]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright (c) 2000-2012 Apple Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * This file contains Original Code and/or Modifications of Original Code | |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. The rights granted to you under the License | |
10 | * may not be used to create, or enable the creation or redistribution of, | |
11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
12 | * circumvent, violate, or enable the circumvention or violation of, any | |
13 | * terms of an Apple operating system software license agreement. | |
14 | * | |
15 | * Please obtain a copy of the License at | |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
17 | * | |
18 | * The Original Code and all software distributed under the License are | |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
23 | * Please see the License for the specific language governing rights and | |
24 | * limitations under the License. | |
25 | * | |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ | |
27 | */ | |
28 | ||
29 | #include <sys/types.h> | |
30 | #include <sys/param.h> | |
31 | #include <sys/systm.h> | |
32 | #include <sys/kernel.h> | |
33 | #include <sys/proc_internal.h> | |
34 | #include <sys/sysctl.h> | |
35 | #include <sys/signal.h> | |
36 | #include <sys/signalvar.h> | |
37 | #include <sys/codesign.h> | |
38 | ||
39 | #include <sys/fcntl.h> | |
40 | #include <sys/file.h> | |
41 | #include <sys/file_internal.h> | |
42 | #include <sys/kauth.h> | |
43 | #include <sys/mount.h> | |
44 | #include <sys/msg.h> | |
45 | #include <sys/proc.h> | |
46 | #include <sys/socketvar.h> | |
47 | #include <sys/vnode.h> | |
48 | #include <sys/vnode_internal.h> | |
49 | ||
50 | #include <sys/ubc.h> | |
51 | #include <sys/ubc_internal.h> | |
52 | ||
53 | #include <security/mac.h> | |
54 | #include <security/mac_policy.h> | |
55 | #include <security/mac_framework.h> | |
56 | ||
57 | #include <mach/mach_types.h> | |
58 | #include <mach/vm_map.h> | |
59 | #include <mach/mach_vm.h> | |
60 | ||
61 | #include <kern/kern_types.h> | |
62 | #include <kern/task.h> | |
63 | ||
64 | #include <vm/vm_map.h> | |
65 | #include <vm/vm_kern.h> | |
66 | ||
67 | ||
68 | #include <kern/assert.h> | |
69 | ||
70 | #include <pexpert/pexpert.h> | |
71 | ||
72 | #include <mach/shared_region.h> | |
73 | ||
74 | #include <libkern/section_keywords.h> | |
75 | ||
76 | unsigned long cs_procs_killed = 0; | |
77 | unsigned long cs_procs_invalidated = 0; | |
78 | ||
79 | int cs_force_kill = 0; | |
80 | int cs_force_hard = 0; | |
81 | int cs_debug = 0; | |
82 | // If set, AMFI will error out early on unsigned code, before evaluation the normal policy. | |
83 | int cs_debug_fail_on_unsigned_code = 0; | |
84 | // If the previous mode is enabled, we count the resulting failures here. | |
85 | unsigned int cs_debug_unsigned_exec_failures = 0; | |
86 | unsigned int cs_debug_unsigned_mmap_failures = 0; | |
87 | ||
88 | #if SECURE_KERNEL | |
89 | /* | |
90 | Here we split cs_enforcement_enable into cs_system_enforcement_enable and cs_process_enforcement_enable | |
91 | ||
92 | cs_system_enforcement_enable governs whether or not system level code signing enforcement mechanisms | |
93 | are applied on the system. Today, the only such mechanism is code signing enforcement of the dyld shared | |
94 | cache. | |
95 | ||
96 | cs_process_enforcement_enable governs whether code signing enforcement mechanisms are applied to all | |
97 | processes or only those that opt into such enforcement. | |
98 | ||
99 | (On iOS and related, both of these are set by default. On macOS, only cs_system_enforcement_enable | |
100 | is set by default. Processes can then be opted into code signing enforcement on a case by case basis.) | |
101 | */ | |
102 | const int cs_system_enforcement_enable = 1; | |
103 | const int cs_process_enforcement_enable = 1; | |
104 | const int cs_library_val_enable = 1; | |
105 | #else /* !SECURE_KERNEL */ | |
106 | int cs_enforcement_panic=0; | |
107 | int cs_relax_platform_task_ports = 0; | |
108 | ||
109 | #if CONFIG_ENFORCE_SIGNED_CODE | |
110 | #define DEFAULT_CS_SYSTEM_ENFORCEMENT_ENABLE 1 | |
111 | #define DEFAULT_CS_PROCESS_ENFORCEMENT_ENABLE 1 | |
112 | #else | |
113 | #define DEFAULT_CS_SYSTEM_ENFORCEMENT_ENABLE 1 | |
114 | #define DEFAULT_CS_PROCESS_ENFORCEMENT_ENABLE 0 | |
115 | #endif | |
116 | SECURITY_READ_ONLY_LATE(int) cs_system_enforcement_enable = DEFAULT_CS_SYSTEM_ENFORCEMENT_ENABLE; | |
117 | SECURITY_READ_ONLY_LATE(int) cs_process_enforcement_enable = DEFAULT_CS_PROCESS_ENFORCEMENT_ENABLE; | |
118 | ||
119 | #if CONFIG_ENFORCE_LIBRARY_VALIDATION | |
120 | #define DEFAULT_CS_LIBRARY_VA_ENABLE 1 | |
121 | #else | |
122 | #define DEFAULT_CS_LIBRARY_VA_ENABLE 0 | |
123 | #endif | |
124 | SECURITY_READ_ONLY_LATE(int) cs_library_val_enable = DEFAULT_CS_LIBRARY_VA_ENABLE; | |
125 | ||
126 | #endif /* !SECURE_KERNEL */ | |
127 | int cs_all_vnodes = 0; | |
128 | ||
129 | static lck_grp_t *cs_lockgrp; | |
130 | ||
131 | SYSCTL_INT(_vm, OID_AUTO, cs_force_kill, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_force_kill, 0, ""); | |
132 | SYSCTL_INT(_vm, OID_AUTO, cs_force_hard, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_force_hard, 0, ""); | |
133 | SYSCTL_INT(_vm, OID_AUTO, cs_debug, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_debug, 0, ""); | |
134 | SYSCTL_INT(_vm, OID_AUTO, cs_debug_fail_on_unsigned_code, CTLFLAG_RW | CTLFLAG_LOCKED, | |
135 | &cs_debug_fail_on_unsigned_code, 0, ""); | |
136 | SYSCTL_UINT(_vm, OID_AUTO, cs_debug_unsigned_exec_failures, CTLFLAG_RD | CTLFLAG_LOCKED, | |
137 | &cs_debug_unsigned_exec_failures, 0, ""); | |
138 | SYSCTL_UINT(_vm, OID_AUTO, cs_debug_unsigned_mmap_failures, CTLFLAG_RD | CTLFLAG_LOCKED, | |
139 | &cs_debug_unsigned_mmap_failures, 0, ""); | |
140 | ||
141 | SYSCTL_INT(_vm, OID_AUTO, cs_all_vnodes, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_all_vnodes, 0, ""); | |
142 | ||
143 | #if !SECURE_KERNEL | |
144 | SYSCTL_INT(_vm, OID_AUTO, cs_system_enforcement, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_system_enforcement_enable, 0, ""); | |
145 | SYSCTL_INT(_vm, OID_AUTO, cs_process_enforcement, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_process_enforcement_enable, 0, ""); | |
146 | SYSCTL_INT(_vm, OID_AUTO, cs_enforcement_panic, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_enforcement_panic, 0, ""); | |
147 | ||
148 | #if !CONFIG_ENFORCE_LIBRARY_VALIDATION | |
149 | SYSCTL_INT(_vm, OID_AUTO, cs_library_validation, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_library_val_enable, 0, ""); | |
150 | #endif | |
151 | #endif /* !SECURE_KERNEL */ | |
152 | ||
153 | int panic_on_cs_killed = 0; | |
154 | ||
155 | void | |
156 | cs_init(void) | |
157 | { | |
158 | #if MACH_ASSERT | |
159 | #if PLATFORM_WatchOS || __x86_64__ | |
160 | panic_on_cs_killed = 1; | |
161 | #endif /* watchos || x86_64 */ | |
162 | #endif /* MACH_ASSERT */ | |
163 | PE_parse_boot_argn("panic_on_cs_killed", &panic_on_cs_killed, | |
164 | sizeof (panic_on_cs_killed)); | |
165 | #if !SECURE_KERNEL | |
166 | int disable_cs_enforcement = 0; | |
167 | PE_parse_boot_argn("cs_enforcement_disable", &disable_cs_enforcement, | |
168 | sizeof (disable_cs_enforcement)); | |
169 | if (disable_cs_enforcement && PE_i_can_has_debugger(NULL) != 0) { | |
170 | cs_system_enforcement_enable = 0; | |
171 | cs_process_enforcement_enable = 0; | |
172 | } else { | |
173 | int panic = 0; | |
174 | PE_parse_boot_argn("cs_enforcement_panic", &panic, sizeof(panic)); | |
175 | cs_enforcement_panic = (panic != 0); | |
176 | } | |
177 | ||
178 | PE_parse_boot_argn("cs_relax_platform_task_ports", | |
179 | &cs_relax_platform_task_ports, | |
180 | sizeof(cs_relax_platform_task_ports)); | |
181 | ||
182 | PE_parse_boot_argn("cs_debug", &cs_debug, sizeof (cs_debug)); | |
183 | ||
184 | #if !CONFIG_ENFORCE_LIBRARY_VALIDATION | |
185 | PE_parse_boot_argn("cs_library_val_enable", &cs_library_val_enable, | |
186 | sizeof (cs_library_val_enable)); | |
187 | #endif | |
188 | #endif /* !SECURE_KERNEL */ | |
189 | ||
190 | lck_grp_attr_t *attr = lck_grp_attr_alloc_init(); | |
191 | cs_lockgrp = lck_grp_alloc_init("KERNCS", attr); | |
192 | lck_grp_attr_free(attr); | |
193 | } | |
194 | ||
195 | int | |
196 | cs_allow_invalid(struct proc *p) | |
197 | { | |
198 | #if MACH_ASSERT | |
199 | lck_mtx_assert(&p->p_mlock, LCK_MTX_ASSERT_NOTOWNED); | |
200 | #endif | |
201 | #if CONFIG_MACF | |
202 | /* There needs to be a MAC policy to implement this hook, or else the | |
203 | * kill bits will be cleared here every time. If we have | |
204 | * CONFIG_ENFORCE_SIGNED_CODE, we can assume there is a policy | |
205 | * implementing the hook. | |
206 | */ | |
207 | if( 0 != mac_proc_check_run_cs_invalid(p)) { | |
208 | if(cs_debug) printf("CODE SIGNING: cs_allow_invalid() " | |
209 | "not allowed: pid %d\n", | |
210 | p->p_pid); | |
211 | return 0; | |
212 | } | |
213 | if(cs_debug) printf("CODE SIGNING: cs_allow_invalid() " | |
214 | "allowed: pid %d\n", | |
215 | p->p_pid); | |
216 | proc_lock(p); | |
217 | p->p_csflags &= ~(CS_KILL | CS_HARD); | |
218 | if (p->p_csflags & CS_VALID) | |
219 | { | |
220 | p->p_csflags |= CS_DEBUGGED; | |
221 | } | |
222 | ||
223 | proc_unlock(p); | |
224 | ||
225 | vm_map_switch_protect(get_task_map(p->task), FALSE); | |
226 | #endif | |
227 | return (p->p_csflags & (CS_KILL | CS_HARD)) == 0; | |
228 | } | |
229 | ||
230 | int | |
231 | cs_invalid_page(addr64_t vaddr, boolean_t *cs_killed) | |
232 | { | |
233 | struct proc *p; | |
234 | int send_kill = 0, retval = 0, verbose = cs_debug; | |
235 | uint32_t csflags; | |
236 | ||
237 | p = current_proc(); | |
238 | ||
239 | if (verbose) | |
240 | printf("CODE SIGNING: cs_invalid_page(0x%llx): p=%d[%s]\n", | |
241 | vaddr, p->p_pid, p->p_comm); | |
242 | ||
243 | proc_lock(p); | |
244 | ||
245 | /* XXX for testing */ | |
246 | if (cs_force_kill) | |
247 | p->p_csflags |= CS_KILL; | |
248 | if (cs_force_hard) | |
249 | p->p_csflags |= CS_HARD; | |
250 | ||
251 | /* CS_KILL triggers a kill signal, and no you can't have the page. Nothing else. */ | |
252 | if (p->p_csflags & CS_KILL) { | |
253 | p->p_csflags |= CS_KILLED; | |
254 | cs_procs_killed++; | |
255 | send_kill = 1; | |
256 | retval = 1; | |
257 | } | |
258 | ||
259 | /* CS_HARD means fail the mapping operation so the process stays valid. */ | |
260 | if (p->p_csflags & CS_HARD) { | |
261 | retval = 1; | |
262 | } else { | |
263 | if (p->p_csflags & CS_VALID) { | |
264 | p->p_csflags &= ~CS_VALID; | |
265 | cs_procs_invalidated++; | |
266 | verbose = 1; | |
267 | } | |
268 | } | |
269 | csflags = p->p_csflags; | |
270 | proc_unlock(p); | |
271 | ||
272 | if (verbose) | |
273 | printf("CODE SIGNING: cs_invalid_page(0x%llx): " | |
274 | "p=%d[%s] final status 0x%x, %s page%s\n", | |
275 | vaddr, p->p_pid, p->p_comm, p->p_csflags, | |
276 | retval ? "denying" : "allowing (remove VALID)", | |
277 | send_kill ? " sending SIGKILL" : ""); | |
278 | ||
279 | if (send_kill) { | |
280 | /* We will set the exit reason for the thread later */ | |
281 | threadsignal(current_thread(), SIGKILL, EXC_BAD_ACCESS, FALSE); | |
282 | if (cs_killed) { | |
283 | *cs_killed = TRUE; | |
284 | } | |
285 | } else if (cs_killed) { | |
286 | *cs_killed = FALSE; | |
287 | } | |
288 | ||
289 | ||
290 | return retval; | |
291 | } | |
292 | ||
293 | /* | |
294 | * Assumes p (if passed in) is locked with proc_lock(). | |
295 | */ | |
296 | ||
297 | int | |
298 | cs_process_enforcement(struct proc *p) | |
299 | { | |
300 | ||
301 | if (cs_process_enforcement_enable) | |
302 | return 1; | |
303 | ||
304 | if (p == NULL) | |
305 | p = current_proc(); | |
306 | ||
307 | if (p != NULL && (p->p_csflags & CS_ENFORCEMENT)) | |
308 | return 1; | |
309 | ||
310 | return 0; | |
311 | } | |
312 | ||
313 | int | |
314 | cs_process_global_enforcement(void) | |
315 | { | |
316 | return cs_process_enforcement_enable ? 1 : 0; | |
317 | } | |
318 | ||
319 | int | |
320 | cs_system_enforcement(void) | |
321 | { | |
322 | return cs_system_enforcement_enable ? 1 : 0; | |
323 | } | |
324 | ||
325 | /* | |
326 | * Returns whether a given process is still valid. | |
327 | */ | |
328 | int | |
329 | cs_valid(struct proc *p) | |
330 | { | |
331 | ||
332 | if (p == NULL) | |
333 | p = current_proc(); | |
334 | ||
335 | if (p != NULL && (p->p_csflags & CS_VALID)) | |
336 | return 1; | |
337 | ||
338 | return 0; | |
339 | } | |
340 | ||
341 | /* | |
342 | * Library validation functions | |
343 | */ | |
344 | int | |
345 | cs_require_lv(struct proc *p) | |
346 | { | |
347 | ||
348 | if (cs_library_val_enable) | |
349 | return 1; | |
350 | ||
351 | if (p == NULL) | |
352 | p = current_proc(); | |
353 | ||
354 | if (p != NULL && (p->p_csflags & CS_REQUIRE_LV)) | |
355 | return 1; | |
356 | ||
357 | return 0; | |
358 | } | |
359 | ||
360 | int | |
361 | csproc_forced_lv(struct proc* p) | |
362 | { | |
363 | if (p == NULL) { | |
364 | p = current_proc(); | |
365 | } | |
366 | if (p != NULL && (p->p_csflags & CS_FORCED_LV)) { | |
367 | return 1; | |
368 | } | |
369 | return 0; | |
370 | } | |
371 | ||
372 | /* | |
373 | * <rdar://problem/24634089> added to allow system level library | |
374 | * validation check at mac_cred_label_update_execve time | |
375 | */ | |
376 | int | |
377 | cs_system_require_lv(void) | |
378 | { | |
379 | return cs_library_val_enable ? 1 : 0; | |
380 | } | |
381 | ||
382 | /* | |
383 | * Function: csblob_get_base_offset | |
384 | * | |
385 | * Description: This function returns the base offset into the (possibly universal) binary | |
386 | * for a given blob. | |
387 | */ | |
388 | ||
389 | off_t | |
390 | csblob_get_base_offset(struct cs_blob *blob) | |
391 | { | |
392 | return blob->csb_base_offset; | |
393 | } | |
394 | ||
395 | /* | |
396 | * Function: csblob_get_size | |
397 | * | |
398 | * Description: This function returns the size of a given blob. | |
399 | */ | |
400 | ||
401 | vm_size_t | |
402 | csblob_get_size(struct cs_blob *blob) | |
403 | { | |
404 | return blob->csb_mem_size; | |
405 | } | |
406 | ||
407 | /* | |
408 | * Function: csblob_get_addr | |
409 | * | |
410 | * Description: This function returns the address of a given blob. | |
411 | */ | |
412 | ||
413 | vm_address_t | |
414 | csblob_get_addr(struct cs_blob *blob) | |
415 | { | |
416 | return blob->csb_mem_kaddr; | |
417 | } | |
418 | ||
419 | /* | |
420 | * Function: csblob_get_platform_binary | |
421 | * | |
422 | * Description: This function returns true if the binary is | |
423 | * in the trust cache. | |
424 | */ | |
425 | ||
426 | int | |
427 | csblob_get_platform_binary(struct cs_blob *blob) | |
428 | { | |
429 | if (blob && blob->csb_platform_binary) | |
430 | return 1; | |
431 | return 0; | |
432 | } | |
433 | ||
434 | /* | |
435 | * Function: csblob_get_flags | |
436 | * | |
437 | * Description: This function returns the flags for a given blob | |
438 | */ | |
439 | ||
440 | unsigned int | |
441 | csblob_get_flags(struct cs_blob *blob) | |
442 | { | |
443 | return blob->csb_flags; | |
444 | } | |
445 | ||
446 | /* | |
447 | * Function: csblob_get_hashtype | |
448 | * | |
449 | * Description: This function returns the hash type for a given blob | |
450 | */ | |
451 | ||
452 | uint8_t | |
453 | csblob_get_hashtype(struct cs_blob const * const blob) | |
454 | { | |
455 | return blob->csb_hashtype != NULL ? cs_hash_type(blob->csb_hashtype) : 0; | |
456 | } | |
457 | ||
458 | /* | |
459 | * Function: csproc_get_blob | |
460 | * | |
461 | * Description: This function returns the cs_blob | |
462 | * for the process p | |
463 | */ | |
464 | struct cs_blob * | |
465 | csproc_get_blob(struct proc *p) | |
466 | { | |
467 | if (NULL == p) | |
468 | return NULL; | |
469 | ||
470 | if (NULL == p->p_textvp) | |
471 | return NULL; | |
472 | ||
473 | if ((p->p_csflags & CS_SIGNED) == 0) { | |
474 | return NULL; | |
475 | } | |
476 | ||
477 | return ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff); | |
478 | } | |
479 | ||
480 | /* | |
481 | * Function: csvnode_get_blob | |
482 | * | |
483 | * Description: This function returns the cs_blob | |
484 | * for the vnode vp | |
485 | */ | |
486 | struct cs_blob * | |
487 | csvnode_get_blob(struct vnode *vp, off_t offset) | |
488 | { | |
489 | return ubc_cs_blob_get(vp, -1, offset); | |
490 | } | |
491 | ||
492 | /* | |
493 | * Function: csblob_get_teamid | |
494 | * | |
495 | * Description: This function returns a pointer to the | |
496 | * team id of csblob | |
497 | */ | |
498 | const char * | |
499 | csblob_get_teamid(struct cs_blob *csblob) | |
500 | { | |
501 | return csblob->csb_teamid; | |
502 | } | |
503 | ||
504 | /* | |
505 | * Function: csblob_get_identity | |
506 | * | |
507 | * Description: This function returns a pointer to the | |
508 | * identity string | |
509 | */ | |
510 | const char * | |
511 | csblob_get_identity(struct cs_blob *csblob) | |
512 | { | |
513 | const CS_CodeDirectory *cd; | |
514 | ||
515 | cd = (const CS_CodeDirectory *)csblob_find_blob(csblob, CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY); | |
516 | if (cd == NULL) | |
517 | return NULL; | |
518 | ||
519 | if (cd->identOffset == 0) | |
520 | return NULL; | |
521 | ||
522 | return ((const char *)cd) + ntohl(cd->identOffset); | |
523 | } | |
524 | ||
525 | /* | |
526 | * Function: csblob_get_cdhash | |
527 | * | |
528 | * Description: This function returns a pointer to the | |
529 | * cdhash of csblob (20 byte array) | |
530 | */ | |
531 | const uint8_t * | |
532 | csblob_get_cdhash(struct cs_blob *csblob) | |
533 | { | |
534 | return csblob->csb_cdhash; | |
535 | } | |
536 | ||
537 | /* | |
538 | * Function: csblob_get_signer_type | |
539 | * | |
540 | * Description: This function returns the signer type | |
541 | * as an integer | |
542 | */ | |
543 | unsigned int | |
544 | csblob_get_signer_type(struct cs_blob *csblob) | |
545 | { | |
546 | return csblob->csb_signer_type; | |
547 | } | |
548 | ||
549 | void * | |
550 | csblob_entitlements_dictionary_copy(struct cs_blob *csblob) | |
551 | { | |
552 | if (!csblob->csb_entitlements) return NULL; | |
553 | osobject_retain(csblob->csb_entitlements); | |
554 | return csblob->csb_entitlements; | |
555 | } | |
556 | ||
557 | void | |
558 | csblob_entitlements_dictionary_set(struct cs_blob *csblob, void * entitlements) | |
559 | { | |
560 | assert(csblob->csb_entitlements == NULL); | |
561 | if (entitlements) osobject_retain(entitlements); | |
562 | csblob->csb_entitlements = entitlements; | |
563 | } | |
564 | ||
565 | /* | |
566 | * Function: csproc_get_teamid | |
567 | * | |
568 | * Description: This function returns a pointer to the | |
569 | * team id of the process p | |
570 | */ | |
571 | const char * | |
572 | csproc_get_teamid(struct proc *p) | |
573 | { | |
574 | struct cs_blob *csblob; | |
575 | ||
576 | csblob = csproc_get_blob(p); | |
577 | if (csblob == NULL) | |
578 | return NULL; | |
579 | ||
580 | return csblob_get_teamid(csblob); | |
581 | } | |
582 | ||
583 | /* | |
584 | * Function: csproc_get_signer_type | |
585 | * | |
586 | * Description: This function returns the signer type | |
587 | * of the process p | |
588 | */ | |
589 | unsigned int | |
590 | csproc_get_signer_type(struct proc *p) | |
591 | { | |
592 | struct cs_blob *csblob; | |
593 | ||
594 | csblob = csproc_get_blob(p); | |
595 | if (csblob == NULL) | |
596 | return CS_SIGNER_TYPE_UNKNOWN; | |
597 | ||
598 | return csblob_get_signer_type(csblob); | |
599 | } | |
600 | ||
601 | /* | |
602 | * Function: csvnode_get_teamid | |
603 | * | |
604 | * Description: This function returns a pointer to the | |
605 | * team id of the binary at the given offset in vnode vp | |
606 | */ | |
607 | const char * | |
608 | csvnode_get_teamid(struct vnode *vp, off_t offset) | |
609 | { | |
610 | struct cs_blob *csblob; | |
611 | ||
612 | if (vp == NULL) | |
613 | return NULL; | |
614 | ||
615 | csblob = ubc_cs_blob_get(vp, -1, offset); | |
616 | if (csblob == NULL) | |
617 | return NULL; | |
618 | ||
619 | return csblob_get_teamid(csblob); | |
620 | } | |
621 | ||
622 | /* | |
623 | * Function: csproc_get_platform_binary | |
624 | * | |
625 | * Description: This function returns the value | |
626 | * of the platform_binary field for proc p | |
627 | */ | |
628 | int | |
629 | csproc_get_platform_binary(struct proc *p) | |
630 | { | |
631 | struct cs_blob *csblob; | |
632 | ||
633 | csblob = csproc_get_blob(p); | |
634 | ||
635 | /* If there is no csblob this returns 0 because | |
636 | it is true that it is not a platform binary */ | |
637 | return (csblob == NULL) ? 0 : csblob->csb_platform_binary; | |
638 | } | |
639 | ||
640 | int | |
641 | csproc_get_platform_path(struct proc *p) | |
642 | { | |
643 | struct cs_blob *csblob; | |
644 | ||
645 | csblob = csproc_get_blob(p); | |
646 | ||
647 | return (csblob == NULL) ? 0 : csblob->csb_platform_path; | |
648 | } | |
649 | ||
650 | #if DEVELOPMENT || DEBUG | |
651 | void | |
652 | csproc_clear_platform_binary(struct proc *p) | |
653 | { | |
654 | struct cs_blob *csblob = csproc_get_blob(p); | |
655 | ||
656 | if (csblob == NULL) { | |
657 | return; | |
658 | } | |
659 | ||
660 | if (cs_debug) { | |
661 | printf("clearing platform binary on proc/task: pid = %d\n", p->p_pid); | |
662 | } | |
663 | ||
664 | csblob->csb_platform_binary = 0; | |
665 | csblob->csb_platform_path = 0; | |
666 | task_set_platform_binary(proc_task(p), FALSE); | |
667 | } | |
668 | #endif | |
669 | ||
670 | void | |
671 | csproc_disable_enforcement(struct proc* __unused p) | |
672 | { | |
673 | #if !CONFIG_ENFORCE_SIGNED_CODE | |
674 | if (p != NULL) { | |
675 | proc_lock(p); | |
676 | p->p_csflags &= (~CS_ENFORCEMENT); | |
677 | proc_unlock(p); | |
678 | } | |
679 | #endif | |
680 | } | |
681 | ||
682 | /* Function: csproc_mark_invalid_allowed | |
683 | * | |
684 | * Description: Mark the process as being allowed to go invalid. Called as part of | |
685 | * task_for_pid and ptrace policy. Note CS_INVALID_ALLOWED only matters for | |
686 | * processes that have been opted into CS_ENFORCEMENT. | |
687 | */ | |
688 | void | |
689 | csproc_mark_invalid_allowed(struct proc* __unused p) | |
690 | { | |
691 | #if !CONFIG_ENFORCE_SIGNED_CODE | |
692 | if (p != NULL) { | |
693 | proc_lock(p); | |
694 | p->p_csflags |= CS_INVALID_ALLOWED; | |
695 | proc_unlock(p); | |
696 | } | |
697 | #endif | |
698 | } | |
699 | ||
700 | /* | |
701 | * Function: csproc_check_invalid_allowed | |
702 | * | |
703 | * Description: Returns 1 if the process has been marked as allowed to go invalid | |
704 | * because it gave its task port to an allowed process. | |
705 | */ | |
706 | int | |
707 | csproc_check_invalid_allowed(struct proc* __unused p) | |
708 | { | |
709 | #if !CONFIG_ENFORCE_SIGNED_CODE | |
710 | if (p == NULL) { | |
711 | p = current_proc(); | |
712 | } | |
713 | ||
714 | if (p != NULL && (p->p_csflags & CS_INVALID_ALLOWED)) | |
715 | return 1; | |
716 | #endif | |
717 | return 0; | |
718 | } | |
719 | ||
720 | /* | |
721 | * Function: csproc_get_prod_signed | |
722 | * | |
723 | * Description: Returns 1 if process is not signed with a developer identity. | |
724 | * Note the inverted meaning from the cs_flag to make the error case safer. | |
725 | * Will go away with rdar://problem/28322552. | |
726 | */ | |
727 | int | |
728 | csproc_get_prod_signed(struct proc *p) | |
729 | { | |
730 | return ((p->p_csflags & CS_DEV_CODE) == 0); | |
731 | } | |
732 | ||
733 | ||
734 | /* | |
735 | * Function: csfg_get_platform_binary | |
736 | * | |
737 | * Description: This function returns the | |
738 | * platform binary field for the | |
739 | * fileglob fg | |
740 | */ | |
741 | int | |
742 | csfg_get_platform_binary(struct fileglob *fg) | |
743 | { | |
744 | int platform_binary = 0; | |
745 | struct ubc_info *uip; | |
746 | vnode_t vp; | |
747 | ||
748 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
749 | return 0; | |
750 | ||
751 | vp = (struct vnode *)fg->fg_data; | |
752 | if (vp == NULL) | |
753 | return 0; | |
754 | ||
755 | vnode_lock(vp); | |
756 | if (!UBCINFOEXISTS(vp)) | |
757 | goto out; | |
758 | ||
759 | uip = vp->v_ubcinfo; | |
760 | if (uip == NULL) | |
761 | goto out; | |
762 | ||
763 | if (uip->cs_blobs == NULL) | |
764 | goto out; | |
765 | ||
766 | /* It is OK to extract the teamid from the first blob | |
767 | because all blobs of a vnode must have the same teamid */ | |
768 | platform_binary = uip->cs_blobs->csb_platform_binary; | |
769 | out: | |
770 | vnode_unlock(vp); | |
771 | ||
772 | return platform_binary; | |
773 | } | |
774 | ||
775 | uint8_t * | |
776 | csfg_get_cdhash(struct fileglob *fg, uint64_t offset, size_t *cdhash_size) | |
777 | { | |
778 | vnode_t vp; | |
779 | ||
780 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
781 | return NULL; | |
782 | ||
783 | vp = (struct vnode *)fg->fg_data; | |
784 | if (vp == NULL) | |
785 | return NULL; | |
786 | ||
787 | struct cs_blob *csblob = NULL; | |
788 | if ((csblob = ubc_cs_blob_get(vp, -1, offset)) == NULL) | |
789 | return NULL; | |
790 | ||
791 | if (cdhash_size) | |
792 | *cdhash_size = CS_CDHASH_LEN; | |
793 | ||
794 | return csblob->csb_cdhash; | |
795 | } | |
796 | ||
797 | /* | |
798 | * Function: csfg_get_signer_type | |
799 | * | |
800 | * Description: This returns the signer type | |
801 | * for the fileglob fg | |
802 | */ | |
803 | unsigned int | |
804 | csfg_get_signer_type(struct fileglob *fg) | |
805 | { | |
806 | struct ubc_info *uip; | |
807 | unsigned int signer_type = CS_SIGNER_TYPE_UNKNOWN; | |
808 | vnode_t vp; | |
809 | ||
810 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
811 | return CS_SIGNER_TYPE_UNKNOWN; | |
812 | ||
813 | vp = (struct vnode *)fg->fg_data; | |
814 | if (vp == NULL) | |
815 | return CS_SIGNER_TYPE_UNKNOWN; | |
816 | ||
817 | vnode_lock(vp); | |
818 | if (!UBCINFOEXISTS(vp)) | |
819 | goto out; | |
820 | ||
821 | uip = vp->v_ubcinfo; | |
822 | if (uip == NULL) | |
823 | goto out; | |
824 | ||
825 | if (uip->cs_blobs == NULL) | |
826 | goto out; | |
827 | ||
828 | /* It is OK to extract the signer type from the first blob, | |
829 | because all blobs of a vnode must have the same signer type. */ | |
830 | signer_type = uip->cs_blobs->csb_signer_type; | |
831 | out: | |
832 | vnode_unlock(vp); | |
833 | ||
834 | return signer_type; | |
835 | } | |
836 | ||
837 | /* | |
838 | * Function: csfg_get_teamid | |
839 | * | |
840 | * Description: This returns a pointer to | |
841 | * the teamid for the fileglob fg | |
842 | */ | |
843 | const char * | |
844 | csfg_get_teamid(struct fileglob *fg) | |
845 | { | |
846 | struct ubc_info *uip; | |
847 | const char *str = NULL; | |
848 | vnode_t vp; | |
849 | ||
850 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
851 | return NULL; | |
852 | ||
853 | vp = (struct vnode *)fg->fg_data; | |
854 | if (vp == NULL) | |
855 | return NULL; | |
856 | ||
857 | vnode_lock(vp); | |
858 | if (!UBCINFOEXISTS(vp)) | |
859 | goto out; | |
860 | ||
861 | uip = vp->v_ubcinfo; | |
862 | if (uip == NULL) | |
863 | goto out; | |
864 | ||
865 | if (uip->cs_blobs == NULL) | |
866 | goto out; | |
867 | ||
868 | /* It is OK to extract the teamid from the first blob | |
869 | because all blobs of a vnode must have the same teamid */ | |
870 | str = uip->cs_blobs->csb_teamid; | |
871 | out: | |
872 | vnode_unlock(vp); | |
873 | ||
874 | return str; | |
875 | } | |
876 | ||
877 | /* | |
878 | * Function: csfg_get_prod_signed | |
879 | * | |
880 | * Description: Returns 1 if code is not signed with a developer identity. | |
881 | * Note the inverted meaning from the cs_flag to make the error case safer. | |
882 | * Will go away with rdar://problem/28322552. | |
883 | */ | |
884 | int | |
885 | csfg_get_prod_signed(struct fileglob *fg) | |
886 | { | |
887 | struct ubc_info *uip; | |
888 | vnode_t vp; | |
889 | int prod_signed = 0; | |
890 | ||
891 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
892 | return 0; | |
893 | ||
894 | vp = (struct vnode *)fg->fg_data; | |
895 | if (vp == NULL) | |
896 | return 0; | |
897 | ||
898 | vnode_lock(vp); | |
899 | if (!UBCINFOEXISTS(vp)) | |
900 | goto out; | |
901 | ||
902 | uip = vp->v_ubcinfo; | |
903 | if (uip == NULL) | |
904 | goto out; | |
905 | ||
906 | if (uip->cs_blobs == NULL) | |
907 | goto out; | |
908 | ||
909 | /* It is OK to extract the flag from the first blob | |
910 | because all blobs of a vnode must have the same cs_flags */ | |
911 | prod_signed = (uip->cs_blobs->csb_flags & CS_DEV_CODE) == 0; | |
912 | out: | |
913 | vnode_unlock(vp); | |
914 | ||
915 | return prod_signed; | |
916 | } | |
917 | ||
918 | /* | |
919 | * Function: csfg_get_identity | |
920 | * | |
921 | * Description: This function returns the codesign identity | |
922 | * for the fileglob | |
923 | */ | |
924 | const char * | |
925 | csfg_get_identity(struct fileglob *fg, off_t offset) | |
926 | { | |
927 | vnode_t vp; | |
928 | struct cs_blob *csblob = NULL; | |
929 | ||
930 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
931 | return NULL; | |
932 | ||
933 | vp = (struct vnode *)fg->fg_data; | |
934 | if (vp == NULL) | |
935 | return NULL; | |
936 | ||
937 | csblob = ubc_cs_blob_get(vp, -1, offset); | |
938 | if (csblob == NULL) | |
939 | return NULL; | |
940 | ||
941 | return csblob_get_identity(csblob); | |
942 | } | |
943 | ||
944 | /* | |
945 | * Function: csfg_get_platform_identifier | |
946 | * | |
947 | * Description: This function returns the codesign platform | |
948 | * identifier for the fileglob. Assumes the fileproc | |
949 | * is being held busy to keep the fileglob consistent. | |
950 | */ | |
951 | uint8_t | |
952 | csfg_get_platform_identifier(struct fileglob *fg, off_t offset) | |
953 | { | |
954 | vnode_t vp; | |
955 | ||
956 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
957 | return 0; | |
958 | ||
959 | vp = (struct vnode *)fg->fg_data; | |
960 | if (vp == NULL) | |
961 | return 0; | |
962 | ||
963 | return csvnode_get_platform_identifier(vp, offset); | |
964 | } | |
965 | ||
966 | /* | |
967 | * Function: csvnode_get_platform_identifier | |
968 | * | |
969 | * Description: This function returns the codesign platform | |
970 | * identifier for the vnode. Assumes a vnode reference | |
971 | * is held. | |
972 | */ | |
973 | uint8_t | |
974 | csvnode_get_platform_identifier(struct vnode *vp, off_t offset) | |
975 | { | |
976 | struct cs_blob *csblob; | |
977 | const CS_CodeDirectory *code_dir; | |
978 | ||
979 | csblob = ubc_cs_blob_get(vp, -1, offset); | |
980 | if (csblob == NULL) | |
981 | return 0; | |
982 | ||
983 | code_dir = csblob->csb_cd; | |
984 | if (code_dir == NULL || ntohl(code_dir->length) < 8) | |
985 | return 0; | |
986 | ||
987 | return code_dir->platform; | |
988 | } | |
989 | ||
990 | /* | |
991 | * Function: csproc_get_platform_identifier | |
992 | * | |
993 | * Description: This function returns the codesign platform | |
994 | * identifier for the proc. Assumes proc will remain | |
995 | * valid through call. | |
996 | */ | |
997 | uint8_t | |
998 | csproc_get_platform_identifier(struct proc *p) | |
999 | { | |
1000 | if (NULL == p->p_textvp) | |
1001 | return 0; | |
1002 | ||
1003 | return csvnode_get_platform_identifier(p->p_textvp, p->p_textoff); | |
1004 | } | |
1005 | ||
1006 | uint32_t | |
1007 | cs_entitlement_flags(struct proc *p) | |
1008 | { | |
1009 | return (p->p_csflags & CS_ENTITLEMENT_FLAGS); | |
1010 | } | |
1011 | ||
1012 | int | |
1013 | cs_restricted(struct proc *p) | |
1014 | { | |
1015 | return (p->p_csflags & CS_RESTRICT) ? 1 : 0; | |
1016 | } | |
1017 | ||
1018 | int | |
1019 | csproc_hardened_runtime(struct proc* p) | |
1020 | { | |
1021 | return (p->p_csflags & CS_RUNTIME) ? 1 : 0; | |
1022 | } | |
1023 | ||
1024 | /* | |
1025 | * Function: csfg_get_path | |
1026 | * | |
1027 | * Description: This populates the buffer passed in | |
1028 | * with the path of the vnode | |
1029 | * When calling this, the fileglob | |
1030 | * cannot go away. The caller must have a | |
1031 | * a reference on the fileglob or fileproc | |
1032 | */ | |
1033 | int | |
1034 | csfg_get_path(struct fileglob *fg, char *path, int *len) | |
1035 | { | |
1036 | vnode_t vp = NULL; | |
1037 | ||
1038 | if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) | |
1039 | return -1; | |
1040 | ||
1041 | vp = (struct vnode *)fg->fg_data; | |
1042 | ||
1043 | /* vn_getpath returns 0 for success, | |
1044 | or an error code */ | |
1045 | return vn_getpath(vp, path, len); | |
1046 | } | |
1047 | ||
1048 | /* Retrieve the entitlements blob for a process. | |
1049 | * Returns: | |
1050 | * EINVAL no text vnode associated with the process | |
1051 | * EBADEXEC invalid code signing data | |
1052 | * 0 no error occurred | |
1053 | * | |
1054 | * On success, out_start and out_length will point to the | |
1055 | * entitlements blob if found; or will be set to NULL/zero | |
1056 | * if there were no entitlements. | |
1057 | */ | |
1058 | ||
1059 | int | |
1060 | cs_entitlements_blob_get(proc_t p, void **out_start, size_t *out_length) | |
1061 | { | |
1062 | struct cs_blob *csblob; | |
1063 | ||
1064 | *out_start = NULL; | |
1065 | *out_length = 0; | |
1066 | ||
1067 | if ((p->p_csflags & CS_SIGNED) == 0) { | |
1068 | return 0; | |
1069 | } | |
1070 | ||
1071 | if (NULL == p->p_textvp) | |
1072 | return EINVAL; | |
1073 | ||
1074 | if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) | |
1075 | return 0; | |
1076 | ||
1077 | return csblob_get_entitlements(csblob, out_start, out_length); | |
1078 | } | |
1079 | ||
1080 | /* Retrieve the codesign identity for a process. | |
1081 | * Returns: | |
1082 | * NULL an error occured | |
1083 | * string the cs_identity | |
1084 | */ | |
1085 | ||
1086 | const char * | |
1087 | cs_identity_get(proc_t p) | |
1088 | { | |
1089 | struct cs_blob *csblob; | |
1090 | ||
1091 | if ((p->p_csflags & CS_SIGNED) == 0) { | |
1092 | return NULL; | |
1093 | } | |
1094 | ||
1095 | if (NULL == p->p_textvp) | |
1096 | return NULL; | |
1097 | ||
1098 | if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) | |
1099 | return NULL; | |
1100 | ||
1101 | return csblob_get_identity(csblob); | |
1102 | } | |
1103 | ||
1104 | /* | |
1105 | * DO NOT USE THIS FUNCTION! | |
1106 | * Use the properly guarded csproc_get_blob instead. | |
1107 | * | |
1108 | * This is currently here to allow detached signatures to work | |
1109 | * properly. The only user of this function is also checking | |
1110 | * for CS_VALID. | |
1111 | */ | |
1112 | ||
1113 | int | |
1114 | cs_blob_get(proc_t p, void **out_start, size_t *out_length) | |
1115 | { | |
1116 | struct cs_blob *csblob; | |
1117 | ||
1118 | *out_start = NULL; | |
1119 | *out_length = 0; | |
1120 | ||
1121 | if (NULL == p->p_textvp) | |
1122 | return EINVAL; | |
1123 | ||
1124 | if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) | |
1125 | return 0; | |
1126 | ||
1127 | *out_start = (void *)csblob->csb_mem_kaddr; | |
1128 | *out_length = csblob->csb_mem_size; | |
1129 | ||
1130 | return 0; | |
1131 | } | |
1132 | ||
1133 | /* | |
1134 | * return cshash of a process, cdhash is of size CS_CDHASH_LEN | |
1135 | */ | |
1136 | ||
1137 | uint8_t * | |
1138 | cs_get_cdhash(struct proc *p) | |
1139 | { | |
1140 | struct cs_blob *csblob; | |
1141 | ||
1142 | if ((p->p_csflags & CS_SIGNED) == 0) { | |
1143 | return NULL; | |
1144 | } | |
1145 | ||
1146 | if (NULL == p->p_textvp) | |
1147 | return NULL; | |
1148 | ||
1149 | if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL) | |
1150 | return NULL; | |
1151 | ||
1152 | return csblob->csb_cdhash; | |
1153 | } |