]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_authorization.c
projects / apple / xnu.git / blob
? search:


73b6accc671127a4672b6e3f4f31567d2b175ce2
[apple/xnu.git] / bsd / kern / kern_authorization.c
1 /*
2 * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_OSREFERENCE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the
10 * License may not be used to create, or enable the creation or
11 * redistribution of, unlawful or unlicensed copies of an Apple operating
12 * system, or to circumvent, violate, or enable the circumvention or
13 * violation of, any terms of an Apple operating system software license
14 * agreement.
15 *
16 * Please obtain a copy of the License at
17 * http://www.opensource.apple.com/apsl/ and read it before using this
18 * file.
19 *
20 * The Original Code and all software distributed under the License are
21 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
22 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
23 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
24 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
25 * Please see the License for the specific language governing rights and
26 * limitations under the License.
27 *
28 * @APPLE_LICENSE_OSREFERENCE_HEADER_END@
29 */
30
31 /*
32 * Centralized authorisation framework.
33 */
34
35 #include <sys/appleapiopts.h>
36 #include <sys/param.h> /* XXX trim includes */
37 #include <sys/acct.h>
38 #include <sys/systm.h>
39 #include <sys/ucred.h>
40 #include <sys/proc_internal.h>
41 #include <sys/timeb.h>
42 #include <sys/times.h>
43 #include <sys/malloc.h>
44 #include <sys/vnode_internal.h>
45 #include <sys/kauth.h>
46 #include <sys/stat.h>
47
48 #include <bsm/audit_kernel.h>
49
50 #include <sys/mount.h>
51 #include <sys/sysproto.h>
52 #include <mach/message.h>
53 #include <mach/host_security.h>
54
55 #include <kern/locks.h>
56
57
58 /*
59 * Authorization scopes.
60 */
61
62 lck_grp_t *kauth_lck_grp;
63 static lck_mtx_t *kauth_scope_mtx;
64 #define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx);
65 #define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx);
66
67 /*
68 * We support listeners for scopes that have not been registered yet.
69 * If a listener comes in for a scope that is not active we hang the listener
70 * off our kauth_dangling_listeners list and once the scope becomes active we
71 * remove it from kauth_dangling_listeners and add it to the active scope.
72 */
73 struct kauth_listener {
74 TAILQ_ENTRY(kauth_listener) kl_link;
75 const char * kl_identifier;
76 kauth_scope_callback_t kl_callback;
77 void * kl_idata;
78 };
79
80 /* XXX - kauth_todo - there is a race if a scope listener is removed while we
81 * we are in the kauth_authorize_action code path. We intentionally do not take
82 * a scope lock in order to get the best possible performance. we will fix this
83 * post Tiger.
84 * Until the race is fixed our kext clients are responsible for all active
85 * requests that may be in their callback code or on the way to their callback
86 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
87 * We keep copies of these in our kauth_local_listener in an attempt to limit
88 * our expose to unlisten race.
89 */
90 struct kauth_local_listener {
91 kauth_listener_t kll_listenerp;
92 kauth_scope_callback_t kll_callback;
93 void * kll_idata;
94 };
95 typedef struct kauth_local_listener *kauth_local_listener_t;
96
97 static TAILQ_HEAD(,kauth_listener) kauth_dangling_listeners;
98
99 /*
100 * Scope listeners need to be reworked to be dynamic.
101 * We intentionally used a static table to avoid locking issues with linked
102 * lists. The listeners may be called quite often.
103 * XXX - kauth_todo
104 */
105 #define KAUTH_SCOPE_MAX_LISTENERS 15
106
107 struct kauth_scope {
108 TAILQ_ENTRY(kauth_scope) ks_link;
109 volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS];
110 const char * ks_identifier;
111 kauth_scope_callback_t ks_callback;
112 void * ks_idata;
113 u_int ks_flags;
114 };
115
116 /* values for kauth_scope.ks_flags */
117 #define KS_F_HAS_LISTENERS (1 << 0)
118
119 static TAILQ_HEAD(,kauth_scope) kauth_scopes;
120
121 static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
122 static void kauth_scope_init(void);
123 static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
124 static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
125 #if 0
126 static int kauth_scope_valid(kauth_scope_t scope);
127 #endif
128
129 kauth_scope_t kauth_scope_process;
130 static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
131 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3);
132 kauth_scope_t kauth_scope_generic;
133 static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
134 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
135 kauth_scope_t kauth_scope_fileop;
136
137 extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int);
138 extern char * get_pathbuff(void);
139 extern void release_pathbuff(char *path);
140
141 /*
142 * Initialization.
143 */
144 void
145 kauth_init(void)
146 {
147 lck_grp_attr_t *grp_attributes;
148
149 TAILQ_INIT(&kauth_scopes);
150 TAILQ_INIT(&kauth_dangling_listeners);
151
152 /* set up our lock group */
153 grp_attributes = lck_grp_attr_alloc_init();
154 kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes);
155 lck_grp_attr_free(grp_attributes);
156
157 /* bring up kauth subsystem components */
158 kauth_cred_init();
159 kauth_identity_init();
160 kauth_groups_init();
161 kauth_scope_init();
162 kauth_resolver_init();
163
164 /* can't alloc locks after this */
165 lck_grp_free(kauth_lck_grp);
166 kauth_lck_grp = NULL;
167 }
168
169 static void
170 kauth_scope_init(void)
171 {
172 kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/);
173 kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL);
174 kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL);
175 kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL);
176 }
177
178 /*
179 * Scope registration.
180 */
181
182 static kauth_scope_t
183 kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
184 {
185 kauth_scope_t sp;
186
187 /*
188 * Allocate and populate the scope structure.
189 */
190 MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK);
191 if (sp == NULL)
192 return(NULL);
193 bzero(&sp->ks_listeners, sizeof(sp->ks_listeners));
194 sp->ks_flags = 0;
195 sp->ks_identifier = identifier;
196 sp->ks_idata = idata;
197 sp->ks_callback = callback;
198 return(sp);
199 }
200
201 static kauth_listener_t
202 kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata)
203 {
204 kauth_listener_t lsp;
205
206 /*
207 * Allocate and populate the listener structure.
208 */
209 MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK);
210 if (lsp == NULL)
211 return(NULL);
212 lsp->kl_identifier = identifier;
213 lsp->kl_idata = idata;
214 lsp->kl_callback = callback;
215 return(lsp);
216 }
217
218 kauth_scope_t
219 kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
220 {
221 kauth_scope_t sp, tsp;
222 kauth_listener_t klp;
223
224 if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL)
225 return(NULL);
226
227 /*
228 * Lock the list and insert.
229 */
230 KAUTH_SCOPELOCK();
231 TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
232 /* duplicate! */
233 if (strcmp(tsp->ks_identifier, identifier) == 0) {
234 KAUTH_SCOPEUNLOCK();
235 FREE(sp, M_KAUTH);
236 return(NULL);
237 }
238 }
239 TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link);
240
241 /*
242 * Look for listeners waiting for this scope, move them to the active scope
243 * listener table.
244 * Note that we have to restart the scan every time we remove an entry
245 * from the list, since we can't remove the current item from the list.
246 */
247 restart:
248 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
249 if (strcmp(klp->kl_identifier, sp->ks_identifier) == 0) {
250 /* found a match on the dangling listener list. add it to the
251 * the active scope.
252 */
253 if (kauth_add_callback_to_scope(sp, klp) == 0) {
254 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
255 }
256 else {
257 #if 0
258 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier);
259 #endif
260 break;
261 }
262 goto restart;
263 }
264 }
265
266 KAUTH_SCOPEUNLOCK();
267 return(sp);
268 }
269
270
271
272 void
273 kauth_deregister_scope(kauth_scope_t scope)
274 {
275 int i;
276
277 KAUTH_SCOPELOCK();
278
279 TAILQ_REMOVE(&kauth_scopes, scope, ks_link);
280
281 /* relocate listeners back to the waiting list */
282 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
283 if (scope->ks_listeners[i].kll_listenerp != NULL) {
284 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link);
285 scope->ks_listeners[i].kll_listenerp = NULL;
286 /*
287 * XXX - kauth_todo - WARNING, do not clear kll_callback or
288 * kll_idata here. they are part of our scope unlisten race hack
289 */
290 }
291 }
292 KAUTH_SCOPEUNLOCK();
293 FREE(scope, M_KAUTH);
294
295 return;
296 }
297
298 kauth_listener_t
299 kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
300 {
301 kauth_listener_t klp;
302 kauth_scope_t sp;
303
304 if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL)
305 return(NULL);
306
307 /*
308 * Lock the scope list and check to see whether this scope already exists.
309 */
310 KAUTH_SCOPELOCK();
311 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
312 if (strcmp(sp->ks_identifier, identifier) == 0) {
313 /* scope exists, add it to scope listener table */
314 if (kauth_add_callback_to_scope(sp, klp) == 0) {
315 KAUTH_SCOPEUNLOCK();
316 return(klp);
317 }
318 /* table already full */
319 KAUTH_SCOPEUNLOCK();
320 FREE(klp, M_KAUTH);
321 return(NULL);
322 }
323 }
324
325 /* scope doesn't exist, put on waiting list. */
326 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link);
327
328 KAUTH_SCOPEUNLOCK();
329
330 return(klp);
331 }
332
333 void
334 kauth_unlisten_scope(kauth_listener_t listener)
335 {
336 kauth_scope_t sp;
337 kauth_listener_t klp;
338 int i, listener_count, do_free;
339
340 KAUTH_SCOPELOCK();
341
342 /* search the active scope for this listener */
343 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
344 do_free = 0;
345 if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) {
346 listener_count = 0;
347 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
348 if (sp->ks_listeners[i].kll_listenerp == listener) {
349 sp->ks_listeners[i].kll_listenerp = NULL;
350 do_free = 1;
351 /*
352 * XXX - kauth_todo - WARNING, do not clear kll_callback or
353 * kll_idata here. they are part of our scope unlisten race hack
354 */
355 }
356 else if (sp->ks_listeners[i].kll_listenerp != NULL) {
357 listener_count++;
358 }
359 }
360 if (do_free) {
361 if (listener_count == 0) {
362 sp->ks_flags &= ~KS_F_HAS_LISTENERS;
363 }
364 KAUTH_SCOPEUNLOCK();
365 FREE(listener, M_KAUTH);
366 return;
367 }
368 }
369 }
370
371 /* if not active, check the dangling list */
372 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
373 if (klp == listener) {
374 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
375 KAUTH_SCOPEUNLOCK();
376 FREE(listener, M_KAUTH);
377 return;
378 }
379 }
380
381 KAUTH_SCOPEUNLOCK();
382 return;
383 }
384
385 /*
386 * Authorization requests.
387 */
388 int
389 kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
390 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
391 {
392 int result, ret, i;
393
394 /* ask the scope */
395 if (scope->ks_callback != NULL)
396 result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3);
397 else
398 result = KAUTH_RESULT_DEFER;
399
400 /* check with listeners */
401 if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) {
402 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
403 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
404 * Until the race is fixed our kext clients are responsible for all active requests that may
405 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
406 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
407 * unlisten race.
408 */
409 if (scope->ks_listeners[i].kll_listenerp == NULL ||
410 scope->ks_listeners[i].kll_callback == NULL)
411 continue;
412
413 ret = scope->ks_listeners[i].kll_callback(
414 credential, scope->ks_listeners[i].kll_idata,
415 action, arg0, arg1, arg2, arg3);
416 if ((ret == KAUTH_RESULT_DENY) ||
417 (result == KAUTH_RESULT_DEFER))
418 result = ret;
419 }
420 }
421
422 /* we need an explicit allow, or the auth fails */
423 /* XXX need a mechanism for auth failure to be signalled vs. denial */
424 return(result == KAUTH_RESULT_ALLOW ? 0 : EPERM);
425 }
426
427 /*
428 * Default authorization handlers.
429 */
430 int
431 kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action,
432 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
433 {
434
435 return(KAUTH_RESULT_ALLOW);
436 }
437
438 #if 0
439 /*
440 * Debugging support.
441 */
442 static int
443 kauth_scope_valid(kauth_scope_t scope)
444 {
445 kauth_scope_t sp;
446
447 KAUTH_SCOPELOCK();
448 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
449 if (sp == scope)
450 break;
451 }
452 KAUTH_SCOPEUNLOCK();
453 return((sp == NULL) ? 0 : 1);
454 }
455 #endif
456
457 /*
458 * Process authorization scope.
459 */
460
461 int
462 kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
463 {
464 return(kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3));
465 }
466
467 static int
468 kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
469 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
470 {
471 switch(action) {
472 case KAUTH_PROCESS_CANSIGNAL:
473 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
474 /* XXX credential wrong here */
475 /* arg0 - process to signal
476 * arg1 - signal to send the process
477 */
478 if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1))
479 return(KAUTH_RESULT_ALLOW);
480 break;
481 case KAUTH_PROCESS_CANTRACE:
482 /* current_proc() - process that will do the tracing
483 * arg0 - process to be traced
484 * arg1 - pointer to int - reason (errno) for denial
485 */
486 if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1))
487 return(KAUTH_RESULT_ALLOW);
488 break;
489 }
490
491 /* no explicit result, so defer to others in the chain */
492 return(KAUTH_RESULT_DEFER);
493 }
494
495 /*
496 * File system operation authorization scope. This is really only a notification
497 * of the file system operation, not an authorization check. Thus the result is
498 * not relevant.
499 * arguments passed to KAUTH_FILEOP_OPEN listeners
500 * arg0 is pointer to vnode (vnode *) for given user path.
501 * arg1 is pointer to path (char *) passed in to open.
502 * arguments passed to KAUTH_FILEOP_CLOSE listeners
503 * arg0 is pointer to vnode (vnode *) for file to be closed.
504 * arg1 is pointer to path (char *) of file to be closed.
505 * arg2 is close flags.
506 * arguments passed to KAUTH_FILEOP_RENAME listeners
507 * arg0 is pointer to "from" path (char *).
508 * arg1 is pointer to "to" path (char *).
509 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
510 * arg0 is pointer to file 1 path (char *).
511 * arg1 is pointer to file 2 path (char *).
512 * arguments passed to KAUTH_FILEOP_EXEC listeners
513 * arg0 is pointer to vnode (vnode *) for executable.
514 * arg1 is pointer to path (char *) to executable.
515 */
516
517 int
518 kauth_authorize_fileop_has_listeners(void)
519 {
520 /*
521 * return 1 if we have any listeners for the fileop scope
522 * otherwize return 0
523 */
524 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) {
525 return(1);
526 }
527 return (0);
528 }
529
530 int
531 kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1)
532 {
533 char *namep = NULL;
534 int name_len;
535 uintptr_t arg2 = 0;
536
537 /* we do not have a primary handler for the fileop scope so bail out if
538 * there are no listeners.
539 */
540 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
541 return(0);
542 }
543
544 if (action == KAUTH_FILEOP_OPEN || action == KAUTH_FILEOP_CLOSE || action == KAUTH_FILEOP_EXEC) {
545 /* get path to the given vnode as a convenience to our listeners.
546 */
547 namep = get_pathbuff();
548 name_len = MAXPATHLEN;
549 if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
550 release_pathbuff(namep);
551 return(0);
552 }
553 if (action == KAUTH_FILEOP_CLOSE) {
554 arg2 = arg1; /* close has some flags that come in via arg1 */
555 }
556 arg1 = (uintptr_t)namep;
557 }
558 kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0);
559
560 if (namep != NULL) {
561 release_pathbuff(namep);
562 }
563
564 return(0);
565 }
566
567 /*
568 * Generic authorization scope.
569 */
570
571 int
572 kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action)
573 {
574 if (credential == NULL)
575 panic("auth against NULL credential");
576
577 return(kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0));
578
579 }
580
581 static int
582 kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
583 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
584 {
585 switch(action) {
586 case KAUTH_GENERIC_ISSUSER:
587 /* XXX == 0 ? */
588 return((kauth_cred_getuid(credential) == 0) ?
589 KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY);
590 break;
591 }
592
593 /* no explicit result, so defer to others in the chain */
594 return(KAUTH_RESULT_DEFER);
595 }
596
597 /*
598 * ACL evaluator.
599 *
600 * Determines whether the credential has the requested rights for an object secured by the supplied
601 * ACL.
602 *
603 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
604 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
605 */
606 int
607 kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
608 {
609 int applies, error, i;
610 kauth_ace_t ace;
611 guid_t guid;
612 uint32_t rights;
613 int wkguid;
614
615 /* always allowed to do nothing */
616 if (eval->ae_requested == 0) {
617 eval->ae_result = KAUTH_RESULT_ALLOW;
618 return(0);
619 }
620
621 eval->ae_residual = eval->ae_requested;
622
623 /*
624 * Get our guid for comparison purposes.
625 */
626 if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
627 eval->ae_result = KAUTH_RESULT_DENY;
628 KAUTH_DEBUG(" ACL - can't get credential GUID (%d), ACL denied", error);
629 return(error);
630 }
631
632 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
633 for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) {
634
635 /*
636 * Skip inherit-only entries.
637 */
638 if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT)
639 continue;
640
641 /*
642 * Expand generic rights, if appropriate.
643 */
644 rights = ace->ace_rights;
645 if (rights & KAUTH_ACE_GENERIC_ALL)
646 rights |= eval->ae_exp_gall;
647 if (rights & KAUTH_ACE_GENERIC_READ)
648 rights |= eval->ae_exp_gread;
649 if (rights & KAUTH_ACE_GENERIC_WRITE)
650 rights |= eval->ae_exp_gwrite;
651 if (rights & KAUTH_ACE_GENERIC_EXECUTE)
652 rights |= eval->ae_exp_gexec;
653
654 /*
655 * Determine whether this entry applies to the current request. This
656 * saves us checking the GUID if the entry has nothing to do with what
657 * we're currently doing.
658 */
659 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
660 case KAUTH_ACE_PERMIT:
661 if (!(eval->ae_residual & rights))
662 continue;
663 break;
664 case KAUTH_ACE_DENY:
665 if (!(eval->ae_requested & rights))
666 continue;
667 break;
668 default:
669 /* we don't recognise this ACE, skip it */
670 continue;
671 }
672
673 /*
674 * Verify whether this entry applies to the credential.
675 */
676 wkguid = kauth_wellknown_guid(&ace->ace_applicable);
677 switch(wkguid) {
678 case KAUTH_WKG_OWNER:
679 applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
680 break;
681 case KAUTH_WKG_GROUP:
682 applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
683 break;
684 /* we short-circuit these here rather than wasting time calling the group membership code */
685 case KAUTH_WKG_EVERYBODY:
686 applies = 1;
687 break;
688 case KAUTH_WKG_NOBODY:
689 applies = 0;
690 break;
691
692 default:
693 /* check to see whether it's exactly us, or a group we are a member of */
694 applies = kauth_guid_equal(&guid, &ace->ace_applicable);
695 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
696 K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
697
698 if (!applies) {
699 error = kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
700 /*
701 * If we can't resolve group membership, we have to limit misbehaviour.
702 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
703 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
704 * is a member (avoid failing to deny).
705 */
706 if (error != 0) {
707 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i);
708 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
709 case KAUTH_ACE_PERMIT:
710 applies = 0;
711 break;
712 case KAUTH_ACE_DENY:
713 applies = 1;
714 break;
715 }
716 } else {
717 KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not");
718 }
719 } else {
720 KAUTH_DEBUG(" ACL - entry matches caller");
721 }
722 }
723 if (!applies)
724 continue;
725
726 /*
727 * Apply ACE to outstanding rights.
728 */
729 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
730 case KAUTH_ACE_PERMIT:
731 /* satisfy any rights that this ACE grants */
732 eval->ae_residual = eval->ae_residual & ~rights;
733 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual);
734 /* all rights satisfied? */
735 if (eval->ae_residual == 0) {
736 eval->ae_result = KAUTH_RESULT_ALLOW;
737 return(0);
738 }
739 break;
740 case KAUTH_ACE_DENY:
741 /* deny the request if any of the requested rights is denied */
742 if (eval->ae_requested & rights) {
743 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights);
744 eval->ae_result = KAUTH_RESULT_DENY;
745 return(0);
746 }
747 break;
748 default:
749 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK);
750 break;
751 }
752 }
753 /* if not permitted, defer to other modes of authorisation */
754 eval->ae_result = KAUTH_RESULT_DEFER;
755 return(0);
756 }
757
758 /*
759 * Perform ACL inheritance and umask-ACL handling.
760 *
761 * Entries are inherited from the ACL on dvp. A caller-supplied
762 * ACL is in initial, and the result is output into product.
763 * If the process has a umask ACL and one is not supplied, we use
764 * the umask ACL.
765 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
766 */
767 int
768 kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx)
769 {
770 int entries, error, index;
771 unsigned int i;
772 struct vnode_attr dva;
773 kauth_acl_t inherit, result;
774
775 /*
776 * Fetch the ACL from the directory. This should never fail. Note that we don't
777 * manage inheritance when the remote server is doing authorization; we just
778 * want to compose the umask-ACL and any initial ACL.
779 */
780 inherit = NULL;
781 if ((dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
782 VATTR_INIT(&dva);
783 VATTR_WANTED(&dva, va_acl);
784 if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
785 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
786 return(error);
787 }
788 if (VATTR_IS_SUPPORTED(&dva, va_acl))
789 inherit = dva.va_acl;
790 }
791
792 /*
793 * Compute the number of entries in the result ACL by scanning the input lists.
794 */
795 entries = 0;
796 if (inherit != NULL) {
797 for (i = 0; i < inherit->acl_entrycount; i++) {
798 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT))
799 entries++;
800 }
801 }
802
803 if (initial == NULL) {
804 /* XXX 3634665 TODO: fetch umask ACL from the process, set in initial */
805 }
806
807 if (initial != NULL) {
808 entries += initial->acl_entrycount;
809 }
810
811 /*
812 * If there is no initial ACL, and no inheritable entries, the
813 * object should have no ACL at all.
814 * Note that this differs from the case where the initial ACL
815 * is empty, in which case the object must also have an empty ACL.
816 */
817 if ((entries == 0) && (initial == NULL)) {
818 *product = NULL;
819 error = 0;
820 goto out;
821 }
822
823 /*
824 * Allocate the result buffer.
825 */
826 if ((result = kauth_acl_alloc(entries)) == NULL) {
827 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL");
828 error = ENOMEM;
829 goto out;
830 }
831
832 /*
833 * Composition is simply:
834 * - initial
835 * - inherited
836 */
837 index = 0;
838 if (initial != NULL) {
839 for (i = 0; i < initial->acl_entrycount; i++)
840 result->acl_ace[index++] = initial->acl_ace[i];
841 KAUTH_DEBUG(" INHERIT - applied %d initial entries", index);
842 }
843 if (inherit != NULL) {
844 for (i = 0; i < inherit->acl_entrycount; i++) {
845 /* inherit onto this object? */
846 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
847 result->acl_ace[index] = inherit->acl_ace[i];
848 result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
849 /* don't re-inherit? */
850 if (result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT)
851 result->acl_ace[index].ace_flags &=
852 ~(KAUTH_ACE_DIRECTORY_INHERIT | KAUTH_ACE_FILE_INHERIT | KAUTH_ACE_LIMIT_INHERIT);
853 index++;
854 }
855 }
856 }
857 result->acl_entrycount = index;
858 *product = result;
859 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index);
860 error = 0;
861 out:
862 if (inherit != NULL)
863 kauth_acl_free(inherit);
864 return(error);
865 }
866
867 /*
868 * Optimistically copy in a kauth_filesec structure
869 * Parameters: xsecurity user space kauth_filesec_t
870 * xsecdstpp pointer to kauth_filesec_t
871 *
872 * Returns: 0 on success, EINVAL or EFAULT depending on failure mode.
873 * Modifies: xsecdestpp, which contains a pointer to an allocated
874 * and copied-in kauth_filesec_t
875 */
876
877 int
878 kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
879 {
880 user_addr_t uaddr, known_bound;
881 int error;
882 kauth_filesec_t fsec;
883 u_int32_t count;
884 size_t copysize;
885
886 error = 0;
887 fsec = NULL;
888
889 /*
890 * Make a guess at the size of the filesec. We start with the base
891 * pointer, and look at how much room is left on the page, clipped
892 * to a sensible upper bound. If it turns out this isn't enough,
893 * we'll size based on the actual ACL contents and come back again.
894 *
895 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
896 * value here is fairly arbitrary. It's ok to have a zero count.
897 */
898 known_bound = xsecurity + sizeof(struct kauth_filesec);
899 uaddr = mach_vm_round_page(known_bound);
900 count = (uaddr - known_bound) / sizeof(struct kauth_ace);
901 if (count > 32)
902 count = 32;
903 restart:
904 if ((fsec = kauth_filesec_alloc(count)) == NULL) {
905 error = ENOMEM;
906 goto out;
907 }
908 copysize = KAUTH_FILESEC_SIZE(count);
909 if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0)
910 goto out;
911
912 /* validate the filesec header */
913 if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) {
914 error = EINVAL;
915 goto out;
916 }
917
918 /*
919 * Is there an ACL payload, and is it too big?
920 */
921 if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
922 (fsec->fsec_entrycount > count)) {
923 if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
924 error = EINVAL;
925 goto out;
926 }
927 count = fsec->fsec_entrycount;
928 kauth_filesec_free(fsec);
929 goto restart;
930 }
931
932 out:
933 if (error) {
934 if (fsec)
935 kauth_filesec_free(fsec);
936 } else {
937 *xsecdestpp = fsec;
938 }
939 return(error);
940 }
941
942 /*
943 * Allocate a filesec structure.
944 */
945 kauth_filesec_t
946 kauth_filesec_alloc(int count)
947 {
948 kauth_filesec_t fsp;
949
950 /* if the caller hasn't given us a valid size hint, assume the worst */
951 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
952 return(NULL);
953
954 MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK);
955 if (fsp != NULL) {
956 fsp->fsec_magic = KAUTH_FILESEC_MAGIC;
957 fsp->fsec_owner = kauth_null_guid;
958 fsp->fsec_group = kauth_null_guid;
959 fsp->fsec_entrycount = KAUTH_FILESEC_NOACL;
960 fsp->fsec_flags = 0;
961 }
962 return(fsp);
963 }
964
965 void
966 kauth_filesec_free(kauth_filesec_t fsp)
967 {
968 #ifdef KAUTH_DEBUG_ENABLE
969 if (fsp == KAUTH_FILESEC_NONE)
970 panic("freeing KAUTH_FILESEC_NONE");
971 if (fsp == KAUTH_FILESEC_WANTED)
972 panic("freeing KAUTH_FILESEC_WANTED");
973 #endif
974 FREE(fsp, M_KAUTH);
975 }
976
977
978 /*
979 * Allocate an ACL buffer.
980 */
981 kauth_acl_t
982 kauth_acl_alloc(int count)
983 {
984 kauth_acl_t aclp;
985
986 /* if the caller hasn't given us a valid size hint, assume the worst */
987 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
988 return(NULL);
989
990 MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK);
991 if (aclp != NULL) {
992 aclp->acl_entrycount = 0;
993 aclp->acl_flags = 0;
994 }
995 return(aclp);
996 }
997
998 void
999 kauth_acl_free(kauth_acl_t aclp)
1000 {
1001 FREE(aclp, M_KAUTH);
1002 }
1003
1004
1005 /*
1006 * WARNING - caller must hold KAUTH_SCOPELOCK
1007 */
1008 static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp)
1009 {
1010 int i;
1011
1012 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
1013 if (sp->ks_listeners[i].kll_listenerp == NULL) {
1014 sp->ks_listeners[i].kll_callback = klp->kl_callback;
1015 sp->ks_listeners[i].kll_idata = klp->kl_idata;
1016 sp->ks_listeners[i].kll_listenerp = klp;
1017 sp->ks_flags |= KS_F_HAS_LISTENERS;
1018 return(0);
1019 }
1020 }
1021 return(ENOSPC);
1022 }
mirror of XNU