kauth_filesec_free() | |
| 4452a7af | 977 | * |
| 0c530ab8 A |
978 | * Our largest initial guess is 32; this needs to move to |
| 979 | * a manifest constant in <sys/kauth.h>. | |
| 91447636 | 980 | */ |
| 91447636 A |
981 | int |
| 982 | kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp) | |
| 983 | { | |
| 91447636 A |
984 | int error; |
| 985 | kauth_filesec_t fsec; | |
| 986 | u_int32_t count; | |
| 987 | size_t copysize; | |
| 0a7de745 | 988 | |
| 91447636 A |
989 | error = 0; |
| 990 | fsec = NULL; | |
| 991 | ||
| 992 | /* | |
| 993 | * Make a guess at the size of the filesec. We start with the base | |
| 994 | * pointer, and look at how much room is left on the page, clipped | |
| 995 | * to a sensible upper bound. If it turns out this isn't enough, | |
| 996 | * we'll size based on the actual ACL contents and come back again. | |
| 997 | * | |
| 998 | * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The | |
| 999 | * value here is fairly arbitrary. It's ok to have a zero count. | |
| d9a64523 A |
1000 | * |
| 1001 | * Because we're just using these values to make a guess about the | |
| 1002 | * number of entries, the actual address doesn't matter, only their | |
| 1003 | * relative offsets into the page. We take advantage of this to | |
| 1004 | * avoid an overflow in the rounding step (this is a user-provided | |
| 1005 | * parameter, so caution pays off). | |
| 91447636 | 1006 | */ |
| d9a64523 A |
1007 | { |
| 1008 | user_addr_t known_bound = (xsecurity & PAGE_MASK) + KAUTH_FILESEC_SIZE(0); | |
| 1009 | user_addr_t uaddr = mach_vm_round_page(known_bound); | |
| 1010 | count = (uaddr - known_bound) / sizeof(struct kauth_ace); | |
| 1011 | } | |
| 0a7de745 | 1012 | if (count > 32) { |
| 91447636 | 1013 | count = 32; |
| 0a7de745 | 1014 | } |
| 91447636 A |
1015 | restart: |
| 1016 | if ((fsec = kauth_filesec_alloc(count)) == NULL) { | |
| 1017 | error = ENOMEM; | |
| 1018 | goto out; | |
| 1019 | } | |
| 1020 | copysize = KAUTH_FILESEC_SIZE(count); | |
| 0a7de745 | 1021 | if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0) { |
| 91447636 | 1022 | goto out; |
| 0a7de745 | 1023 | } |
| 91447636 A |
1024 | |
| 1025 | /* validate the filesec header */ | |
| 1026 | if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) { | |
| 1027 | error = EINVAL; | |
| 1028 | goto out; | |
| 1029 | } | |
| 1030 | ||
| 1031 | /* | |
| 1032 | * Is there an ACL payload, and is it too big? | |
| 1033 | */ | |
| 1034 | if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) && | |
| 1035 | (fsec->fsec_entrycount > count)) { | |
| 1036 | if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) { | |
| 0c530ab8 | 1037 | /* XXX This should be E2BIG */ |
| 91447636 A |
1038 | error = EINVAL; |
| 1039 | goto out; | |
| 1040 | } | |
| 1041 | count = fsec->fsec_entrycount; | |
| 1042 | kauth_filesec_free(fsec); | |
| 1043 | goto restart; | |
| 1044 | } | |
| 0a7de745 | 1045 | |
| 91447636 A |
1046 | out: |
| 1047 | if (error) { | |
| 0a7de745 | 1048 | if (fsec) { |
| 91447636 | 1049 | kauth_filesec_free(fsec); |
| 0a7de745 | 1050 | } |
| 91447636 A |
1051 | } else { |
| 1052 | *xsecdestpp = fsec; | |
| b0d623f7 | 1053 | AUDIT_ARG(opaque, fsec, copysize); |
| 91447636 | 1054 | } |
| 0a7de745 | 1055 | return error; |
| 91447636 A |
1056 | } |
| 1057 | ||
| 1058 | /* | |
| 0c530ab8 A |
1059 | * Allocate a block of memory containing a filesec structure, immediately |
| 1060 | * followed by 'count' kauth_ace structures. | |
| 1061 | * | |
| 1062 | * Parameters: count Number of kauth_ace structures needed | |
| 1063 | * | |
| 1064 | * Returns: !NULL A pointer to the allocated block | |
| 1065 | * NULL Invalid 'count' or insufficient memory | |
| 1066 | * | |
| 1067 | * Notes: Returned memory area assumes that the structures are packed | |
| 1068 | * densely, so this function may only be used by code that also | |
| 1069 | * assumes no padding following structures. | |
| 1070 | * | |
| 1071 | * The returned structure must be freed by the caller using the | |
| 1072 | * function kauth_filesec_free(), in case we decide to use an | |
| 1073 | * allocation mechanism that is aware of the object size at some | |
| 1074 | * point, since the object size is only available by introspecting | |
| 1075 | * the object itself. | |
| 91447636 A |
1076 | */ |
| 1077 | kauth_filesec_t | |
| 1078 | kauth_filesec_alloc(int count) | |
| 1079 | { | |
| 0a7de745 A |
1080 | kauth_filesec_t fsp; |
| 1081 | ||
| 91447636 | 1082 | /* if the caller hasn't given us a valid size hint, assume the worst */ |
| 0a7de745 A |
1083 | if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) { |
| 1084 | return NULL; | |
| 1085 | } | |
| 91447636 A |
1086 | |
| 1087 | MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK); | |
| 1088 | if (fsp != NULL) { | |
| 1089 | fsp->fsec_magic = KAUTH_FILESEC_MAGIC; | |
| 1090 | fsp->fsec_owner = kauth_null_guid; | |
| 1091 | fsp->fsec_group = kauth_null_guid; | |
| 1092 | fsp->fsec_entrycount = KAUTH_FILESEC_NOACL; | |
| 1093 | fsp->fsec_flags = 0; | |
| 1094 | } | |
| 0a7de745 A |
1095 | return fsp; |
| 1096 | } | |
| 91447636 | 1097 | |
| 0c530ab8 A |
1098 | /* |
| 1099 | * Free a kauth_filesec_t that was previous allocated, either by a direct | |
| 1100 | * call to kauth_filesec_alloc() or by calling a function that calls it. | |
| 1101 | * | |
| 1102 | * Parameters: fsp kauth_filesec_t to free | |
| 1103 | * | |
| 1104 | * Returns: (void) | |
| 1105 | * | |
| 1106 | * Notes: The kauth_filesec_t to be freed is assumed to be in host | |
| 1107 | * byte order so that this function can introspect it in the | |
| 1108 | * future to determine its size, if necesssary. | |
| 1109 | */ | |
| 91447636 A |
1110 | void |
| 1111 | kauth_filesec_free(kauth_filesec_t fsp) | |
| 1112 | { | |
| 1113 | #ifdef KAUTH_DEBUG_ENABLE | |
| 0a7de745 | 1114 | if (fsp == KAUTH_FILESEC_NONE) { |
| 91447636 | 1115 | panic("freeing KAUTH_FILESEC_NONE"); |
| 0a7de745 A |
1116 | } |
| 1117 | if (fsp == KAUTH_FILESEC_WANTED) { | |
| 91447636 | 1118 | panic("freeing KAUTH_FILESEC_WANTED"); |
| 0a7de745 | 1119 | } |
| 91447636 A |
1120 | #endif |
| 1121 | FREE(fsp, M_KAUTH); | |
| 1122 | } | |
| 1123 | ||
| 0c530ab8 | 1124 | /* |
| 0a7de745 | 1125 | * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the |
| 0c530ab8 A |
1126 | * ACL interior to 'fsec' instead. If the endianness doesn't change, then |
| 1127 | * this function will have no effect. | |
| 1128 | * | |
| 1129 | * Parameters: kendian The endianness to set; this is either | |
| 1130 | * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK. | |
| 1131 | * fsec The filesec to convert. | |
| 1132 | * acl The ACL to convert (optional) | |
| 1133 | * | |
| 1134 | * Returns: (void) | |
| 1135 | * | |
| 1136 | * Notes: We use ntohl() because it has a transitive property on Intel | |
| 1137 | * machines and no effect on PPC mancines. This guarantees us | |
| 1138 | * that the swapping only occurs if the endiannes is wrong. | |
| 1139 | */ | |
| 1140 | void | |
| 1141 | kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl) | |
| 1142 | { | |
| 0a7de745 A |
1143 | uint32_t compare_magic = KAUTH_FILESEC_MAGIC; |
| 1144 | uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC); | |
| 1145 | uint32_t compare_acl_entrycount; | |
| 1146 | uint32_t i; | |
| 0c530ab8 | 1147 | |
| 0a7de745 | 1148 | if (compare_magic == invert_magic) { |
| 0c530ab8 | 1149 | return; |
| 0a7de745 | 1150 | } |
| 0c530ab8 A |
1151 | |
| 1152 | /* If no ACL, use ACL interior to 'fsec' instead */ | |
| 0a7de745 | 1153 | if (acl == NULL) { |
| 0c530ab8 | 1154 | acl = &fsec->fsec_acl; |
| 0a7de745 | 1155 | } |
| 0c530ab8 A |
1156 | |
| 1157 | compare_acl_entrycount = acl->acl_entrycount; | |
| 1158 | ||
| 1159 | /* | |
| 1160 | * Only convert what needs to be converted, and only if the arguments | |
| 1161 | * are valid. The following switch and tests effectively reject | |
| 1162 | * conversions on invalid magic numbers as a desirable side effect. | |
| 1163 | */ | |
| 0a7de745 A |
1164 | switch (kendian) { |
| 1165 | case KAUTH_ENDIAN_HOST: /* not in host, convert to host */ | |
| 1166 | if (fsec->fsec_magic != invert_magic) { | |
| 0c530ab8 | 1167 | return; |
| 0a7de745 | 1168 | } |
| 0c530ab8 A |
1169 | /* acl_entrycount is byteswapped */ |
| 1170 | compare_acl_entrycount = ntohl(acl->acl_entrycount); | |
| 1171 | break; | |
| 0a7de745 A |
1172 | case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */ |
| 1173 | if (fsec->fsec_magic != compare_magic) { | |
| 0c530ab8 | 1174 | return; |
| 0a7de745 | 1175 | } |
| 0c530ab8 | 1176 | break; |
| 0a7de745 | 1177 | default: /* bad argument */ |
| 0c530ab8 A |
1178 | return; |
| 1179 | } | |
| 0a7de745 | 1180 | |
| 0c530ab8 A |
1181 | /* We are go for conversion */ |
| 1182 | fsec->fsec_magic = ntohl(fsec->fsec_magic); | |
| 1183 | acl->acl_entrycount = ntohl(acl->acl_entrycount); | |
| 1184 | if (compare_acl_entrycount != KAUTH_FILESEC_NOACL) { | |
| 1185 | acl->acl_flags = ntohl(acl->acl_flags); | |
| 1186 | ||
| 1187 | /* swap ACE rights and flags */ | |
| 1188 | for (i = 0; i < compare_acl_entrycount; i++) { | |
| 1189 | acl->acl_ace[i].ace_flags = ntohl(acl->acl_ace[i].ace_flags); | |
| 1190 | acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights); | |
| 1191 | } | |
| 1192 | } | |
| 0a7de745 | 1193 | } |
| 0c530ab8 | 1194 | |
| 91447636 A |
1195 | |
| 1196 | /* | |
| 1197 | * Allocate an ACL buffer. | |
| 1198 | */ | |
| 1199 | kauth_acl_t | |
| 1200 | kauth_acl_alloc(int count) | |
| 1201 | { | |
| 0a7de745 A |
1202 | kauth_acl_t aclp; |
| 1203 | ||
| 91447636 | 1204 | /* if the caller hasn't given us a valid size hint, assume the worst */ |
| 0a7de745 A |
1205 | if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) { |
| 1206 | return NULL; | |
| 1207 | } | |
| 91447636 A |
1208 | |
| 1209 | MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK); | |
| 1210 | if (aclp != NULL) { | |
| 1211 | aclp->acl_entrycount = 0; | |
| 1212 | aclp->acl_flags = 0; | |
| 1213 | } | |
| 0a7de745 A |
1214 | return aclp; |
| 1215 | } | |
| 91447636 A |
1216 | |
| 1217 | void | |
| 1218 | kauth_acl_free(kauth_acl_t aclp) | |
| 1219 | { | |
| 1220 | FREE(aclp, M_KAUTH); | |
| 1221 | } | |
| 1222 | ||
| 1223 | ||
| 1224 | /* | |
| 1225 | * WARNING - caller must hold KAUTH_SCOPELOCK | |
| 1226 | */ | |
| 0a7de745 A |
1227 | static int |
| 1228 | kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp) | |
| 91447636 | 1229 | { |
| 0a7de745 | 1230 | int i; |
| 91447636 A |
1231 | |
| 1232 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { | |
| 1233 | if (sp->ks_listeners[i].kll_listenerp == NULL) { | |
| 1234 | sp->ks_listeners[i].kll_callback = klp->kl_callback; | |
| 1235 | sp->ks_listeners[i].kll_idata = klp->kl_idata; | |
| 1236 | sp->ks_listeners[i].kll_listenerp = klp; | |
| 1237 | sp->ks_flags |= KS_F_HAS_LISTENERS; | |
| 0a7de745 | 1238 | return 0; |
| 91447636 A |
1239 | } |
| 1240 | } | |
| 0a7de745 | 1241 | return ENOSPC; |
| 91447636 | 1242 | } |