]> git.saurik.com Git - apple/xnu.git/blob - bsd/net/necp.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-4903.241.1.tar.gz
[apple/xnu.git] / bsd / net / necp.c
1 /*
2 * Copyright (c) 2013-2018 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <string.h>
30 #include <sys/systm.h>
31 #include <sys/types.h>
32 #include <sys/queue.h>
33 #include <sys/malloc.h>
34 #include <libkern/OSMalloc.h>
35 #include <sys/kernel.h>
36 #include <sys/kern_control.h>
37 #include <sys/mbuf.h>
38 #include <sys/kpi_mbuf.h>
39 #include <sys/proc_uuid_policy.h>
40 #include <net/if.h>
41 #include <sys/domain.h>
42 #include <sys/protosw.h>
43 #include <sys/socket.h>
44 #include <sys/socketvar.h>
45 #include <sys/coalition.h>
46 #include <netinet/ip.h>
47 #include <netinet/ip6.h>
48 #include <netinet/tcp.h>
49 #include <netinet/tcp_var.h>
50 #include <netinet/tcp_cache.h>
51 #include <netinet/udp.h>
52 #include <netinet/in_pcb.h>
53 #include <netinet/in_tclass.h>
54 #include <netinet6/esp.h>
55 #include <net/flowhash.h>
56 #include <net/if_var.h>
57 #include <sys/kauth.h>
58 #include <sys/sysctl.h>
59 #include <sys/sysproto.h>
60 #include <sys/priv.h>
61 #include <sys/kern_event.h>
62 #include <sys/file_internal.h>
63 #include <IOKit/IOBSD.h>
64 #include <net/network_agent.h>
65 #include <net/necp.h>
66
67 /*
68 * NECP - Network Extension Control Policy database
69 * ------------------------------------------------
70 * The goal of this module is to allow clients connecting via a
71 * kernel control socket to create high-level policy sessions, which
72 * are ingested into low-level kernel policies that control and tag
73 * traffic at the application, socket, and IP layers.
74 *
75 * ------------------------------------------------
76 * Sessions
77 * ------------------------------------------------
78 * Each session owns a list of session policies, each of which can
79 * specify any combination of conditions and a single result. Each
80 * session also has a priority level (such as High, Default, or Low)
81 * which is requested by the client. Based on the requested level,
82 * a session order value is assigned to the session, which will be used
83 * to sort kernel policies generated by the session. The session client
84 * can specify the sub-order for each policy it creates which will be
85 * used to further sort the kernel policies.
86 *
87 * Kernel Control Socket --> 1 necp_session --> list of necp_session_policy structs
88 *
89 * ------------------------------------------------
90 * Kernel Policies
91 * ------------------------------------------------
92 * Whenever a session send the Apply command, its policies are ingested
93 * and generate kernel policies. There are two phases of kernel policy
94 * ingestion.
95 *
96 * 1. The session policy is parsed to create kernel policies at the socket
97 * and IP layers, when applicable. For example, a policy that requires
98 * all traffic from App1 to Pass will generate a socket kernel policy to
99 * match App1 and mark packets with ID1, and also an IP policy to match
100 * ID1 and let the packet pass. This is handled in necp_apply_policy. The
101 * resulting kernel policies are added to the global socket and IP layer
102 * policy lists.
103 * necp_session_policy --> necp_kernel_socket_policy and necp_kernel_ip_output_policy
104 * || ||
105 * \/ \/
106 * necp_kernel_socket_policies necp_kernel_ip_output_policies
107 *
108 * 2. Once the global lists of kernel policies have been filled out, each
109 * list is traversed to create optimized sub-lists ("Maps") which are used during
110 * data-path evaluation. IP policies are sent into necp_kernel_ip_output_policies_map,
111 * which hashes incoming packets based on marked socket-layer policies, and removes
112 * duplicate or overlapping policies. Socket policies are sent into two maps,
113 * necp_kernel_socket_policies_map and necp_kernel_socket_policies_app_layer_map.
114 * The app layer map is used for policy checks coming in from user space, and is one
115 * list with duplicate and overlapping policies removed. The socket map hashes based
116 * on app UUID, and removes duplicate and overlapping policies.
117 * necp_kernel_socket_policy --> necp_kernel_socket_policies_app_layer_map
118 * |-> necp_kernel_socket_policies_map
119 *
120 * necp_kernel_ip_output_policies --> necp_kernel_ip_output_policies_map
121 *
122 * ------------------------------------------------
123 * Drop All Level
124 * ------------------------------------------------
125 * The Drop All Level is a sysctl that controls the level at which policies are allowed
126 * to override a global drop rule. If the value is 0, no drop rule is applied. If the value
127 * is 1, all traffic is dropped. If the value is greater than 1, all kernel policies created
128 * by a session with a priority level better than (numerically less than) the
129 * Drop All Level will allow matching traffic to not be dropped. The Drop All Level is
130 * dynamically interpreted into necp_drop_all_order, which specifies the equivalent assigned
131 * session orders to be dropped.
132 */
133
134 u_int32_t necp_drop_all_order = 0;
135 u_int32_t necp_drop_all_level = 0;
136
137 u_int32_t necp_pass_loopback = 1; // 0=Off, 1=On
138 u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
139
140 u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
141
142 u_int32_t necp_session_count = 0;
143
144 #define LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do { \
145 if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) { \
146 LIST_INSERT_HEAD((head), elm, field); \
147 } else { \
148 LIST_FOREACH(tmpelm, head, field) { \
149 if (LIST_NEXT(tmpelm, field) == NULL || LIST_NEXT(tmpelm, field)->sortfield >= (elm)->sortfield) { \
150 LIST_INSERT_AFTER(tmpelm, elm, field); \
151 break; \
152 } \
153 } \
154 } \
155 } while (0)
156
157 #define LIST_INSERT_SORTED_TWICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, tmpelm) do { \
158 if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield))) { \
159 LIST_INSERT_HEAD((head), elm, field); \
160 } else { \
161 LIST_FOREACH(tmpelm, head, field) { \
162 if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield))) { \
163 LIST_INSERT_AFTER(tmpelm, elm, field); \
164 break; \
165 } \
166 } \
167 } \
168 } while (0)
169
170 #define LIST_INSERT_SORTED_THRICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, thirdsortfield, tmpelm) do { \
171 if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield == (elm)->secondsortfield) && (LIST_FIRST(head)->thirdsortfield >= (elm)->thirdsortfield))) { \
172 LIST_INSERT_HEAD((head), elm, field); \
173 } else { \
174 LIST_FOREACH(tmpelm, head, field) { \
175 if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield == (elm)->secondsortfield) && (LIST_NEXT(tmpelm, field)->thirdsortfield >= (elm)->thirdsortfield))) { \
176 LIST_INSERT_AFTER(tmpelm, elm, field); \
177 break; \
178 } \
179 } \
180 } \
181 } while (0)
182
183 #define IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(x) ((x) == NECP_ROUTE_RULE_DENY_INTERFACE || (x) == NECP_ROUTE_RULE_ALLOW_INTERFACE)
184
185 #define NECP_KERNEL_CONDITION_ALL_INTERFACES 0x000001
186 #define NECP_KERNEL_CONDITION_BOUND_INTERFACE 0x000002
187 #define NECP_KERNEL_CONDITION_PROTOCOL 0x000004
188 #define NECP_KERNEL_CONDITION_LOCAL_START 0x000008
189 #define NECP_KERNEL_CONDITION_LOCAL_END 0x000010
190 #define NECP_KERNEL_CONDITION_LOCAL_PREFIX 0x000020
191 #define NECP_KERNEL_CONDITION_REMOTE_START 0x000040
192 #define NECP_KERNEL_CONDITION_REMOTE_END 0x000080
193 #define NECP_KERNEL_CONDITION_REMOTE_PREFIX 0x000100
194 #define NECP_KERNEL_CONDITION_APP_ID 0x000200
195 #define NECP_KERNEL_CONDITION_REAL_APP_ID 0x000400
196 #define NECP_KERNEL_CONDITION_DOMAIN 0x000800
197 #define NECP_KERNEL_CONDITION_ACCOUNT_ID 0x001000
198 #define NECP_KERNEL_CONDITION_POLICY_ID 0x002000
199 #define NECP_KERNEL_CONDITION_PID 0x004000
200 #define NECP_KERNEL_CONDITION_UID 0x008000
201 #define NECP_KERNEL_CONDITION_LAST_INTERFACE 0x010000 // Only set from packets looping between interfaces
202 #define NECP_KERNEL_CONDITION_TRAFFIC_CLASS 0x020000
203 #define NECP_KERNEL_CONDITION_ENTITLEMENT 0x040000
204 #define NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT 0x080000
205 #define NECP_KERNEL_CONDITION_AGENT_TYPE 0x100000
206
207 #define NECP_MAX_POLICY_RESULT_SIZE 512
208 #define NECP_MAX_ROUTE_RULES_ARRAY_SIZE 1024
209 #define NECP_MAX_CONDITIONS_ARRAY_SIZE 4096
210 #define NECP_MAX_POLICY_LIST_COUNT 1024
211
212 // Cap the policy size at the max result + conditions size, with room for extra TLVs
213 #define NECP_MAX_POLICY_SIZE (1024 + NECP_MAX_POLICY_RESULT_SIZE + NECP_MAX_CONDITIONS_ARRAY_SIZE)
214
215 struct necp_service_registration {
216 LIST_ENTRY(necp_service_registration) session_chain;
217 LIST_ENTRY(necp_service_registration) kernel_chain;
218 u_int32_t service_id;
219 };
220
221 struct necp_session {
222 u_int8_t necp_fd_type;
223 u_int32_t control_unit;
224 u_int32_t session_priority; // Descriptive priority rating
225 u_int32_t session_order;
226
227 necp_policy_id last_policy_id;
228
229 decl_lck_mtx_data(, lock);
230
231 bool proc_locked; // Messages must come from proc_uuid
232 uuid_t proc_uuid;
233 int proc_pid;
234
235 bool dirty;
236 LIST_HEAD(_policies, necp_session_policy) policies;
237
238 LIST_HEAD(_services, necp_service_registration) services;
239
240 TAILQ_ENTRY(necp_session) chain;
241 };
242
243 #define NECP_SESSION_LOCK(_s) lck_mtx_lock(&_s->lock)
244 #define NECP_SESSION_UNLOCK(_s) lck_mtx_unlock(&_s->lock)
245
246 static TAILQ_HEAD(_necp_session_list, necp_session) necp_session_list;
247
248 struct necp_socket_info {
249 pid_t pid;
250 uid_t uid;
251 union necp_sockaddr_union local_addr;
252 union necp_sockaddr_union remote_addr;
253 u_int32_t bound_interface_index;
254 u_int32_t traffic_class;
255 u_int16_t protocol;
256 u_int32_t application_id;
257 u_int32_t real_application_id;
258 u_int32_t account_id;
259 char *domain;
260 errno_t cred_result;
261 };
262
263 static kern_ctl_ref necp_kctlref;
264 static u_int32_t necp_family;
265 static OSMallocTag necp_malloc_tag;
266 static lck_grp_attr_t *necp_kernel_policy_grp_attr = NULL;
267 static lck_attr_t *necp_kernel_policy_mtx_attr = NULL;
268 static lck_grp_t *necp_kernel_policy_mtx_grp = NULL;
269 decl_lck_rw_data(static, necp_kernel_policy_lock);
270
271 static lck_grp_attr_t *necp_route_rule_grp_attr = NULL;
272 static lck_attr_t *necp_route_rule_mtx_attr = NULL;
273 static lck_grp_t *necp_route_rule_mtx_grp = NULL;
274 decl_lck_rw_data(static, necp_route_rule_lock);
275
276 /*
277 * On modification, invalidate cached lookups by bumping the generation count.
278 * Other calls will need to take the slowpath of taking
279 * the subsystem lock.
280 */
281 static volatile int32_t necp_kernel_socket_policies_gencount;
282 #define BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT() do { \
283 if (OSIncrementAtomic(&necp_kernel_socket_policies_gencount) == (INT32_MAX - 1)) { \
284 necp_kernel_socket_policies_gencount = 1; \
285 } \
286 } while (0)
287
288 static u_int32_t necp_kernel_application_policies_condition_mask;
289 static size_t necp_kernel_application_policies_count;
290 static u_int32_t necp_kernel_socket_policies_condition_mask;
291 static size_t necp_kernel_socket_policies_count;
292 static size_t necp_kernel_socket_policies_non_app_count;
293 static LIST_HEAD(_necpkernelsocketconnectpolicies, necp_kernel_socket_policy) necp_kernel_socket_policies;
294 #define NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS 5
295 #define NECP_SOCKET_MAP_APP_ID_TO_BUCKET(appid) (appid ? (appid%(NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS - 1) + 1) : 0)
296 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_map[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
297 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_app_layer_map;
298 /*
299 * A note on policy 'maps': these are used for boosting efficiency when matching policies. For each dimension of the map,
300 * such as an ID, the 0 bucket is reserved for sockets/packets that do not have this parameter, while the other
301 * buckets lead to an array of policy pointers that form the list applicable when the (parameter%(NUM_BUCKETS - 1) + 1) == bucket_index.
302 *
303 * For example, a packet with policy ID of 7, when there are 4 ID buckets, will map to bucket (7%3 + 1) = 2.
304 */
305
306 static u_int32_t necp_kernel_ip_output_policies_condition_mask;
307 static size_t necp_kernel_ip_output_policies_count;
308 static size_t necp_kernel_ip_output_policies_non_id_count;
309 static LIST_HEAD(_necpkernelipoutputpolicies, necp_kernel_ip_output_policy) necp_kernel_ip_output_policies;
310 #define NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS 5
311 #define NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(id) (id ? (id%(NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS - 1) + 1) : 0)
312 static struct necp_kernel_ip_output_policy **necp_kernel_ip_output_policies_map[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
313
314 static struct necp_session *necp_create_session(void);
315 static void necp_delete_session(struct necp_session *session);
316
317 static necp_policy_id necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_t packet,
318 u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *error);
319 static void necp_handle_policy_get(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
320 static void necp_handle_policy_delete(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
321 static void necp_handle_policy_apply_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
322 static void necp_handle_policy_list_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
323 static void necp_handle_policy_delete_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
324 static int necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet,
325 user_addr_t out_buffer, size_t out_buffer_length, int offset);
326 static void necp_handle_set_session_priority(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
327 static void necp_handle_lock_session_to_proc(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
328 static void necp_handle_register_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
329 static void necp_handle_unregister_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
330
331 #define MAX_RESULT_STRING_LEN 64
332 static inline const char * necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
333
334 static struct necp_session_policy *necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8_t *conditions_array, u_int32_t conditions_array_size, u_int8_t *route_rules_array, u_int32_t route_rules_array_size, u_int8_t *result, u_int32_t result_size);
335 static struct necp_session_policy *necp_policy_find(struct necp_session *session, necp_policy_id policy_id);
336 static bool necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy);
337 static bool necp_policy_mark_all_for_deletion(struct necp_session *session);
338 static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
339 static void necp_policy_apply_all(struct necp_session *session);
340
341 static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
342 static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
343 static bool necp_kernel_socket_policies_reprocess(void);
344 static bool necp_kernel_socket_policies_update_uuid_table(void);
345 static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id);
346
347 static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
348 static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
349 static bool necp_kernel_ip_output_policies_reprocess(void);
350
351 static bool necp_is_addr_in_range(struct sockaddr *addr, struct sockaddr *range_start, struct sockaddr *range_end);
352 static bool necp_is_range_in_range(struct sockaddr *inner_range_start, struct sockaddr *inner_range_end, struct sockaddr *range_start, struct sockaddr *range_end);
353 static bool necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix);
354 static int necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port);
355 static bool necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits);
356 static bool necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet);
357 static bool necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet);
358
359 struct necp_uuid_id_mapping {
360 LIST_ENTRY(necp_uuid_id_mapping) chain;
361 uuid_t uuid;
362 u_int32_t id;
363 u_int32_t refcount;
364 u_int32_t table_refcount; // Add to UUID policy table count
365 };
366 static size_t necp_num_uuid_app_id_mappings;
367 static bool necp_uuid_app_id_mappings_dirty;
368 #define NECP_UUID_APP_ID_HASH_SIZE 64
369 static u_long necp_uuid_app_id_hash_mask;
370 static u_long necp_uuid_app_id_hash_num_buckets;
371 static LIST_HEAD(necp_uuid_id_mapping_head, necp_uuid_id_mapping) *necp_uuid_app_id_hashtbl, necp_uuid_service_id_list; // App map is real hash table, service map is just mapping
372 #define APPUUIDHASH(uuid) (&necp_uuid_app_id_hashtbl[uuid[0] & necp_uuid_app_id_hash_mask]) // Assume first byte of UUIDs are evenly distributed
373 static u_int32_t necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table);
374 static bool necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table);
375 static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id);
376
377 static struct necp_uuid_id_mapping *necp_uuid_lookup_service_id_locked(uuid_t uuid);
378 static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id);
379 static u_int32_t necp_create_uuid_service_id_mapping(uuid_t uuid);
380 static bool necp_remove_uuid_service_id_mapping(uuid_t uuid);
381
382 struct necp_string_id_mapping {
383 LIST_ENTRY(necp_string_id_mapping) chain;
384 char *string;
385 necp_app_id id;
386 u_int32_t refcount;
387 };
388 static LIST_HEAD(necp_string_id_mapping_list, necp_string_id_mapping) necp_account_id_list;
389 static u_int32_t necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
390 static bool necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
391 static struct necp_string_id_mapping *necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id);
392
393 static struct necp_kernel_socket_policy *necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id);
394 static struct necp_kernel_ip_output_policy *necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id);
395
396 static LIST_HEAD(_necp_kernel_service_list, necp_service_registration) necp_registered_service_list;
397
398 static char *necp_create_trimmed_domain(char *string, size_t length);
399 static inline int necp_count_dots(char *string, size_t length);
400
401 static char *necp_copy_string(char *string, size_t length);
402 static bool necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id);
403
404 #define ROUTE_RULE_IS_AGGREGATE(ruleid) (ruleid > UINT16_MAX)
405
406 #define MAX_ROUTE_RULE_INTERFACES 10
407 struct necp_route_rule {
408 LIST_ENTRY(necp_route_rule) chain;
409 u_int32_t id;
410 u_int32_t default_action;
411 u_int8_t cellular_action;
412 u_int8_t wifi_action;
413 u_int8_t wired_action;
414 u_int8_t expensive_action;
415 u_int exception_if_indices[MAX_ROUTE_RULE_INTERFACES];
416 u_int8_t exception_if_actions[MAX_ROUTE_RULE_INTERFACES];
417 u_int32_t refcount;
418 };
419 static LIST_HEAD(necp_route_rule_list, necp_route_rule) necp_route_rules;
420 static u_int32_t necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size);
421 static bool necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id);
422 static bool necp_route_is_allowed(struct rtentry *route, ifnet_t interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied);
423 static struct necp_route_rule *necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id);
424 static inline void necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info);
425
426 #define MAX_AGGREGATE_ROUTE_RULES 16
427 struct necp_aggregate_route_rule {
428 LIST_ENTRY(necp_aggregate_route_rule) chain;
429 u_int32_t id;
430 u_int32_t rule_ids[MAX_AGGREGATE_ROUTE_RULES];
431 };
432 static LIST_HEAD(necp_aggregate_route_rule_list, necp_aggregate_route_rule) necp_aggregate_route_rules;
433 static u_int32_t necp_create_aggregate_route_rule(u_int32_t *rule_ids);
434
435 // Sysctl definitions
436 static int sysctl_handle_necp_level SYSCTL_HANDLER_ARGS;
437
438 SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
439 SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
440 SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
441 SYSCTL_INT(_net_necp, NECPCTL_DEBUG, debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_debug, 0, "");
442 SYSCTL_PROC(_net_necp, NECPCTL_DROP_ALL_LEVEL, drop_all_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_all_level, 0, &sysctl_handle_necp_level, "IU", "");
443 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_POLICY_COUNT, socket_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_count, "");
444 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_NON_APP_POLICY_COUNT, socket_non_app_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_non_app_count, "");
445 SYSCTL_LONG(_net_necp, NECPCTL_IP_POLICY_COUNT, ip_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_ip_output_policies_count, "");
446 SYSCTL_INT(_net_necp, NECPCTL_SESSION_COUNT, session_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_session_count, 0, "");
447
448 // Session order allocation
449 static u_int32_t
450 necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
451 {
452 u_int32_t new_order = 0;
453
454 // For now, just allocate 1000 orders for each priority
455 if (priority == NECP_SESSION_PRIORITY_UNKNOWN || priority > NECP_SESSION_NUM_PRIORITIES) {
456 priority = NECP_SESSION_PRIORITY_DEFAULT;
457 }
458
459 // Use the control unit to decide the offset into the priority list
460 new_order = (control_unit) + ((priority - 1) * 1000);
461
462 return (new_order);
463 }
464
465 static inline u_int32_t
466 necp_get_first_order_for_priority(u_int32_t priority)
467 {
468 return (((priority - 1) * 1000) + 1);
469 }
470
471 // Sysctl handler
472 static int
473 sysctl_handle_necp_level SYSCTL_HANDLER_ARGS
474 {
475 #pragma unused(arg1, arg2)
476 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
477 if (necp_drop_all_level == 0) {
478 necp_drop_all_order = 0;
479 } else {
480 necp_drop_all_order = necp_get_first_order_for_priority(necp_drop_all_level);
481 }
482 return (error);
483 }
484
485 // Session fd
486
487 static int noop_read(struct fileproc *, struct uio *, int, vfs_context_t);
488 static int noop_write(struct fileproc *, struct uio *, int, vfs_context_t);
489 static int noop_ioctl(struct fileproc *, unsigned long, caddr_t,
490 vfs_context_t);
491 static int noop_select(struct fileproc *, int, void *, vfs_context_t);
492 static int necp_session_op_close(struct fileglob *, vfs_context_t);
493 static int noop_kqfilter(struct fileproc *, struct knote *,
494 struct kevent_internal_s *, vfs_context_t);
495
496 static const struct fileops necp_session_fd_ops = {
497 .fo_type = DTYPE_NETPOLICY,
498 .fo_read = noop_read,
499 .fo_write = noop_write,
500 .fo_ioctl = noop_ioctl,
501 .fo_select = noop_select,
502 .fo_close = necp_session_op_close,
503 .fo_kqfilter = noop_kqfilter,
504 .fo_drain = NULL,
505 };
506
507 static int
508 noop_read(struct fileproc *fp, struct uio *uio, int flags, vfs_context_t ctx)
509 {
510 #pragma unused(fp, uio, flags, ctx)
511 return (ENXIO);
512 }
513
514 static int
515 noop_write(struct fileproc *fp, struct uio *uio, int flags,
516 vfs_context_t ctx)
517 {
518 #pragma unused(fp, uio, flags, ctx)
519 return (ENXIO);
520 }
521
522 static int
523 noop_ioctl(struct fileproc *fp, unsigned long com, caddr_t data,
524 vfs_context_t ctx)
525 {
526 #pragma unused(fp, com, data, ctx)
527 return (ENOTTY);
528 }
529
530 static int
531 noop_select(struct fileproc *fp, int which, void *wql, vfs_context_t ctx)
532 {
533 #pragma unused(fp, which, wql, ctx)
534 return (ENXIO);
535 }
536
537 static int
538 noop_kqfilter(struct fileproc *fp, struct knote *kn,
539 struct kevent_internal_s *kev, vfs_context_t ctx)
540 {
541 #pragma unused(fp, kn, kev, ctx)
542 return (ENXIO);
543 }
544
545 int
546 necp_session_open(struct proc *p, struct necp_session_open_args *uap, int *retval)
547 {
548 #pragma unused(uap)
549 int error = 0;
550 struct necp_session *session = NULL;
551 struct fileproc *fp = NULL;
552 int fd = -1;
553
554 uid_t uid = kauth_cred_getuid(proc_ucred(p));
555 if (uid != 0 && priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0) != 0) {
556 NECPLOG0(LOG_ERR, "Process does not hold necessary entitlement to open NECP session");
557 error = EACCES;
558 goto done;
559 }
560
561 error = falloc(p, &fp, &fd, vfs_context_current());
562 if (error != 0) {
563 goto done;
564 }
565
566 session = necp_create_session();
567 if (session == NULL) {
568 error = ENOMEM;
569 goto done;
570 }
571
572 fp->f_fglob->fg_flag = 0;
573 fp->f_fglob->fg_ops = &necp_session_fd_ops;
574 fp->f_fglob->fg_data = session;
575
576 proc_fdlock(p);
577 FDFLAGS_SET(p, fd, (UF_EXCLOSE | UF_FORKCLOSE));
578 procfdtbl_releasefd(p, fd, NULL);
579 fp_drop(p, fd, fp, 1);
580 proc_fdunlock(p);
581
582 *retval = fd;
583 done:
584 if (error != 0) {
585 if (fp != NULL) {
586 fp_free(p, fd, fp);
587 fp = NULL;
588 }
589 }
590
591 return (error);
592 }
593
594 static int
595 necp_session_op_close(struct fileglob *fg, vfs_context_t ctx)
596 {
597 #pragma unused(ctx)
598 struct necp_session *session = (struct necp_session *)fg->fg_data;
599 fg->fg_data = NULL;
600
601 if (session != NULL) {
602 necp_policy_mark_all_for_deletion(session);
603 necp_policy_apply_all(session);
604 necp_delete_session(session);
605 return (0);
606 } else {
607 return (ENOENT);
608 }
609 }
610
611 static int
612 necp_session_find_from_fd(int fd, struct necp_session **session)
613 {
614 proc_t p = current_proc();
615 struct fileproc *fp = NULL;
616 int error = 0;
617
618 proc_fdlock_spin(p);
619 if ((error = fp_lookup(p, fd, &fp, 1)) != 0) {
620 goto done;
621 }
622 if (fp->f_fglob->fg_ops->fo_type != DTYPE_NETPOLICY) {
623 fp_drop(p, fd, fp, 1);
624 error = ENODEV;
625 goto done;
626 }
627 *session = (struct necp_session *)fp->f_fglob->fg_data;
628
629 if ((*session)->necp_fd_type != necp_fd_type_session) {
630 // Not a client fd, ignore
631 error = EINVAL;
632 goto done;
633 }
634
635 done:
636 proc_fdunlock(p);
637 return (error);
638 }
639
640 static int
641 necp_session_add_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
642 {
643 int error = 0;
644 u_int8_t *tlv_buffer = NULL;
645
646 if (uap->in_buffer_length == 0 || uap->in_buffer_length > NECP_MAX_POLICY_SIZE || uap->in_buffer == 0) {
647 NECPLOG(LOG_ERR, "necp_session_add_policy invalid input (%zu)", uap->in_buffer_length);
648 error = EINVAL;
649 goto done;
650 }
651
652 if (uap->out_buffer_length < sizeof(necp_policy_id) || uap->out_buffer == 0) {
653 NECPLOG(LOG_ERR, "necp_session_add_policy invalid output buffer (%zu)", uap->out_buffer_length);
654 error = EINVAL;
655 goto done;
656 }
657
658 if ((tlv_buffer = _MALLOC(uap->in_buffer_length, M_NECP, M_WAITOK | M_ZERO)) == NULL) {
659 error = ENOMEM;
660 goto done;
661 }
662
663 error = copyin(uap->in_buffer, tlv_buffer, uap->in_buffer_length);
664 if (error != 0) {
665 NECPLOG(LOG_ERR, "necp_session_add_policy tlv copyin error (%d)", error);
666 goto done;
667 }
668
669 necp_policy_id new_policy_id = necp_handle_policy_add(session, 0, NULL, tlv_buffer, uap->in_buffer_length, 0, &error);
670 if (error != 0) {
671 NECPLOG(LOG_ERR, "necp_session_add_policy failed to add policy (%d)", error);
672 goto done;
673 }
674
675 error = copyout(&new_policy_id, uap->out_buffer, sizeof(new_policy_id));
676 if (error != 0) {
677 NECPLOG(LOG_ERR, "necp_session_add_policy policy_id copyout error (%d)", error);
678 goto done;
679 }
680
681 done:
682 if (tlv_buffer != NULL) {
683 FREE(tlv_buffer, M_NECP);
684 tlv_buffer = NULL;
685 }
686 *retval = error;
687
688 return (error);
689 }
690
691 static int
692 necp_session_get_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
693 {
694 int error = 0;
695 u_int8_t *response = NULL;
696
697 if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
698 NECPLOG(LOG_ERR, "necp_session_get_policy invalid input (%zu)", uap->in_buffer_length);
699 error = EINVAL;
700 goto done;
701 }
702
703 necp_policy_id policy_id = 0;
704 error = copyin(uap->in_buffer, &policy_id, sizeof(policy_id));
705 if (error != 0) {
706 NECPLOG(LOG_ERR, "necp_session_get_policy policy_id copyin error (%d)", error);
707 goto done;
708 }
709
710 struct necp_session_policy *policy = necp_policy_find(session, policy_id);
711 if (policy == NULL || policy->pending_deletion) {
712 NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
713 error = ENOENT;
714 goto done;
715 }
716
717 u_int32_t order_tlv_size = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_order);
718 u_int32_t result_tlv_size = (policy->result_size ? (sizeof(u_int8_t) + sizeof(u_int32_t) + policy->result_size) : 0);
719 u_int32_t response_size = order_tlv_size + result_tlv_size + policy->conditions_size;
720
721 if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
722 NECPLOG(LOG_ERR, "necp_session_get_policy buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
723 error = EINVAL;
724 goto done;
725 }
726
727 if (response_size > NECP_MAX_POLICY_SIZE) {
728 NECPLOG(LOG_ERR, "necp_session_get_policy size too large to copy (%u)", response_size);
729 error = EINVAL;
730 goto done;
731 }
732
733 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
734 if (response == NULL) {
735 error = ENOMEM;
736 goto done;
737 }
738
739 u_int8_t *cursor = response;
740 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, response, response_size);
741 if (result_tlv_size) {
742 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT, policy->result_size, &policy->result, response, response_size);
743 }
744 if (policy->conditions_size) {
745 memcpy(((u_int8_t *)(void *)(cursor)), policy->conditions, policy->conditions_size);
746 }
747
748 error = copyout(response, uap->out_buffer, response_size);
749 if (error != 0) {
750 NECPLOG(LOG_ERR, "necp_session_get_policy TLV copyout error (%d)", error);
751 goto done;
752 }
753
754 done:
755 if (response != NULL) {
756 FREE(response, M_NECP);
757 response = NULL;
758 }
759 *retval = error;
760
761 return (error);
762 }
763
764 static int
765 necp_session_delete_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
766 {
767 int error = 0;
768
769 if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
770 NECPLOG(LOG_ERR, "necp_session_delete_policy invalid input (%zu)", uap->in_buffer_length);
771 error = EINVAL;
772 goto done;
773 }
774
775 necp_policy_id delete_policy_id = 0;
776 error = copyin(uap->in_buffer, &delete_policy_id, sizeof(delete_policy_id));
777 if (error != 0) {
778 NECPLOG(LOG_ERR, "necp_session_delete_policy policy_id copyin error (%d)", error);
779 goto done;
780 }
781
782 struct necp_session_policy *policy = necp_policy_find(session, delete_policy_id);
783 if (policy == NULL || policy->pending_deletion) {
784 NECPLOG(LOG_ERR, "necp_session_delete_policy failed to find policy with id %u", delete_policy_id);
785 error = ENOENT;
786 goto done;
787 }
788
789 necp_policy_mark_for_deletion(session, policy);
790 done:
791 *retval = error;
792 return (error);
793 }
794
795 static int
796 necp_session_apply_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
797 {
798 #pragma unused(uap)
799 necp_policy_apply_all(session);
800 *retval = 0;
801 return (0);
802 }
803
804 static int
805 necp_session_list_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
806 {
807 u_int32_t tlv_size = (sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_id));
808 u_int32_t response_size = 0;
809 u_int8_t *response = NULL;
810 int num_policies = 0;
811 int cur_policy_index = 0;
812 int error = 0;
813 struct necp_session_policy *policy;
814
815 LIST_FOREACH(policy, &session->policies, chain) {
816 if (!policy->pending_deletion) {
817 num_policies++;
818 }
819 }
820
821 if (num_policies > NECP_MAX_POLICY_LIST_COUNT) {
822 NECPLOG(LOG_ERR, "necp_session_list_all size too large to copy (%u policies)", num_policies);
823 error = EINVAL;
824 goto done;
825 }
826
827 response_size = num_policies * tlv_size;
828 if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
829 NECPLOG(LOG_ERR, "necp_session_list_all buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
830 error = EINVAL;
831 goto done;
832 }
833
834 // Create a response with one Policy ID TLV for each policy
835 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
836 if (response == NULL) {
837 error = ENOMEM;
838 goto done;
839 }
840
841 u_int8_t *cursor = response;
842 LIST_FOREACH(policy, &session->policies, chain) {
843 if (!policy->pending_deletion && cur_policy_index < num_policies) {
844 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(u_int32_t), &policy->local_id, response, response_size);
845 cur_policy_index++;
846 }
847 }
848
849 error = copyout(response, uap->out_buffer, response_size);
850 if (error != 0) {
851 NECPLOG(LOG_ERR, "necp_session_list_all TLV copyout error (%d)", error);
852 goto done;
853 }
854
855 done:
856 if (response != NULL) {
857 FREE(response, M_NECP);
858 response = NULL;
859 }
860 *retval = error;
861
862 return (error);
863 }
864
865
866 static int
867 necp_session_delete_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
868 {
869 #pragma unused(uap)
870 necp_policy_mark_all_for_deletion(session);
871 *retval = 0;
872 return (0);
873 }
874
875 static int
876 necp_session_set_session_priority(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
877 {
878 int error = 0;
879 struct necp_session_policy *policy = NULL;
880 struct necp_session_policy *temp_policy = NULL;
881
882 if (uap->in_buffer_length < sizeof(necp_session_priority) || uap->in_buffer == 0) {
883 NECPLOG(LOG_ERR, "necp_session_set_session_priority invalid input (%zu)", uap->in_buffer_length);
884 error = EINVAL;
885 goto done;
886 }
887
888 necp_session_priority requested_session_priority = 0;
889 error = copyin(uap->in_buffer, &requested_session_priority, sizeof(requested_session_priority));
890 if (error != 0) {
891 NECPLOG(LOG_ERR, "necp_session_set_session_priority priority copyin error (%d)", error);
892 goto done;
893 }
894
895 // Enforce special session priorities with entitlements
896 if (requested_session_priority == NECP_SESSION_PRIORITY_CONTROL ||
897 requested_session_priority == NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL) {
898 errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
899 if (cred_result != 0) {
900 NECPLOG(LOG_ERR, "Session does not hold necessary entitlement to claim priority level %d", requested_session_priority);
901 error = EPERM;
902 goto done;
903 }
904 }
905
906 if (session->session_priority != requested_session_priority) {
907 session->session_priority = requested_session_priority;
908 session->session_order = necp_allocate_new_session_order(session->session_priority, session->control_unit);
909 session->dirty = TRUE;
910
911 // Mark all policies as needing updates
912 LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
913 policy->pending_update = TRUE;
914 }
915 }
916
917 done:
918 *retval = error;
919 return (error);
920 }
921
922 static int
923 necp_session_lock_to_process(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
924 {
925 #pragma unused(uap)
926 session->proc_locked = TRUE;
927 *retval = 0;
928 return (0);
929 }
930
931 static int
932 necp_session_register_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
933 {
934 int error = 0;
935 struct necp_service_registration *new_service = NULL;
936
937 if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
938 NECPLOG(LOG_ERR, "necp_session_register_service invalid input (%zu)", uap->in_buffer_length);
939 error = EINVAL;
940 goto done;
941 }
942
943 uuid_t service_uuid;
944 error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
945 if (error != 0) {
946 NECPLOG(LOG_ERR, "necp_session_register_service uuid copyin error (%d)", error);
947 goto done;
948 }
949
950 MALLOC(new_service, struct necp_service_registration *, sizeof(*new_service), M_NECP, M_WAITOK | M_ZERO);
951 if (new_service == NULL) {
952 NECPLOG0(LOG_ERR, "Failed to allocate service registration");
953 error = ENOMEM;
954 goto done;
955 }
956
957 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
958 new_service->service_id = necp_create_uuid_service_id_mapping(service_uuid);
959 LIST_INSERT_HEAD(&session->services, new_service, session_chain);
960 LIST_INSERT_HEAD(&necp_registered_service_list, new_service, kernel_chain);
961 lck_rw_done(&necp_kernel_policy_lock);
962
963 done:
964 *retval = error;
965 return (error);
966 }
967
968 static int
969 necp_session_unregister_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
970 {
971 int error = 0;
972 struct necp_service_registration *service = NULL;
973 struct necp_service_registration *temp_service = NULL;
974 struct necp_uuid_id_mapping *mapping = NULL;
975
976 if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
977 NECPLOG(LOG_ERR, "necp_session_unregister_service invalid input (%zu)", uap->in_buffer_length);
978 error = EINVAL;
979 goto done;
980 }
981
982 uuid_t service_uuid;
983 error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
984 if (error != 0) {
985 NECPLOG(LOG_ERR, "necp_session_unregister_service uuid copyin error (%d)", error);
986 goto done;
987 }
988
989 // Remove all matching services for this session
990 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
991 mapping = necp_uuid_lookup_service_id_locked(service_uuid);
992 if (mapping != NULL) {
993 LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
994 if (service->service_id == mapping->id) {
995 LIST_REMOVE(service, session_chain);
996 LIST_REMOVE(service, kernel_chain);
997 FREE(service, M_NECP);
998 }
999 }
1000 necp_remove_uuid_service_id_mapping(service_uuid);
1001 }
1002 lck_rw_done(&necp_kernel_policy_lock);
1003
1004 done:
1005 *retval = error;
1006 return (error);
1007 }
1008
1009 static int
1010 necp_session_dump_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
1011 {
1012 int error = 0;
1013
1014 if (uap->out_buffer_length == 0 || uap->out_buffer == 0) {
1015 NECPLOG(LOG_ERR, "necp_session_dump_all invalid output buffer (%zu)", uap->out_buffer_length);
1016 error = EINVAL;
1017 goto done;
1018 }
1019
1020 error = necp_handle_policy_dump_all(session, 0, NULL, uap->out_buffer, uap->out_buffer_length, 0);
1021 done:
1022 *retval = error;
1023 return (error);
1024 }
1025
1026 int
1027 necp_session_action(struct proc *p, struct necp_session_action_args *uap, int *retval)
1028 {
1029 #pragma unused(p)
1030 int error = 0;
1031 int return_value = 0;
1032 struct necp_session *session = NULL;
1033 error = necp_session_find_from_fd(uap->necp_fd, &session);
1034 if (error != 0) {
1035 NECPLOG(LOG_ERR, "necp_session_action find fd error (%d)", error);
1036 return (error);
1037 }
1038
1039 NECP_SESSION_LOCK(session);
1040
1041 if (session->proc_locked) {
1042 // Verify that the calling process is allowed to do actions
1043 uuid_t proc_uuid;
1044 proc_getexecutableuuid(current_proc(), proc_uuid, sizeof(proc_uuid));
1045 if (uuid_compare(proc_uuid, session->proc_uuid) != 0) {
1046 error = EPERM;
1047 goto done;
1048 }
1049 } else {
1050 // If not locked, update the proc_uuid and proc_pid of the session
1051 proc_getexecutableuuid(current_proc(), session->proc_uuid, sizeof(session->proc_uuid));
1052 session->proc_pid = proc_pid(current_proc());
1053 }
1054
1055 u_int32_t action = uap->action;
1056 switch (action) {
1057 case NECP_SESSION_ACTION_POLICY_ADD: {
1058 return_value = necp_session_add_policy(session, uap, retval);
1059 break;
1060 }
1061 case NECP_SESSION_ACTION_POLICY_GET: {
1062 return_value = necp_session_get_policy(session, uap, retval);
1063 break;
1064 }
1065 case NECP_SESSION_ACTION_POLICY_DELETE: {
1066 return_value = necp_session_delete_policy(session, uap, retval);
1067 break;
1068 }
1069 case NECP_SESSION_ACTION_POLICY_APPLY_ALL: {
1070 return_value = necp_session_apply_all(session, uap, retval);
1071 break;
1072 }
1073 case NECP_SESSION_ACTION_POLICY_LIST_ALL: {
1074 return_value = necp_session_list_all(session, uap, retval);
1075 break;
1076 }
1077 case NECP_SESSION_ACTION_POLICY_DELETE_ALL: {
1078 return_value = necp_session_delete_all(session, uap, retval);
1079 break;
1080 }
1081 case NECP_SESSION_ACTION_SET_SESSION_PRIORITY: {
1082 return_value = necp_session_set_session_priority(session, uap, retval);
1083 break;
1084 }
1085 case NECP_SESSION_ACTION_LOCK_SESSION_TO_PROC: {
1086 return_value = necp_session_lock_to_process(session, uap, retval);
1087 break;
1088 }
1089 case NECP_SESSION_ACTION_REGISTER_SERVICE: {
1090 return_value = necp_session_register_service(session, uap, retval);
1091 break;
1092 }
1093 case NECP_SESSION_ACTION_UNREGISTER_SERVICE: {
1094 return_value = necp_session_unregister_service(session, uap, retval);
1095 break;
1096 }
1097 case NECP_SESSION_ACTION_POLICY_DUMP_ALL: {
1098 return_value = necp_session_dump_all(session, uap, retval);
1099 break;
1100 }
1101 default: {
1102 NECPLOG(LOG_ERR, "necp_session_action unknown action (%u)", action);
1103 return_value = EINVAL;
1104 break;
1105 }
1106 }
1107
1108 done:
1109 NECP_SESSION_UNLOCK(session);
1110 file_drop(uap->necp_fd);
1111
1112 return (return_value);
1113 }
1114
1115 // Kernel Control functions
1116 static errno_t necp_register_control(void);
1117 static errno_t necp_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac, void **unitinfo);
1118 static errno_t necp_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo);
1119 static errno_t necp_ctl_send(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, mbuf_t m, int flags);
1120 static void necp_ctl_rcvd(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int flags);
1121 static errno_t necp_ctl_getopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t *len);
1122 static errno_t necp_ctl_setopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t len);
1123
1124 static bool necp_send_ctl_data(struct necp_session *session, u_int8_t *buffer, size_t buffer_size);
1125
1126 errno_t
1127 necp_init(void)
1128 {
1129 errno_t result = 0;
1130
1131 result = necp_register_control();
1132 if (result != 0) {
1133 goto done;
1134 }
1135
1136 necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
1137 if (necp_kernel_policy_grp_attr == NULL) {
1138 NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
1139 result = ENOMEM;
1140 goto done;
1141 }
1142
1143 necp_kernel_policy_mtx_grp = lck_grp_alloc_init(NECP_CONTROL_NAME, necp_kernel_policy_grp_attr);
1144 if (necp_kernel_policy_mtx_grp == NULL) {
1145 NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
1146 result = ENOMEM;
1147 goto done;
1148 }
1149
1150 necp_kernel_policy_mtx_attr = lck_attr_alloc_init();
1151 if (necp_kernel_policy_mtx_attr == NULL) {
1152 NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
1153 result = ENOMEM;
1154 goto done;
1155 }
1156
1157 lck_rw_init(&necp_kernel_policy_lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
1158
1159 necp_route_rule_grp_attr = lck_grp_attr_alloc_init();
1160 if (necp_route_rule_grp_attr == NULL) {
1161 NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
1162 result = ENOMEM;
1163 goto done;
1164 }
1165
1166 necp_route_rule_mtx_grp = lck_grp_alloc_init("necp_route_rule", necp_route_rule_grp_attr);
1167 if (necp_route_rule_mtx_grp == NULL) {
1168 NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
1169 result = ENOMEM;
1170 goto done;
1171 }
1172
1173 necp_route_rule_mtx_attr = lck_attr_alloc_init();
1174 if (necp_route_rule_mtx_attr == NULL) {
1175 NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
1176 result = ENOMEM;
1177 goto done;
1178 }
1179
1180 lck_rw_init(&necp_route_rule_lock, necp_route_rule_mtx_grp, necp_route_rule_mtx_attr);
1181
1182 necp_client_init();
1183
1184 TAILQ_INIT(&necp_session_list);
1185
1186 LIST_INIT(&necp_kernel_socket_policies);
1187 LIST_INIT(&necp_kernel_ip_output_policies);
1188
1189 LIST_INIT(&necp_account_id_list);
1190
1191 LIST_INIT(&necp_uuid_service_id_list);
1192
1193 LIST_INIT(&necp_registered_service_list);
1194
1195 LIST_INIT(&necp_route_rules);
1196 LIST_INIT(&necp_aggregate_route_rules);
1197
1198 necp_uuid_app_id_hashtbl = hashinit(NECP_UUID_APP_ID_HASH_SIZE, M_NECP, &necp_uuid_app_id_hash_mask);
1199 necp_uuid_app_id_hash_num_buckets = necp_uuid_app_id_hash_mask + 1;
1200 necp_num_uuid_app_id_mappings = 0;
1201 necp_uuid_app_id_mappings_dirty = FALSE;
1202
1203 necp_kernel_application_policies_condition_mask = 0;
1204 necp_kernel_socket_policies_condition_mask = 0;
1205 necp_kernel_ip_output_policies_condition_mask = 0;
1206
1207 necp_kernel_application_policies_count = 0;
1208 necp_kernel_socket_policies_count = 0;
1209 necp_kernel_socket_policies_non_app_count = 0;
1210 necp_kernel_ip_output_policies_count = 0;
1211 necp_kernel_ip_output_policies_non_id_count = 0;
1212
1213 necp_kernel_socket_policies_gencount = 1;
1214
1215 memset(&necp_kernel_socket_policies_map, 0, sizeof(necp_kernel_socket_policies_map));
1216 memset(&necp_kernel_ip_output_policies_map, 0, sizeof(necp_kernel_ip_output_policies_map));
1217 necp_kernel_socket_policies_app_layer_map = NULL;
1218
1219 done:
1220 if (result != 0) {
1221 if (necp_kernel_policy_mtx_attr != NULL) {
1222 lck_attr_free(necp_kernel_policy_mtx_attr);
1223 necp_kernel_policy_mtx_attr = NULL;
1224 }
1225 if (necp_kernel_policy_mtx_grp != NULL) {
1226 lck_grp_free(necp_kernel_policy_mtx_grp);
1227 necp_kernel_policy_mtx_grp = NULL;
1228 }
1229 if (necp_kernel_policy_grp_attr != NULL) {
1230 lck_grp_attr_free(necp_kernel_policy_grp_attr);
1231 necp_kernel_policy_grp_attr = NULL;
1232 }
1233 if (necp_route_rule_mtx_attr != NULL) {
1234 lck_attr_free(necp_route_rule_mtx_attr);
1235 necp_route_rule_mtx_attr = NULL;
1236 }
1237 if (necp_route_rule_mtx_grp != NULL) {
1238 lck_grp_free(necp_route_rule_mtx_grp);
1239 necp_route_rule_mtx_grp = NULL;
1240 }
1241 if (necp_route_rule_grp_attr != NULL) {
1242 lck_grp_attr_free(necp_route_rule_grp_attr);
1243 necp_route_rule_grp_attr = NULL;
1244 }
1245 if (necp_kctlref != NULL) {
1246 ctl_deregister(necp_kctlref);
1247 necp_kctlref = NULL;
1248 }
1249 }
1250 return (result);
1251 }
1252
1253 static errno_t
1254 necp_register_control(void)
1255 {
1256 struct kern_ctl_reg kern_ctl;
1257 errno_t result = 0;
1258
1259 // Create a tag to allocate memory
1260 necp_malloc_tag = OSMalloc_Tagalloc(NECP_CONTROL_NAME, OSMT_DEFAULT);
1261
1262 // Find a unique value for our interface family
1263 result = mbuf_tag_id_find(NECP_CONTROL_NAME, &necp_family);
1264 if (result != 0) {
1265 NECPLOG(LOG_ERR, "mbuf_tag_id_find_internal failed: %d", result);
1266 return (result);
1267 }
1268
1269 bzero(&kern_ctl, sizeof(kern_ctl));
1270 strlcpy(kern_ctl.ctl_name, NECP_CONTROL_NAME, sizeof(kern_ctl.ctl_name));
1271 kern_ctl.ctl_name[sizeof(kern_ctl.ctl_name) - 1] = 0;
1272 kern_ctl.ctl_flags = CTL_FLAG_PRIVILEGED; // Require root
1273 kern_ctl.ctl_sendsize = 64 * 1024;
1274 kern_ctl.ctl_recvsize = 64 * 1024;
1275 kern_ctl.ctl_connect = necp_ctl_connect;
1276 kern_ctl.ctl_disconnect = necp_ctl_disconnect;
1277 kern_ctl.ctl_send = necp_ctl_send;
1278 kern_ctl.ctl_rcvd = necp_ctl_rcvd;
1279 kern_ctl.ctl_setopt = necp_ctl_setopt;
1280 kern_ctl.ctl_getopt = necp_ctl_getopt;
1281
1282 result = ctl_register(&kern_ctl, &necp_kctlref);
1283 if (result != 0) {
1284 NECPLOG(LOG_ERR, "ctl_register failed: %d", result);
1285 return (result);
1286 }
1287
1288 return (0);
1289 }
1290
1291 static void
1292 necp_post_change_event(struct kev_necp_policies_changed_data *necp_event_data)
1293 {
1294 struct kev_msg ev_msg;
1295 memset(&ev_msg, 0, sizeof(ev_msg));
1296
1297 ev_msg.vendor_code = KEV_VENDOR_APPLE;
1298 ev_msg.kev_class = KEV_NETWORK_CLASS;
1299 ev_msg.kev_subclass = KEV_NECP_SUBCLASS;
1300 ev_msg.event_code = KEV_NECP_POLICIES_CHANGED;
1301
1302 ev_msg.dv[0].data_ptr = necp_event_data;
1303 ev_msg.dv[0].data_length = sizeof(necp_event_data->changed_count);
1304 ev_msg.dv[1].data_length = 0;
1305
1306 kev_post_msg(&ev_msg);
1307 }
1308
1309 static errno_t
1310 necp_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac, void **unitinfo)
1311 {
1312 #pragma unused(kctlref, sac)
1313 *unitinfo = necp_create_session();
1314 if (*unitinfo == NULL) {
1315 // Could not allocate session
1316 return (ENOBUFS);
1317 }
1318
1319 return (0);
1320 }
1321
1322 static errno_t
1323 necp_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo)
1324 {
1325 #pragma unused(kctlref, unit)
1326 struct necp_session *session = (struct necp_session *)unitinfo;
1327 if (session != NULL) {
1328 necp_policy_mark_all_for_deletion(session);
1329 necp_policy_apply_all(session);
1330 necp_delete_session((struct necp_session *)unitinfo);
1331 }
1332
1333 return (0);
1334 }
1335
1336
1337 // Message handling
1338 static int
1339 necp_packet_find_tlv(mbuf_t packet, int offset, u_int8_t type, int *err, int next)
1340 {
1341 size_t cursor = offset;
1342 int error = 0;
1343 u_int32_t curr_length;
1344 u_int8_t curr_type;
1345
1346 *err = 0;
1347
1348 do {
1349 if (!next) {
1350 error = mbuf_copydata(packet, cursor, sizeof(curr_type), &curr_type);
1351 if (error) {
1352 *err = ENOENT;
1353 return (-1);
1354 }
1355 } else {
1356 next = 0;
1357 curr_type = NECP_TLV_NIL;
1358 }
1359
1360 if (curr_type != type) {
1361 cursor += sizeof(curr_type);
1362 error = mbuf_copydata(packet, cursor, sizeof(curr_length), &curr_length);
1363 if (error) {
1364 *err = error;
1365 return (-1);
1366 }
1367 cursor += (sizeof(curr_length) + curr_length);
1368 }
1369 } while (curr_type != type);
1370
1371 return (cursor);
1372 }
1373
1374 static int
1375 necp_packet_get_tlv_at_offset(mbuf_t packet, int tlv_offset, u_int32_t buff_len, void *buff, u_int32_t *value_size)
1376 {
1377 int error = 0;
1378 u_int32_t length;
1379
1380 if (tlv_offset < 0) {
1381 return (EINVAL);
1382 }
1383
1384 error = mbuf_copydata(packet, tlv_offset + sizeof(u_int8_t), sizeof(length), &length);
1385 if (error) {
1386 return (error);
1387 }
1388
1389 u_int32_t total_len = m_length2(packet, NULL);
1390 if (total_len < (tlv_offset + sizeof(u_int8_t) + sizeof(length) + length)) {
1391 NECPLOG(LOG_ERR, "Got a bad TLV, length (%u) + offset (%d) < total length (%u)",
1392 length, (tlv_offset + sizeof(u_int8_t) + sizeof(length)), total_len);
1393 return (EINVAL);
1394 }
1395
1396 if (value_size != NULL) {
1397 *value_size = length;
1398 }
1399
1400 if (buff != NULL && buff_len > 0) {
1401 u_int32_t to_copy = (length < buff_len) ? length : buff_len;
1402 error = mbuf_copydata(packet, tlv_offset + sizeof(u_int8_t) + sizeof(length), to_copy, buff);
1403 if (error) {
1404 return (error);
1405 }
1406 }
1407
1408 return (0);
1409 }
1410
1411 static u_int8_t *
1412 necp_buffer_write_packet_header(u_int8_t *buffer, u_int8_t packet_type, u_int8_t flags, u_int32_t message_id)
1413 {
1414 ((struct necp_packet_header *)(void *)buffer)->packet_type = packet_type;
1415 ((struct necp_packet_header *)(void *)buffer)->flags = flags;
1416 ((struct necp_packet_header *)(void *)buffer)->message_id = message_id;
1417 return (buffer + sizeof(struct necp_packet_header));
1418 }
1419
1420 static inline bool
1421 necp_buffer_write_tlv_validate(u_int8_t *cursor, u_int8_t type, u_int32_t length,
1422 u_int8_t *buffer, u_int32_t buffer_length)
1423 {
1424 if (cursor < buffer || (uintptr_t)(cursor - buffer) > buffer_length) {
1425 NECPLOG0(LOG_ERR, "Cannot write TLV in buffer (invalid cursor)");
1426 return (false);
1427 }
1428 u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
1429 if (next_tlv <= buffer || // make sure the next TLV start doesn't overflow
1430 (uintptr_t)(next_tlv - buffer) > buffer_length) { // make sure the next TLV has enough room in buffer
1431 NECPLOG(LOG_ERR, "Cannot write TLV in buffer (TLV length %u, buffer length %u)",
1432 length, buffer_length);
1433 return (false);
1434 }
1435 return (true);
1436 }
1437
1438 u_int8_t *
1439 necp_buffer_write_tlv_if_different(u_int8_t *cursor, u_int8_t type,
1440 u_int32_t length, const void *value, bool *updated,
1441 u_int8_t *buffer, u_int32_t buffer_length)
1442 {
1443 if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
1444 return (NULL);
1445 }
1446 u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
1447 if (*updated || *(u_int8_t *)(cursor) != type) {
1448 *(u_int8_t *)(cursor) = type;
1449 *updated = TRUE;
1450 }
1451 if (*updated || *(u_int32_t *)(void *)(cursor + sizeof(type)) != length) {
1452 *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
1453 *updated = TRUE;
1454 }
1455 if (length > 0) {
1456 if (*updated || memcmp((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length) != 0) {
1457 memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
1458 *updated = TRUE;
1459 }
1460 }
1461 return (next_tlv);
1462 }
1463
1464 u_int8_t *
1465 necp_buffer_write_tlv(u_int8_t *cursor, u_int8_t type,
1466 u_int32_t length, const void *value,
1467 u_int8_t *buffer, u_int32_t buffer_length)
1468 {
1469 if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
1470 return (NULL);
1471 }
1472 u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
1473 *(u_int8_t *)(cursor) = type;
1474 *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
1475 if (length > 0) {
1476 memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
1477 }
1478
1479 return (next_tlv);
1480 }
1481
1482 u_int8_t
1483 necp_buffer_get_tlv_type(u_int8_t *buffer, int tlv_offset)
1484 {
1485 u_int8_t *type = NULL;
1486
1487 if (buffer == NULL) {
1488 return (0);
1489 }
1490
1491 type = (u_int8_t *)((u_int8_t *)buffer + tlv_offset);
1492 return (type ? *type : 0);
1493 }
1494
1495 u_int32_t
1496 necp_buffer_get_tlv_length(u_int8_t *buffer, int tlv_offset)
1497 {
1498 u_int32_t *length = NULL;
1499
1500 if (buffer == NULL) {
1501 return (0);
1502 }
1503
1504 length = (u_int32_t *)(void *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t));
1505 return (length ? *length : 0);
1506 }
1507
1508 u_int8_t *
1509 necp_buffer_get_tlv_value(u_int8_t *buffer, int tlv_offset, u_int32_t *value_size)
1510 {
1511 u_int8_t *value = NULL;
1512 u_int32_t length = necp_buffer_get_tlv_length(buffer, tlv_offset);
1513 if (length == 0) {
1514 return (value);
1515 }
1516
1517 if (value_size) {
1518 *value_size = length;
1519 }
1520
1521 value = (u_int8_t *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
1522 return (value);
1523 }
1524
1525 int
1526 necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int next)
1527 {
1528 if (offset < 0) {
1529 return (-1);
1530 }
1531 int cursor = offset;
1532 int next_cursor;
1533 u_int32_t curr_length;
1534 u_int8_t curr_type;
1535
1536 while (TRUE) {
1537 if ((((u_int32_t)cursor) + sizeof(curr_type) + sizeof(curr_length)) > buffer_length) {
1538 return (-1);
1539 }
1540 if (!next) {
1541 curr_type = necp_buffer_get_tlv_type(buffer, cursor);
1542 } else {
1543 next = 0;
1544 curr_type = NECP_TLV_NIL;
1545 }
1546 curr_length = necp_buffer_get_tlv_length(buffer, cursor);
1547 if (curr_length > buffer_length - ((u_int32_t)cursor + sizeof(curr_type) + sizeof(curr_length))) {
1548 return (-1);
1549 }
1550
1551 next_cursor = (cursor + sizeof(curr_type) + sizeof(curr_length) + curr_length);
1552 if (curr_type == type) {
1553 // check if entire TLV fits inside buffer
1554 if (((u_int32_t)next_cursor) <= buffer_length) {
1555 return (cursor);
1556 } else {
1557 return (-1);
1558 }
1559 }
1560 cursor = next_cursor;
1561 }
1562 }
1563
1564 static int
1565 necp_find_tlv(mbuf_t packet, u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int *err, int next)
1566 {
1567 int cursor = -1;
1568 if (packet != NULL) {
1569 cursor = necp_packet_find_tlv(packet, offset, type, err, next);
1570 } else if (buffer != NULL) {
1571 cursor = necp_buffer_find_tlv(buffer, buffer_length, offset, type, next);
1572 }
1573 return (cursor);
1574 }
1575
1576 static int
1577 necp_get_tlv_at_offset(mbuf_t packet, u_int8_t *buffer, u_int32_t buffer_length,
1578 int tlv_offset, u_int32_t out_buffer_length, void *out_buffer, u_int32_t *value_size)
1579 {
1580 if (packet != NULL) {
1581 // Handle mbuf parsing
1582 return necp_packet_get_tlv_at_offset(packet, tlv_offset, out_buffer_length, out_buffer, value_size);
1583 }
1584
1585 if (buffer == NULL) {
1586 NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset buffer is NULL");
1587 return (EINVAL);
1588 }
1589
1590 // Handle buffer parsing
1591
1592 // Validate that buffer has enough room for any TLV
1593 if (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) > buffer_length) {
1594 NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV (%u < %u)",
1595 buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
1596 return (EINVAL);
1597 }
1598
1599 // Validate that buffer has enough room for this TLV
1600 u_int32_t tlv_length = necp_buffer_get_tlv_length(buffer, tlv_offset);
1601 if (tlv_length > buffer_length - (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t))) {
1602 NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV of length %u (%u < %u)",
1603 tlv_length, buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) + tlv_length);
1604 return (EINVAL);
1605 }
1606
1607 if (out_buffer != NULL && out_buffer_length > 0) {
1608 // Validate that out buffer is large enough for value
1609 if (out_buffer_length < tlv_length) {
1610 NECPLOG(LOG_ERR, "necp_get_tlv_at_offset out_buffer_length is too small for TLV value (%u < %u)",
1611 out_buffer_length, tlv_length);
1612 return (EINVAL);
1613 }
1614
1615 // Get value pointer
1616 u_int8_t *tlv_value = necp_buffer_get_tlv_value(buffer, tlv_offset, NULL);
1617 if (tlv_value == NULL) {
1618 NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset tlv_value is NULL");
1619 return (ENOENT);
1620 }
1621
1622 // Copy value
1623 memcpy(out_buffer, tlv_value, tlv_length);
1624 }
1625
1626 // Copy out length
1627 if (value_size != NULL) {
1628 *value_size = tlv_length;
1629 }
1630
1631 return (0);
1632 }
1633
1634 static int
1635 necp_get_tlv(mbuf_t packet, u_int8_t *buffer, u_int32_t buffer_length,
1636 int offset, u_int8_t type, u_int32_t buff_len, void *buff, u_int32_t *value_size)
1637 {
1638 int error = 0;
1639
1640 int tlv_offset = necp_find_tlv(packet, buffer, buffer_length, offset, type, &error, 0);
1641 if (tlv_offset < 0) {
1642 return (error);
1643 }
1644
1645 return (necp_get_tlv_at_offset(packet, buffer, buffer_length, tlv_offset, buff_len, buff, value_size));
1646 }
1647
1648 static bool
1649 necp_send_ctl_data(struct necp_session *session, u_int8_t *buffer, size_t buffer_size)
1650 {
1651 int error;
1652
1653 if (necp_kctlref == NULL || session == NULL || buffer == NULL || buffer_size == 0) {
1654 return (FALSE);
1655 }
1656
1657 error = ctl_enqueuedata(necp_kctlref, session->control_unit, buffer, buffer_size, CTL_DATA_EOR);
1658
1659 return (error == 0);
1660 }
1661
1662 static bool
1663 necp_send_success_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id)
1664 {
1665 bool success = TRUE;
1666 u_int8_t *response = NULL;
1667 u_int8_t *cursor = NULL;
1668 size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t);
1669 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
1670 if (response == NULL) {
1671 return (FALSE);
1672 }
1673 cursor = response;
1674 cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
1675 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_NIL, 0, NULL, response, response_size);
1676
1677 if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
1678 NECPLOG0(LOG_ERR, "Failed to send response");
1679 }
1680
1681 FREE(response, M_NECP);
1682 return (success);
1683 }
1684
1685 static bool
1686 necp_send_error_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id, u_int32_t error)
1687 {
1688 bool success = TRUE;
1689 u_int8_t *response = NULL;
1690 u_int8_t *cursor = NULL;
1691 size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t);
1692 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
1693 if (response == NULL) {
1694 return (FALSE);
1695 }
1696 cursor = response;
1697 cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
1698 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ERROR, sizeof(error), &error, response, response_size);
1699
1700 if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
1701 NECPLOG0(LOG_ERR, "Failed to send response");
1702 }
1703
1704 FREE(response, M_NECP);
1705 return (success);
1706 }
1707
1708 static bool
1709 necp_send_policy_id_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id, necp_policy_id policy_id)
1710 {
1711 bool success = TRUE;
1712 u_int8_t *response = NULL;
1713 u_int8_t *cursor = NULL;
1714 size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t);
1715 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
1716 if (response == NULL) {
1717 return (FALSE);
1718 }
1719 cursor = response;
1720 cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
1721 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id, response, response_size);
1722
1723 if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
1724 NECPLOG0(LOG_ERR, "Failed to send response");
1725 }
1726
1727 FREE(response, M_NECP);
1728 return (success);
1729 }
1730
1731 static errno_t
1732 necp_ctl_send(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, mbuf_t packet, int flags)
1733 {
1734 #pragma unused(kctlref, unit, flags)
1735 struct necp_session *session = (struct necp_session *)unitinfo;
1736 struct necp_packet_header header;
1737 int error = 0;
1738
1739 if (session == NULL) {
1740 NECPLOG0(LOG_ERR, "Got a NULL session");
1741 error = EINVAL;
1742 goto done;
1743 }
1744
1745 if (mbuf_pkthdr_len(packet) < sizeof(header)) {
1746 NECPLOG(LOG_ERR, "Got a bad packet, length (%lu) < sizeof header (%lu)", mbuf_pkthdr_len(packet), sizeof(header));
1747 error = EINVAL;
1748 goto done;
1749 }
1750
1751 error = mbuf_copydata(packet, 0, sizeof(header), &header);
1752 if (error) {
1753 NECPLOG(LOG_ERR, "mbuf_copydata failed for the header: %d", error);
1754 error = ENOBUFS;
1755 goto done;
1756 }
1757
1758 if (session->proc_locked) {
1759 // Verify that the calling process is allowed to send messages
1760 uuid_t proc_uuid;
1761 proc_getexecutableuuid(current_proc(), proc_uuid, sizeof(proc_uuid));
1762 if (uuid_compare(proc_uuid, session->proc_uuid) != 0) {
1763 necp_send_error_response(session, header.packet_type, header.message_id, NECP_ERROR_INVALID_PROCESS);
1764 goto done;
1765 }
1766 } else {
1767 // If not locked, update the proc_uuid and proc_pid of the session
1768 proc_getexecutableuuid(current_proc(), session->proc_uuid, sizeof(session->proc_uuid));
1769 session->proc_pid = proc_pid(current_proc());
1770 }
1771
1772 switch (header.packet_type) {
1773 case NECP_PACKET_TYPE_POLICY_ADD: {
1774 necp_handle_policy_add(session, header.message_id, packet, NULL, 0, sizeof(header), NULL);
1775 break;
1776 }
1777 case NECP_PACKET_TYPE_POLICY_GET: {
1778 necp_handle_policy_get(session, header.message_id, packet, sizeof(header));
1779 break;
1780 }
1781 case NECP_PACKET_TYPE_POLICY_DELETE: {
1782 necp_handle_policy_delete(session, header.message_id, packet, sizeof(header));
1783 break;
1784 }
1785 case NECP_PACKET_TYPE_POLICY_APPLY_ALL: {
1786 necp_handle_policy_apply_all(session, header.message_id, packet, sizeof(header));
1787 break;
1788 }
1789 case NECP_PACKET_TYPE_POLICY_LIST_ALL: {
1790 necp_handle_policy_list_all(session, header.message_id, packet, sizeof(header));
1791 break;
1792 }
1793 case NECP_PACKET_TYPE_POLICY_DELETE_ALL: {
1794 necp_handle_policy_delete_all(session, header.message_id, packet, sizeof(header));
1795 break;
1796 }
1797 case NECP_PACKET_TYPE_POLICY_DUMP_ALL: {
1798 necp_handle_policy_dump_all(session, header.message_id, packet, 0, 0, sizeof(header));
1799 break;
1800 }
1801 case NECP_PACKET_TYPE_SET_SESSION_PRIORITY: {
1802 necp_handle_set_session_priority(session, header.message_id, packet, sizeof(header));
1803 break;
1804 }
1805 case NECP_PACKET_TYPE_LOCK_SESSION_TO_PROC: {
1806 necp_handle_lock_session_to_proc(session, header.message_id, packet, sizeof(header));
1807 break;
1808 }
1809 case NECP_PACKET_TYPE_REGISTER_SERVICE: {
1810 necp_handle_register_service(session, header.message_id, packet, sizeof(header));
1811 break;
1812 }
1813 case NECP_PACKET_TYPE_UNREGISTER_SERVICE: {
1814 necp_handle_unregister_service(session, header.message_id, packet, sizeof(header));
1815 break;
1816 }
1817 default: {
1818 NECPLOG(LOG_ERR, "Received unknown message type %d", header.packet_type);
1819 necp_send_error_response(session, header.packet_type, header.message_id, NECP_ERROR_UNKNOWN_PACKET_TYPE);
1820 break;
1821 }
1822 }
1823
1824 done:
1825 mbuf_freem(packet);
1826 return (error);
1827 }
1828
1829 static void
1830 necp_ctl_rcvd(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int flags)
1831 {
1832 #pragma unused(kctlref, unit, unitinfo, flags)
1833 return;
1834 }
1835
1836 static errno_t
1837 necp_ctl_getopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t *len)
1838 {
1839 #pragma unused(kctlref, unit, unitinfo, opt, data, len)
1840 return (0);
1841 }
1842
1843 static errno_t
1844 necp_ctl_setopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t len)
1845 {
1846 #pragma unused(kctlref, unit, unitinfo, opt, data, len)
1847 return (0);
1848 }
1849
1850 // Session Management
1851
1852 static struct necp_session *
1853 necp_create_session(void)
1854 {
1855 struct necp_session *new_session = NULL;
1856
1857 MALLOC(new_session, struct necp_session *, sizeof(*new_session), M_NECP, M_WAITOK | M_ZERO);
1858 if (new_session == NULL) {
1859 goto done;
1860 }
1861
1862 new_session->necp_fd_type = necp_fd_type_session;
1863 new_session->session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
1864 new_session->dirty = FALSE;
1865 LIST_INIT(&new_session->policies);
1866 lck_mtx_init(&new_session->lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
1867
1868 // Take the lock
1869 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1870
1871 // Find the next available control unit
1872 u_int32_t control_unit = 1;
1873 struct necp_session *next_session = NULL;
1874 TAILQ_FOREACH(next_session, &necp_session_list, chain) {
1875 if (next_session->control_unit > control_unit) {
1876 // Found a gap, grab this control unit
1877 break;
1878 }
1879
1880 // Try the next control unit, loop around
1881 control_unit = next_session->control_unit + 1;
1882 }
1883
1884 new_session->control_unit = control_unit;
1885 new_session->session_order = necp_allocate_new_session_order(new_session->session_priority, control_unit);
1886
1887 if (next_session != NULL) {
1888 TAILQ_INSERT_BEFORE(next_session, new_session, chain);
1889 } else {
1890 TAILQ_INSERT_TAIL(&necp_session_list, new_session, chain);
1891 }
1892
1893 necp_session_count++;
1894 lck_rw_done(&necp_kernel_policy_lock);
1895
1896 if (necp_debug) {
1897 NECPLOG(LOG_DEBUG, "Created NECP session, control unit %d", control_unit);
1898 }
1899
1900 done:
1901 return (new_session);
1902 }
1903
1904 static void
1905 necp_delete_session(struct necp_session *session)
1906 {
1907 if (session != NULL) {
1908 struct necp_service_registration *service = NULL;
1909 struct necp_service_registration *temp_service = NULL;
1910 LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
1911 LIST_REMOVE(service, session_chain);
1912 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1913 LIST_REMOVE(service, kernel_chain);
1914 lck_rw_done(&necp_kernel_policy_lock);
1915 FREE(service, M_NECP);
1916 }
1917 if (necp_debug) {
1918 NECPLOG0(LOG_DEBUG, "Deleted NECP session");
1919 }
1920
1921 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1922 TAILQ_REMOVE(&necp_session_list, session, chain);
1923 necp_session_count--;
1924 lck_rw_done(&necp_kernel_policy_lock);
1925
1926 lck_mtx_destroy(&session->lock, necp_kernel_policy_mtx_grp);
1927 FREE(session, M_NECP);
1928 }
1929 }
1930
1931 // Session Policy Management
1932
1933 static inline u_int8_t
1934 necp_policy_result_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
1935 {
1936 return ((buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0);
1937 }
1938
1939 static inline u_int32_t
1940 necp_policy_result_get_parameter_length_from_buffer(u_int8_t *buffer, u_int32_t length)
1941 {
1942 return ((buffer && length > sizeof(u_int8_t)) ? (length - sizeof(u_int8_t)) : 0);
1943 }
1944
1945 static inline u_int8_t *
1946 necp_policy_result_get_parameter_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
1947 {
1948 return ((buffer && length > sizeof(u_int8_t)) ? (buffer + sizeof(u_int8_t)) : NULL);
1949 }
1950
1951 static bool
1952 necp_policy_result_requires_route_rules(u_int8_t *buffer, u_int32_t length)
1953 {
1954 u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
1955 if (type == NECP_POLICY_RESULT_ROUTE_RULES) {
1956 return (TRUE);
1957 }
1958 return (FALSE);
1959 }
1960
1961 static inline bool
1962 necp_address_is_valid(struct sockaddr *address)
1963 {
1964 if (address->sa_family == AF_INET) {
1965 return (address->sa_len == sizeof(struct sockaddr_in));
1966 } else if (address->sa_family == AF_INET6) {
1967 return (address->sa_len == sizeof(struct sockaddr_in6));
1968 } else {
1969 return (FALSE);
1970 }
1971 }
1972
1973 static bool
1974 necp_policy_result_is_valid(u_int8_t *buffer, u_int32_t length)
1975 {
1976 bool validated = FALSE;
1977 u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
1978 u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
1979 switch (type) {
1980 case NECP_POLICY_RESULT_PASS:
1981 case NECP_POLICY_RESULT_DROP:
1982 case NECP_POLICY_RESULT_ROUTE_RULES:
1983 case NECP_POLICY_RESULT_SCOPED_DIRECT: {
1984 validated = TRUE;
1985 break;
1986 }
1987 case NECP_POLICY_RESULT_SKIP:
1988 case NECP_POLICY_RESULT_SOCKET_DIVERT:
1989 case NECP_POLICY_RESULT_SOCKET_FILTER: {
1990 if (parameter_length >= sizeof(u_int32_t)) {
1991 validated = TRUE;
1992 }
1993 break;
1994 }
1995 case NECP_POLICY_RESULT_IP_TUNNEL: {
1996 if (parameter_length > sizeof(u_int32_t)) {
1997 validated = TRUE;
1998 }
1999 break;
2000 }
2001 case NECP_POLICY_RESULT_SOCKET_SCOPED: {
2002 if (parameter_length > 0) {
2003 validated = TRUE;
2004 }
2005 break;
2006 }
2007 case NECP_POLICY_RESULT_TRIGGER:
2008 case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
2009 case NECP_POLICY_RESULT_TRIGGER_SCOPED:
2010 case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED:
2011 case NECP_POLICY_RESULT_USE_NETAGENT:
2012 case NECP_POLICY_RESULT_NETAGENT_SCOPED:{
2013 if (parameter_length >= sizeof(uuid_t)) {
2014 validated = TRUE;
2015 }
2016 break;
2017 }
2018 default: {
2019 validated = FALSE;
2020 break;
2021 }
2022 }
2023
2024 if (necp_debug) {
2025 NECPLOG(LOG_DEBUG, "Policy result type %d, valid %d", type, validated);
2026 }
2027
2028 return (validated);
2029 }
2030
2031 static inline u_int8_t
2032 necp_policy_condition_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
2033 {
2034 return ((buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0);
2035 }
2036
2037 static inline u_int8_t
2038 necp_policy_condition_get_flags_from_buffer(u_int8_t *buffer, u_int32_t length)
2039 {
2040 return ((buffer && length >= (2 * sizeof(u_int8_t))) ? buffer[1] : 0);
2041 }
2042
2043 static inline u_int32_t
2044 necp_policy_condition_get_value_length_from_buffer(u_int8_t *buffer, u_int32_t length)
2045 {
2046 return ((buffer && length >= (2 * sizeof(u_int8_t))) ? (length - (2 * sizeof(u_int8_t))) : 0);
2047 }
2048
2049 static inline u_int8_t *
2050 necp_policy_condition_get_value_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
2051 {
2052 return ((buffer && length > (2 * sizeof(u_int8_t))) ? (buffer + (2 * sizeof(u_int8_t))) : NULL);
2053 }
2054
2055 static inline bool
2056 necp_policy_condition_is_default(u_int8_t *buffer, u_int32_t length)
2057 {
2058 return (necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_DEFAULT);
2059 }
2060
2061 static inline bool
2062 necp_policy_condition_is_application(u_int8_t *buffer, u_int32_t length)
2063 {
2064 return (necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_APPLICATION);
2065 }
2066
2067 static inline bool
2068 necp_policy_condition_is_real_application(u_int8_t *buffer, u_int32_t length)
2069 {
2070 return (necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_REAL_APPLICATION);
2071 }
2072
2073 static inline bool
2074 necp_policy_condition_requires_application(u_int8_t *buffer, u_int32_t length)
2075 {
2076 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
2077 return (type == NECP_POLICY_CONDITION_REAL_APPLICATION);
2078 }
2079
2080 static inline bool
2081 necp_policy_condition_requires_real_application(u_int8_t *buffer, u_int32_t length)
2082 {
2083 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
2084 return (type == NECP_POLICY_CONDITION_ENTITLEMENT);
2085 }
2086
2087 static bool
2088 necp_policy_condition_is_valid(u_int8_t *buffer, u_int32_t length, u_int8_t policy_result_type)
2089 {
2090 bool validated = FALSE;
2091 bool result_cannot_have_ip_layer = (policy_result_type == NECP_POLICY_RESULT_SOCKET_DIVERT ||
2092 policy_result_type == NECP_POLICY_RESULT_SOCKET_FILTER ||
2093 policy_result_type == NECP_POLICY_RESULT_TRIGGER ||
2094 policy_result_type == NECP_POLICY_RESULT_TRIGGER_IF_NEEDED ||
2095 policy_result_type == NECP_POLICY_RESULT_TRIGGER_SCOPED ||
2096 policy_result_type == NECP_POLICY_RESULT_NO_TRIGGER_SCOPED ||
2097 policy_result_type == NECP_POLICY_RESULT_SOCKET_SCOPED ||
2098 policy_result_type == NECP_POLICY_RESULT_ROUTE_RULES ||
2099 policy_result_type == NECP_POLICY_RESULT_USE_NETAGENT ||
2100 policy_result_type == NECP_POLICY_RESULT_NETAGENT_SCOPED ||
2101 policy_result_type == NECP_POLICY_RESULT_SCOPED_DIRECT) ? TRUE : FALSE;
2102 u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
2103 u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(buffer, length);
2104 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
2105 u_int8_t flags = necp_policy_condition_get_flags_from_buffer(buffer, length);
2106 switch (type) {
2107 case NECP_POLICY_CONDITION_APPLICATION:
2108 case NECP_POLICY_CONDITION_REAL_APPLICATION: {
2109 if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
2110 condition_length >= sizeof(uuid_t) &&
2111 condition_value != NULL &&
2112 !uuid_is_null(condition_value)) {
2113 validated = TRUE;
2114 }
2115 break;
2116 }
2117 case NECP_POLICY_CONDITION_DOMAIN:
2118 case NECP_POLICY_CONDITION_ACCOUNT:
2119 case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
2120 if (condition_length > 0) {
2121 validated = TRUE;
2122 }
2123 break;
2124 }
2125 case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
2126 if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
2127 validated = TRUE;
2128 }
2129 break;
2130 }
2131 case NECP_POLICY_CONDITION_DEFAULT:
2132 case NECP_POLICY_CONDITION_ALL_INTERFACES:
2133 case NECP_POLICY_CONDITION_ENTITLEMENT: {
2134 if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE)) {
2135 validated = TRUE;
2136 }
2137 break;
2138 }
2139 case NECP_POLICY_CONDITION_IP_PROTOCOL: {
2140 if (condition_length >= sizeof(u_int16_t)) {
2141 validated = TRUE;
2142 }
2143 break;
2144 }
2145 case NECP_POLICY_CONDITION_PID: {
2146 if (condition_length >= sizeof(pid_t) &&
2147 condition_value != NULL &&
2148 *((pid_t *)(void *)condition_value) != 0) {
2149 validated = TRUE;
2150 }
2151 break;
2152 }
2153 case NECP_POLICY_CONDITION_UID: {
2154 if (condition_length >= sizeof(uid_t)) {
2155 validated = TRUE;
2156 }
2157 break;
2158 }
2159 case NECP_POLICY_CONDITION_LOCAL_ADDR:
2160 case NECP_POLICY_CONDITION_REMOTE_ADDR: {
2161 if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr) &&
2162 necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
2163 validated = TRUE;
2164 }
2165 break;
2166 }
2167 case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
2168 case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
2169 if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
2170 necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
2171 necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
2172 validated = TRUE;
2173 }
2174 break;
2175 }
2176 case NECP_POLICY_CONDITION_AGENT_TYPE: {
2177 if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
2178 condition_length >= sizeof(struct necp_policy_condition_agent_type)) {
2179 validated = TRUE;
2180 }
2181 break;
2182 }
2183 default: {
2184 validated = FALSE;
2185 break;
2186 }
2187 }
2188
2189 if (necp_debug) {
2190 NECPLOG(LOG_DEBUG, "Policy condition type %d, valid %d", type, validated);
2191 }
2192
2193 return (validated);
2194 }
2195
2196 static bool
2197 necp_policy_route_rule_is_default(u_int8_t *buffer, u_int32_t length)
2198 {
2199 return (necp_policy_condition_get_value_length_from_buffer(buffer, length) == 0 &&
2200 necp_policy_condition_get_flags_from_buffer(buffer, length) == 0);
2201 }
2202
2203 static bool
2204 necp_policy_route_rule_is_valid(u_int8_t *buffer, u_int32_t length)
2205 {
2206 bool validated = FALSE;
2207 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
2208 switch (type) {
2209 case NECP_ROUTE_RULE_ALLOW_INTERFACE: {
2210 validated = TRUE;
2211 break;
2212 }
2213 case NECP_ROUTE_RULE_DENY_INTERFACE: {
2214 validated = TRUE;
2215 break;
2216 }
2217 case NECP_ROUTE_RULE_QOS_MARKING: {
2218 validated = TRUE;
2219 break;
2220 }
2221 case NECP_ROUTE_RULE_DENY_LQM_ABORT: {
2222 validated = TRUE;
2223 break;
2224 }
2225 default: {
2226 validated = FALSE;
2227 break;
2228 }
2229 }
2230
2231 if (necp_debug) {
2232 NECPLOG(LOG_DEBUG, "Policy route rule type %d, valid %d", type, validated);
2233 }
2234
2235 return (validated);
2236 }
2237
2238 static int
2239 necp_get_posix_error_for_necp_error(int response_error)
2240 {
2241 switch (response_error) {
2242 case NECP_ERROR_UNKNOWN_PACKET_TYPE:
2243 case NECP_ERROR_INVALID_TLV:
2244 case NECP_ERROR_POLICY_RESULT_INVALID:
2245 case NECP_ERROR_POLICY_CONDITIONS_INVALID:
2246 case NECP_ERROR_ROUTE_RULES_INVALID: {
2247 return (EINVAL);
2248 }
2249 case NECP_ERROR_POLICY_ID_NOT_FOUND: {
2250 return (ENOENT);
2251 }
2252 case NECP_ERROR_INVALID_PROCESS: {
2253 return (EPERM);
2254 }
2255 case NECP_ERROR_INTERNAL:
2256 default: {
2257 return (ENOMEM);
2258 }
2259 }
2260 }
2261
2262 static void
2263 necp_handle_set_session_priority(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2264 {
2265 int error;
2266 struct necp_session_policy *policy = NULL;
2267 struct necp_session_policy *temp_policy = NULL;
2268 u_int32_t response_error = NECP_ERROR_INTERNAL;
2269 u_int32_t requested_session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
2270
2271 // Read policy id
2272 error = necp_get_tlv(packet, NULL, 0, offset, NECP_TLV_SESSION_PRIORITY, sizeof(requested_session_priority), &requested_session_priority, NULL);
2273 if (error) {
2274 NECPLOG(LOG_ERR, "Failed to get session priority: %d", error);
2275 response_error = NECP_ERROR_INVALID_TLV;
2276 goto fail;
2277 }
2278
2279 if (session == NULL) {
2280 NECPLOG0(LOG_ERR, "Failed to find session");
2281 response_error = NECP_ERROR_INTERNAL;
2282 goto fail;
2283 }
2284
2285 // Enforce special session priorities with entitlements
2286 if (requested_session_priority == NECP_SESSION_PRIORITY_CONTROL ||
2287 requested_session_priority == NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL) {
2288 errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
2289 if (cred_result != 0) {
2290 NECPLOG(LOG_ERR, "Session does not hold necessary entitlement to claim priority level %d", requested_session_priority);
2291 goto fail;
2292 }
2293 }
2294
2295 if (session->session_priority != requested_session_priority) {
2296 session->session_priority = requested_session_priority;
2297 session->session_order = necp_allocate_new_session_order(session->session_priority, session->control_unit);
2298 session->dirty = TRUE;
2299
2300 // Mark all policies as needing updates
2301 LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
2302 policy->pending_update = TRUE;
2303 }
2304 }
2305
2306 necp_send_success_response(session, NECP_PACKET_TYPE_SET_SESSION_PRIORITY, message_id);
2307 return;
2308
2309 fail:
2310 necp_send_error_response(session, NECP_PACKET_TYPE_SET_SESSION_PRIORITY, message_id, response_error);
2311 }
2312
2313 static void
2314 necp_handle_lock_session_to_proc(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2315 {
2316 #pragma unused(packet, offset)
2317 // proc_uuid already filled out
2318 session->proc_locked = TRUE;
2319 necp_send_success_response(session, NECP_PACKET_TYPE_LOCK_SESSION_TO_PROC, message_id);
2320 }
2321
2322 static void
2323 necp_handle_register_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2324 {
2325 int error;
2326 struct necp_service_registration *new_service = NULL;
2327 u_int32_t response_error = NECP_ERROR_INTERNAL;
2328 uuid_t service_uuid;
2329 uuid_clear(service_uuid);
2330
2331 if (session == NULL) {
2332 NECPLOG0(LOG_ERR, "Failed to find session");
2333 response_error = NECP_ERROR_INTERNAL;
2334 goto fail;
2335 }
2336
2337 // Enforce entitlements
2338 errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
2339 if (cred_result != 0) {
2340 NECPLOG0(LOG_ERR, "Session does not hold necessary entitlement to register service");
2341 goto fail;
2342 }
2343
2344 // Read service uuid
2345 error = necp_get_tlv(packet, NULL, 0, offset, NECP_TLV_SERVICE_UUID, sizeof(uuid_t), service_uuid, NULL);
2346 if (error) {
2347 NECPLOG(LOG_ERR, "Failed to get service UUID: %d", error);
2348 response_error = NECP_ERROR_INVALID_TLV;
2349 goto fail;
2350 }
2351
2352 MALLOC(new_service, struct necp_service_registration *, sizeof(*new_service), M_NECP, M_WAITOK);
2353 if (new_service == NULL) {
2354 NECPLOG0(LOG_ERR, "Failed to allocate service registration");
2355 response_error = NECP_ERROR_INTERNAL;
2356 goto fail;
2357 }
2358
2359 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
2360 memset(new_service, 0, sizeof(*new_service));
2361 new_service->service_id = necp_create_uuid_service_id_mapping(service_uuid);
2362 LIST_INSERT_HEAD(&session->services, new_service, session_chain);
2363 LIST_INSERT_HEAD(&necp_registered_service_list, new_service, kernel_chain);
2364 lck_rw_done(&necp_kernel_policy_lock);
2365
2366 necp_send_success_response(session, NECP_PACKET_TYPE_REGISTER_SERVICE, message_id);
2367 return;
2368 fail:
2369 necp_send_error_response(session, NECP_PACKET_TYPE_REGISTER_SERVICE, message_id, response_error);
2370 }
2371
2372 static void
2373 necp_handle_unregister_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2374 {
2375 int error;
2376 struct necp_service_registration *service = NULL;
2377 struct necp_service_registration *temp_service = NULL;
2378 u_int32_t response_error = NECP_ERROR_INTERNAL;
2379 struct necp_uuid_id_mapping *mapping = NULL;
2380 uuid_t service_uuid;
2381 uuid_clear(service_uuid);
2382
2383 if (session == NULL) {
2384 NECPLOG0(LOG_ERR, "Failed to find session");
2385 response_error = NECP_ERROR_INTERNAL;
2386 goto fail;
2387 }
2388
2389 // Read service uuid
2390 error = necp_get_tlv(packet, NULL, 0, offset, NECP_TLV_SERVICE_UUID, sizeof(uuid_t), service_uuid, NULL);
2391 if (error) {
2392 NECPLOG(LOG_ERR, "Failed to get service UUID: %d", error);
2393 response_error = NECP_ERROR_INVALID_TLV;
2394 goto fail;
2395 }
2396
2397 // Mark remove all matching services for this session
2398 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
2399 mapping = necp_uuid_lookup_service_id_locked(service_uuid);
2400 if (mapping != NULL) {
2401 LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
2402 if (service->service_id == mapping->id) {
2403 LIST_REMOVE(service, session_chain);
2404 LIST_REMOVE(service, kernel_chain);
2405 FREE(service, M_NECP);
2406 }
2407 }
2408 necp_remove_uuid_service_id_mapping(service_uuid);
2409 }
2410 lck_rw_done(&necp_kernel_policy_lock);
2411
2412 necp_send_success_response(session, NECP_PACKET_TYPE_UNREGISTER_SERVICE, message_id);
2413 return;
2414 fail:
2415 necp_send_error_response(session, NECP_PACKET_TYPE_UNREGISTER_SERVICE, message_id, response_error);
2416 }
2417
2418 static necp_policy_id
2419 necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_t packet,
2420 u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *return_error)
2421 {
2422 bool has_default_condition = FALSE;
2423 bool has_non_default_condition = FALSE;
2424 bool has_application_condition = FALSE;
2425 bool has_real_application_condition = FALSE;
2426 bool requires_application_condition = FALSE;
2427 bool requires_real_application_condition = FALSE;
2428 u_int8_t *conditions_array = NULL;
2429 u_int32_t conditions_array_size = 0;
2430 int conditions_array_cursor;
2431
2432 bool has_default_route_rule = FALSE;
2433 u_int8_t *route_rules_array = NULL;
2434 u_int32_t route_rules_array_size = 0;
2435 int route_rules_array_cursor;
2436
2437 int cursor;
2438 int error = 0;
2439 u_int32_t response_error = NECP_ERROR_INTERNAL;
2440
2441 necp_policy_order order = 0;
2442 struct necp_session_policy *policy = NULL;
2443 u_int8_t *policy_result = NULL;
2444 u_int32_t policy_result_size = 0;
2445
2446 // Read policy order
2447 error = necp_get_tlv(packet, tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_ORDER, sizeof(order), &order, NULL);
2448 if (error) {
2449 NECPLOG(LOG_ERR, "Failed to get policy order: %d", error);
2450 response_error = NECP_ERROR_INVALID_TLV;
2451 goto fail;
2452 }
2453
2454 // Read policy result
2455 cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_RESULT, &error, 0);
2456 error = necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &policy_result_size);
2457 if (error || policy_result_size == 0) {
2458 NECPLOG(LOG_ERR, "Failed to get policy result length: %d", error);
2459 response_error = NECP_ERROR_INVALID_TLV;
2460 goto fail;
2461 }
2462 if (policy_result_size > NECP_MAX_POLICY_RESULT_SIZE) {
2463 NECPLOG(LOG_ERR, "Policy result length too large: %u", policy_result_size);
2464 response_error = NECP_ERROR_INVALID_TLV;
2465 goto fail;
2466 }
2467 MALLOC(policy_result, u_int8_t *, policy_result_size, M_NECP, M_WAITOK);
2468 if (policy_result == NULL) {
2469 NECPLOG(LOG_ERR, "Failed to allocate a policy result buffer (size %d)", policy_result_size);
2470 response_error = NECP_ERROR_INTERNAL;
2471 goto fail;
2472 }
2473 error = necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, policy_result_size, policy_result, NULL);
2474 if (error) {
2475 NECPLOG(LOG_ERR, "Failed to get policy result: %d", error);
2476 response_error = NECP_ERROR_POLICY_RESULT_INVALID;
2477 goto fail;
2478 }
2479 if (!necp_policy_result_is_valid(policy_result, policy_result_size)) {
2480 NECPLOG0(LOG_ERR, "Failed to validate policy result");
2481 response_error = NECP_ERROR_POLICY_RESULT_INVALID;
2482 goto fail;
2483 }
2484
2485 if (necp_policy_result_requires_route_rules(policy_result, policy_result_size)) {
2486 // Read route rules conditions
2487 for (cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
2488 cursor >= 0;
2489 cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
2490 u_int32_t route_rule_size = 0;
2491 necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
2492 if (route_rule_size > 0) {
2493 route_rules_array_size += (sizeof(u_int8_t) + sizeof(u_int32_t) + route_rule_size);
2494 }
2495 }
2496
2497 if (route_rules_array_size == 0) {
2498 NECPLOG0(LOG_ERR, "Failed to get policy route rules");
2499 response_error = NECP_ERROR_INVALID_TLV;
2500 goto fail;
2501 }
2502 if (route_rules_array_size > NECP_MAX_ROUTE_RULES_ARRAY_SIZE) {
2503 NECPLOG(LOG_ERR, "Route rules length too large: %u", route_rules_array_size);
2504 response_error = NECP_ERROR_INVALID_TLV;
2505 goto fail;
2506 }
2507 MALLOC(route_rules_array, u_int8_t *, route_rules_array_size, M_NECP, M_WAITOK);
2508 if (route_rules_array == NULL) {
2509 NECPLOG(LOG_ERR, "Failed to allocate a policy route rules array (size %d)", route_rules_array_size);
2510 response_error = NECP_ERROR_INTERNAL;
2511 goto fail;
2512 }
2513
2514 route_rules_array_cursor = 0;
2515 for (cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
2516 cursor >= 0;
2517 cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
2518 u_int8_t route_rule_type = NECP_TLV_ROUTE_RULE;
2519 u_int32_t route_rule_size = 0;
2520 necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
2521 if (route_rule_size > 0 && route_rule_size <= (route_rules_array_size - route_rules_array_cursor)) {
2522 // Add type
2523 memcpy((route_rules_array + route_rules_array_cursor), &route_rule_type, sizeof(route_rule_type));
2524 route_rules_array_cursor += sizeof(route_rule_type);
2525
2526 // Add length
2527 memcpy((route_rules_array + route_rules_array_cursor), &route_rule_size, sizeof(route_rule_size));
2528 route_rules_array_cursor += sizeof(route_rule_size);
2529
2530 // Add value
2531 necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, route_rule_size, (route_rules_array + route_rules_array_cursor), NULL);
2532
2533 if (!necp_policy_route_rule_is_valid((route_rules_array + route_rules_array_cursor), route_rule_size)) {
2534 NECPLOG0(LOG_ERR, "Failed to validate policy route rule");
2535 response_error = NECP_ERROR_ROUTE_RULES_INVALID;
2536 goto fail;
2537 }
2538
2539 if (necp_policy_route_rule_is_default((route_rules_array + route_rules_array_cursor), route_rule_size)) {
2540 if (has_default_route_rule) {
2541 NECPLOG0(LOG_ERR, "Failed to validate route rule; contained multiple default route rules");
2542 response_error = NECP_ERROR_ROUTE_RULES_INVALID;
2543 goto fail;
2544 }
2545 has_default_route_rule = TRUE;
2546 }
2547
2548 route_rules_array_cursor += route_rule_size;
2549 }
2550 }
2551 }
2552
2553 // Read policy conditions
2554 for (cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
2555 cursor >= 0;
2556 cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
2557 u_int32_t condition_size = 0;
2558 necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
2559
2560 if (condition_size > 0) {
2561 conditions_array_size += (sizeof(u_int8_t) + sizeof(u_int32_t) + condition_size);
2562 }
2563 }
2564
2565 if (conditions_array_size == 0) {
2566 NECPLOG0(LOG_ERR, "Failed to get policy conditions");
2567 response_error = NECP_ERROR_INVALID_TLV;
2568 goto fail;
2569 }
2570 if (conditions_array_size > NECP_MAX_CONDITIONS_ARRAY_SIZE) {
2571 NECPLOG(LOG_ERR, "Conditions length too large: %u", conditions_array_size);
2572 response_error = NECP_ERROR_INVALID_TLV;
2573 goto fail;
2574 }
2575 MALLOC(conditions_array, u_int8_t *, conditions_array_size, M_NECP, M_WAITOK);
2576 if (conditions_array == NULL) {
2577 NECPLOG(LOG_ERR, "Failed to allocate a policy conditions array (size %d)", conditions_array_size);
2578 response_error = NECP_ERROR_INTERNAL;
2579 goto fail;
2580 }
2581
2582 conditions_array_cursor = 0;
2583 for (cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
2584 cursor >= 0;
2585 cursor = necp_find_tlv(packet, tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
2586 u_int8_t condition_type = NECP_TLV_POLICY_CONDITION;
2587 u_int32_t condition_size = 0;
2588 necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
2589 if (condition_size > 0 && condition_size <= (conditions_array_size - conditions_array_cursor)) {
2590 // Add type
2591 memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type));
2592 conditions_array_cursor += sizeof(condition_type);
2593
2594 // Add length
2595 memcpy((conditions_array + conditions_array_cursor), &condition_size, sizeof(condition_size));
2596 conditions_array_cursor += sizeof(condition_size);
2597
2598 // Add value
2599 necp_get_tlv_at_offset(packet, tlv_buffer, tlv_buffer_length, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);
2600 if (!necp_policy_condition_is_valid((conditions_array + conditions_array_cursor), condition_size, necp_policy_result_get_type_from_buffer(policy_result, policy_result_size))) {
2601 NECPLOG0(LOG_ERR, "Failed to validate policy condition");
2602 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2603 goto fail;
2604 }
2605
2606 if (necp_policy_condition_is_default((conditions_array + conditions_array_cursor), condition_size)) {
2607 has_default_condition = TRUE;
2608 } else {
2609 has_non_default_condition = TRUE;
2610 }
2611 if (has_default_condition && has_non_default_condition) {
2612 NECPLOG0(LOG_ERR, "Failed to validate conditions; contained default and non-default conditions");
2613 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2614 goto fail;
2615 }
2616
2617 if (necp_policy_condition_is_application((conditions_array + conditions_array_cursor), condition_size)) {
2618 has_application_condition = TRUE;
2619 }
2620
2621 if (necp_policy_condition_is_real_application((conditions_array + conditions_array_cursor), condition_size)) {
2622 has_real_application_condition = TRUE;
2623 }
2624
2625 if (necp_policy_condition_requires_application((conditions_array + conditions_array_cursor), condition_size)) {
2626 requires_application_condition = TRUE;
2627 }
2628
2629 if (necp_policy_condition_requires_real_application((conditions_array + conditions_array_cursor), condition_size)) {
2630 requires_real_application_condition = TRUE;
2631 }
2632
2633 conditions_array_cursor += condition_size;
2634 }
2635 }
2636
2637 if (requires_application_condition && !has_application_condition) {
2638 NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain application condition");
2639 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2640 goto fail;
2641 }
2642
2643 if (requires_real_application_condition && !has_real_application_condition) {
2644 NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain real application condition");
2645 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2646 goto fail;
2647 }
2648
2649 if ((policy = necp_policy_create(session, order, conditions_array, conditions_array_size, route_rules_array, route_rules_array_size, policy_result, policy_result_size)) == NULL) {
2650 response_error = NECP_ERROR_INTERNAL;
2651 goto fail;
2652 }
2653
2654 if (packet != NULL) {
2655 necp_send_policy_id_response(session, NECP_PACKET_TYPE_POLICY_ADD, message_id, policy->local_id);
2656 }
2657 return (policy->local_id);
2658
2659 fail:
2660 if (policy_result != NULL) {
2661 FREE(policy_result, M_NECP);
2662 }
2663 if (conditions_array != NULL) {
2664 FREE(conditions_array, M_NECP);
2665 }
2666 if (route_rules_array != NULL) {
2667 FREE(route_rules_array, M_NECP);
2668 }
2669
2670 if (packet != NULL) {
2671 necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_ADD, message_id, response_error);
2672 }
2673 if (return_error != NULL) {
2674 *return_error = necp_get_posix_error_for_necp_error(response_error);
2675 }
2676 return (0);
2677 }
2678
2679 static void
2680 necp_handle_policy_get(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2681 {
2682 #pragma unused(offset)
2683 int error;
2684 u_int8_t *response = NULL;
2685 u_int8_t *cursor = NULL;
2686 u_int32_t response_error = NECP_ERROR_INTERNAL;
2687 necp_policy_id policy_id = 0;
2688 u_int32_t order_tlv_size = 0;
2689 u_int32_t result_tlv_size = 0;
2690 u_int32_t response_size = 0;
2691
2692 struct necp_session_policy *policy = NULL;
2693
2694 // Read policy id
2695 error = necp_get_tlv(packet, NULL, 0, offset, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id, NULL);
2696 if (error) {
2697 NECPLOG(LOG_ERR, "Failed to get policy id: %d", error);
2698 response_error = NECP_ERROR_INVALID_TLV;
2699 goto fail;
2700 }
2701
2702 policy = necp_policy_find(session, policy_id);
2703 if (policy == NULL || policy->pending_deletion) {
2704 NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
2705 response_error = NECP_ERROR_POLICY_ID_NOT_FOUND;
2706 goto fail;
2707 }
2708
2709 order_tlv_size = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_order);
2710 result_tlv_size = (policy->result_size ? (sizeof(u_int8_t) + sizeof(u_int32_t) + policy->result_size) : 0);
2711 response_size = sizeof(struct necp_packet_header) + order_tlv_size + result_tlv_size + policy->conditions_size;
2712 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
2713 if (response == NULL) {
2714 necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_GET, message_id, NECP_ERROR_INTERNAL);
2715 return;
2716 }
2717
2718 cursor = response;
2719 cursor = necp_buffer_write_packet_header(cursor, NECP_PACKET_TYPE_POLICY_GET, NECP_PACKET_FLAGS_RESPONSE, message_id);
2720 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, response, response_size);
2721
2722 if (result_tlv_size) {
2723 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT, policy->result_size, &policy->result, response, response_size);
2724 }
2725 if (policy->conditions_size) {
2726 memcpy(((u_int8_t *)(void *)(cursor)), policy->conditions, policy->conditions_size);
2727 }
2728
2729 if (!necp_send_ctl_data(session, (u_int8_t *)response, response_size)) {
2730 NECPLOG0(LOG_ERR, "Failed to send response");
2731 }
2732
2733 FREE(response, M_NECP);
2734 return;
2735
2736 fail:
2737 necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_GET, message_id, response_error);
2738 }
2739
2740 static void
2741 necp_handle_policy_delete(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2742 {
2743 int error;
2744 u_int32_t response_error = NECP_ERROR_INTERNAL;
2745 necp_policy_id policy_id = 0;
2746
2747 struct necp_session_policy *policy = NULL;
2748
2749 // Read policy id
2750 error = necp_get_tlv(packet, NULL, 0, offset, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id, NULL);
2751 if (error) {
2752 NECPLOG(LOG_ERR, "Failed to get policy id: %d", error);
2753 response_error = NECP_ERROR_INVALID_TLV;
2754 goto fail;
2755 }
2756
2757 policy = necp_policy_find(session, policy_id);
2758 if (policy == NULL || policy->pending_deletion) {
2759 NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
2760 response_error = NECP_ERROR_POLICY_ID_NOT_FOUND;
2761 goto fail;
2762 }
2763
2764 necp_policy_mark_for_deletion(session, policy);
2765
2766 necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_DELETE, message_id);
2767 return;
2768
2769 fail:
2770 necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_DELETE, message_id, response_error);
2771 }
2772
2773 static void
2774 necp_handle_policy_apply_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2775 {
2776 #pragma unused(packet, offset)
2777 necp_policy_apply_all(session);
2778 necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_APPLY_ALL, message_id);
2779 }
2780
2781 static void
2782 necp_handle_policy_list_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2783 {
2784 #pragma unused(packet, offset)
2785 u_int32_t tlv_size = (sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t));
2786 u_int32_t response_size = 0;
2787 u_int8_t *response = NULL;
2788 u_int8_t *cursor = NULL;
2789 int num_policies = 0;
2790 int cur_policy_index = 0;
2791 struct necp_session_policy *policy;
2792
2793 LIST_FOREACH(policy, &session->policies, chain) {
2794 if (!policy->pending_deletion) {
2795 num_policies++;
2796 }
2797 }
2798
2799 // Create a response with one Policy ID TLV for each policy
2800 response_size = sizeof(struct necp_packet_header) + num_policies * tlv_size;
2801 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
2802 if (response == NULL) {
2803 necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_LIST_ALL, message_id, NECP_ERROR_INTERNAL);
2804 return;
2805 }
2806
2807 cursor = response;
2808 cursor = necp_buffer_write_packet_header(cursor, NECP_PACKET_TYPE_POLICY_LIST_ALL, NECP_PACKET_FLAGS_RESPONSE, message_id);
2809
2810 LIST_FOREACH(policy, &session->policies, chain) {
2811 if (!policy->pending_deletion && cur_policy_index < num_policies) {
2812 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(u_int32_t), &policy->local_id, response, response_size);
2813 cur_policy_index++;
2814 }
2815 }
2816
2817 if (!necp_send_ctl_data(session, (u_int8_t *)response, response_size)) {
2818 NECPLOG0(LOG_ERR, "Failed to send response");
2819 }
2820
2821 FREE(response, M_NECP);
2822 }
2823
2824 static void
2825 necp_handle_policy_delete_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
2826 {
2827 #pragma unused(packet, offset)
2828 necp_policy_mark_all_for_deletion(session);
2829 necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_DELETE_ALL, message_id);
2830 }
2831
2832 static necp_policy_id
2833 necp_policy_get_new_id(struct necp_session *session)
2834 {
2835 session->last_policy_id++;
2836 if (session->last_policy_id < 1) {
2837 session->last_policy_id = 1;
2838 }
2839
2840 necp_policy_id newid = session->last_policy_id;
2841
2842 if (newid == 0) {
2843 NECPLOG0(LOG_ERR, "Allocate policy id failed.\n");
2844 return (0);
2845 }
2846
2847 return (newid);
2848 }
2849
2850 /*
2851 * For the policy dump response this is the structure:
2852 *
2853 * <NECP_PACKET_HEADER>
2854 * {
2855 * type : NECP_TLV_POLICY_DUMP
2856 * length : ...
2857 * value :
2858 * {
2859 * {
2860 * type : NECP_TLV_POLICY_ID
2861 * len : ...
2862 * value : ...
2863 * }
2864 * {
2865 * type : NECP_TLV_POLICY_ORDER
2866 * len : ...
2867 * value : ...
2868 * }
2869 * {
2870 * type : NECP_TLV_POLICY_RESULT_STRING
2871 * len : ...
2872 * value : ...
2873 * }
2874 * {
2875 * type : NECP_TLV_POLICY_OWNER
2876 * len : ...
2877 * value : ...
2878 * }
2879 * {
2880 * type : NECP_TLV_POLICY_CONDITION
2881 * len : ...
2882 * value :
2883 * {
2884 * {
2885 * type : NECP_POLICY_CONDITION_ALL_INTERFACES
2886 * len : ...
2887 * value : ...
2888 * }
2889 * {
2890 * type : NECP_POLICY_CONDITION_BOUND_INTERFACES
2891 * len : ...
2892 * value : ...
2893 * }
2894 * ...
2895 * }
2896 * }
2897 * }
2898 * }
2899 * {
2900 * type : NECP_TLV_POLICY_DUMP
2901 * length : ...
2902 * value :
2903 * {
2904 * {
2905 * type : NECP_TLV_POLICY_ID
2906 * len : ...
2907 * value : ...
2908 * }
2909 * {
2910 * type : NECP_TLV_POLICY_ORDER
2911 * len : ...
2912 * value : ...
2913 * }
2914 * {
2915 * type : NECP_TLV_POLICY_RESULT_STRING
2916 * len : ...
2917 * value : ...
2918 * }
2919 * {
2920 * type : NECP_TLV_POLICY_OWNER
2921 * len : ...
2922 * value : ...
2923 * }
2924 * {
2925 * type : NECP_TLV_POLICY_CONDITION
2926 * len : ...
2927 * value :
2928 * {
2929 * {
2930 * type : NECP_POLICY_CONDITION_ALL_INTERFACES
2931 * len : ...
2932 * value : ...
2933 * }
2934 * {
2935 * type : NECP_POLICY_CONDITION_BOUND_INTERFACES
2936 * len : ...
2937 * value : ...
2938 * }
2939 * ...
2940 * }
2941 * }
2942 * }
2943 * }
2944 * ...
2945 */
2946 static int
2947 necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet,
2948 user_addr_t out_buffer, size_t out_buffer_length, int offset)
2949 {
2950 #pragma unused(offset)
2951 struct necp_kernel_socket_policy *policy = NULL;
2952 int policy_i;
2953 int policy_count = 0;
2954 u_int8_t **tlv_buffer_pointers = NULL;
2955 u_int32_t *tlv_buffer_lengths = NULL;
2956 u_int32_t total_tlv_len = 0;
2957 u_int8_t *result_buf = NULL;
2958 u_int8_t *result_buf_cursor = result_buf;
2959 char result_string[MAX_RESULT_STRING_LEN];
2960 char proc_name_string[MAXCOMLEN + 1];
2961
2962 int error_code = 0;
2963 bool error_occured = false;
2964 u_int32_t response_error = NECP_ERROR_INTERNAL;
2965
2966 #define REPORT_ERROR(error) error_occured = true; \
2967 response_error = error; \
2968 goto done
2969
2970 #define UNLOCK_AND_REPORT_ERROR(lock, error) lck_rw_done(lock); \
2971 REPORT_ERROR(error)
2972
2973 errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
2974 if (cred_result != 0) {
2975 NECPLOG0(LOG_ERR, "Session does not hold the necessary entitlement to get Network Extension Policy information");
2976 REPORT_ERROR(NECP_ERROR_INTERNAL);
2977 }
2978
2979 // LOCK
2980 lck_rw_lock_shared(&necp_kernel_policy_lock);
2981
2982 if (necp_debug) {
2983 NECPLOG0(LOG_DEBUG, "Gathering policies");
2984 }
2985
2986 policy_count = necp_kernel_application_policies_count;
2987
2988 MALLOC(tlv_buffer_pointers, u_int8_t **, sizeof(u_int8_t *) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
2989 if (tlv_buffer_pointers == NULL) {
2990 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_pointers (%u bytes)", sizeof(u_int8_t *) * policy_count);
2991 UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
2992 }
2993
2994 MALLOC(tlv_buffer_lengths, u_int32_t *, sizeof(u_int32_t) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
2995 if (tlv_buffer_lengths == NULL) {
2996 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_lengths (%u bytes)", sizeof(u_int32_t) * policy_count);
2997 UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
2998 }
2999
3000 for (policy_i = 0; necp_kernel_socket_policies_app_layer_map != NULL && necp_kernel_socket_policies_app_layer_map[policy_i] != NULL; policy_i++) {
3001 policy = necp_kernel_socket_policies_app_layer_map[policy_i];
3002
3003 memset(result_string, 0, MAX_RESULT_STRING_LEN);
3004 memset(proc_name_string, 0, MAXCOMLEN + 1);
3005
3006 necp_get_result_description(result_string, policy->result, policy->result_parameter);
3007 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
3008
3009 u_int16_t proc_name_len = strlen(proc_name_string) + 1;
3010 u_int16_t result_string_len = strlen(result_string) + 1;
3011
3012 if (necp_debug) {
3013 NECPLOG(LOG_DEBUG, "Policy: process: %s, result: %s", proc_name_string, result_string);
3014 }
3015
3016 u_int32_t total_allocated_bytes = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->id) + // NECP_TLV_POLICY_ID
3017 sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->order) + // NECP_TLV_POLICY_ORDER
3018 sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->session_order) + // NECP_TLV_POLICY_SESSION_ORDER
3019 sizeof(u_int8_t) + sizeof(u_int32_t) + result_string_len + // NECP_TLV_POLICY_RESULT_STRING
3020 sizeof(u_int8_t) + sizeof(u_int32_t) + proc_name_len + // NECP_TLV_POLICY_OWNER
3021 sizeof(u_int8_t) + sizeof(u_int32_t); // NECP_TLV_POLICY_CONDITION
3022
3023 // We now traverse the condition_mask to see how much space we need to allocate
3024 u_int32_t condition_mask = policy->condition_mask;
3025 u_int8_t num_conditions = 0;
3026 struct necp_string_id_mapping *account_id_entry = NULL;
3027 char if_name[IFXNAMSIZ];
3028 u_int32_t condition_tlv_length = 0;
3029 memset(if_name, 0, sizeof(if_name));
3030
3031 if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
3032 num_conditions++;
3033 } else {
3034 if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
3035 num_conditions++;
3036 }
3037 if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
3038 snprintf(if_name, IFXNAMSIZ, "%s%d", ifnet_name(policy->cond_bound_interface), ifnet_unit(policy->cond_bound_interface));
3039 condition_tlv_length += strlen(if_name) + 1;
3040 num_conditions++;
3041 }
3042 if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
3043 condition_tlv_length += sizeof(policy->cond_protocol);
3044 num_conditions++;
3045 }
3046 if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
3047 condition_tlv_length += sizeof(uuid_t);
3048 num_conditions++;
3049 }
3050 if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
3051 condition_tlv_length += sizeof(uuid_t);
3052 num_conditions++;
3053 }
3054 if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
3055 u_int32_t domain_len = strlen(policy->cond_domain) + 1;
3056 condition_tlv_length += domain_len;
3057 num_conditions++;
3058 }
3059 if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
3060 account_id_entry = necp_lookup_string_with_id_locked(&necp_account_id_list, policy->cond_account_id);
3061 u_int32_t account_id_len = 0;
3062 if (account_id_entry) {
3063 account_id_len = account_id_entry->string ? strlen(account_id_entry->string) + 1 : 0;
3064 }
3065 condition_tlv_length += account_id_len;
3066 num_conditions++;
3067 }
3068 if (condition_mask & NECP_KERNEL_CONDITION_PID) {
3069 condition_tlv_length += sizeof(pid_t);
3070 num_conditions++;
3071 }
3072 if (condition_mask & NECP_KERNEL_CONDITION_UID) {
3073 condition_tlv_length += sizeof(uid_t);
3074 num_conditions++;
3075 }
3076 if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
3077 condition_tlv_length += sizeof(struct necp_policy_condition_tc_range);
3078 num_conditions++;
3079 }
3080 if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
3081 num_conditions++;
3082 }
3083 if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
3084 u_int32_t entitlement_len = strlen(policy->cond_custom_entitlement) + 1;
3085 condition_tlv_length += entitlement_len;
3086 num_conditions++;
3087 }
3088 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
3089 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
3090 condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
3091 } else {
3092 condition_tlv_length += sizeof(struct necp_policy_condition_addr);
3093 }
3094 num_conditions++;
3095 }
3096 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
3097 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
3098 condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
3099 } else {
3100 condition_tlv_length += sizeof(struct necp_policy_condition_addr);
3101 }
3102 num_conditions++;
3103 }
3104 if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
3105 condition_tlv_length += sizeof(struct necp_policy_condition_agent_type);
3106 num_conditions++;
3107 }
3108 }
3109
3110 condition_tlv_length += num_conditions * (sizeof(u_int8_t) + sizeof(u_int32_t)); // These are for the condition TLVs. The space for "value" is already accounted for above.
3111 total_allocated_bytes += condition_tlv_length;
3112
3113 u_int8_t *tlv_buffer;
3114 MALLOC(tlv_buffer, u_int8_t *, total_allocated_bytes, M_NECP, M_NOWAIT | M_ZERO);
3115 if (tlv_buffer == NULL) {
3116 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer (%u bytes)", total_allocated_bytes);
3117 continue;
3118 }
3119
3120 u_int8_t *cursor = tlv_buffer;
3121 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy->id), &policy->id, tlv_buffer, total_allocated_bytes);
3122 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, tlv_buffer, total_allocated_bytes);
3123 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_SESSION_ORDER, sizeof(policy->session_order), &policy->session_order, tlv_buffer, total_allocated_bytes);
3124 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT_STRING, result_string_len, result_string, tlv_buffer, total_allocated_bytes);
3125 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_OWNER, proc_name_len, proc_name_string, tlv_buffer, total_allocated_bytes);
3126
3127 #define N_QUICK 256
3128 u_int8_t q_cond_buf[N_QUICK]; // Minor optimization
3129
3130 u_int8_t *cond_buf; // To be used for condition TLVs
3131 if (condition_tlv_length <= N_QUICK) {
3132 cond_buf = q_cond_buf;
3133 } else {
3134 MALLOC(cond_buf, u_int8_t *, condition_tlv_length, M_NECP, M_NOWAIT);
3135 if (cond_buf == NULL) {
3136 NECPLOG(LOG_DEBUG, "Failed to allocate cond_buffer (%u bytes)", condition_tlv_length);
3137 FREE(tlv_buffer, M_NECP);
3138 continue;
3139 }
3140 }
3141
3142 memset(cond_buf, 0, condition_tlv_length);
3143 u_int8_t *cond_buf_cursor = cond_buf;
3144 if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
3145 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DEFAULT, 0, "", cond_buf, condition_tlv_length);
3146 } else {
3147 if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
3148 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ALL_INTERFACES, 0, "", cond_buf, condition_tlv_length);
3149 }
3150 if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
3151 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_BOUND_INTERFACE, strlen(if_name) + 1,
3152 if_name, cond_buf, condition_tlv_length);
3153 }
3154 if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
3155 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_IP_PROTOCOL, sizeof(policy->cond_protocol), &policy->cond_protocol,
3156 cond_buf, condition_tlv_length);
3157 }
3158 if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
3159 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_app_id);
3160 if (entry != NULL) {
3161 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_APPLICATION, sizeof(entry->uuid), entry->uuid,
3162 cond_buf, condition_tlv_length);
3163 }
3164 }
3165 if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
3166 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_real_app_id);
3167 if (entry != NULL) {
3168 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REAL_APPLICATION, sizeof(entry->uuid), entry->uuid,
3169 cond_buf, condition_tlv_length);
3170 }
3171 }
3172 if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
3173 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DOMAIN, strlen(policy->cond_domain) + 1, policy->cond_domain,
3174 cond_buf, condition_tlv_length);
3175 }
3176 if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
3177 if (account_id_entry != NULL) {
3178 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ACCOUNT, strlen(account_id_entry->string) + 1, account_id_entry->string,
3179 cond_buf, condition_tlv_length);
3180 }
3181 }
3182 if (condition_mask & NECP_KERNEL_CONDITION_PID) {
3183 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PID, sizeof(policy->cond_pid), &policy->cond_pid,
3184 cond_buf, condition_tlv_length);
3185 }
3186 if (condition_mask & NECP_KERNEL_CONDITION_UID) {
3187 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_UID, sizeof(policy->cond_uid), &policy->cond_uid,
3188 cond_buf, condition_tlv_length);
3189 }
3190 if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
3191 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_TRAFFIC_CLASS, sizeof(policy->cond_traffic_class), &policy->cond_traffic_class,
3192 cond_buf, condition_tlv_length);
3193 }
3194 if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
3195 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, 0, "",
3196 cond_buf, condition_tlv_length);
3197 }
3198 if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
3199 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, strlen(policy->cond_custom_entitlement) + 1, policy->cond_custom_entitlement,
3200 cond_buf, condition_tlv_length);
3201 }
3202 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
3203 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
3204 struct necp_policy_condition_addr_range range;
3205 memcpy(&range.start_address, &policy->cond_local_start, sizeof(policy->cond_local_start));
3206 memcpy(&range.end_address, &policy->cond_local_end, sizeof(policy->cond_local_end));
3207 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE, sizeof(range), &range,
3208 cond_buf, condition_tlv_length);
3209 } else {
3210 struct necp_policy_condition_addr addr;
3211 addr.prefix = policy->cond_local_prefix;
3212 memcpy(&addr.address, &policy->cond_local_start, sizeof(policy->cond_local_start));
3213 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR, sizeof(addr), &addr,
3214 cond_buf, condition_tlv_length);
3215 }
3216 }
3217 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
3218 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
3219 struct necp_policy_condition_addr_range range;
3220 memcpy(&range.start_address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
3221 memcpy(&range.end_address, &policy->cond_remote_end, sizeof(policy->cond_remote_end));
3222 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE, sizeof(range), &range,
3223 cond_buf, condition_tlv_length);
3224 } else {
3225 struct necp_policy_condition_addr addr;
3226 addr.prefix = policy->cond_remote_prefix;
3227 memcpy(&addr.address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
3228 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR, sizeof(addr), &addr,
3229 cond_buf, condition_tlv_length);
3230 }
3231 }
3232 if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
3233 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_AGENT_TYPE,
3234 sizeof(policy->cond_agent_type), &policy->cond_agent_type,
3235 cond_buf, condition_tlv_length);
3236 }
3237 }
3238
3239 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_CONDITION, cond_buf_cursor - cond_buf, cond_buf, tlv_buffer, total_allocated_bytes);
3240 if (cond_buf != q_cond_buf) {
3241 FREE(cond_buf, M_NECP);
3242 }
3243
3244 tlv_buffer_pointers[policy_i] = tlv_buffer;
3245 tlv_buffer_lengths[policy_i] = (cursor - tlv_buffer);
3246
3247 // This is the length of the TLV for NECP_TLV_POLICY_DUMP
3248 total_tlv_len += sizeof(u_int8_t) + sizeof(u_int32_t) + (cursor - tlv_buffer);
3249 }
3250
3251 // UNLOCK
3252 lck_rw_done(&necp_kernel_policy_lock);
3253
3254 // Send packet
3255 if (packet != NULL) {
3256 u_int32_t total_result_length = sizeof(struct necp_packet_header) + total_tlv_len;
3257
3258 // Allow malloc to wait, since the total buffer may be large and we are not holding any locks
3259 MALLOC(result_buf, u_int8_t *, total_result_length, M_NECP, M_WAITOK | M_ZERO);
3260 if (result_buf == NULL) {
3261 NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%u bytes)", total_result_length);
3262 REPORT_ERROR(NECP_ERROR_INTERNAL);
3263 }
3264
3265 result_buf_cursor = result_buf;
3266 result_buf_cursor = necp_buffer_write_packet_header(result_buf_cursor, NECP_PACKET_TYPE_POLICY_DUMP_ALL, NECP_PACKET_FLAGS_RESPONSE, message_id);
3267
3268 for (int i = 0; i < policy_count; i++) {
3269 if (tlv_buffer_pointers[i] != NULL) {
3270 result_buf_cursor = necp_buffer_write_tlv(result_buf_cursor, NECP_TLV_POLICY_DUMP, tlv_buffer_lengths[i], tlv_buffer_pointers[i], result_buf, total_result_length);
3271 }
3272 }
3273
3274 if (!necp_send_ctl_data(session, result_buf, result_buf_cursor - result_buf)) {
3275 NECPLOG(LOG_ERR, "Failed to send response (%u bytes)", result_buf_cursor - result_buf);
3276 } else {
3277 NECPLOG(LOG_ERR, "Sent data worth %u bytes. Total result buffer length was %u bytes", result_buf_cursor - result_buf, total_result_length);
3278 }
3279 }
3280
3281 // Copy out
3282 if (out_buffer != 0) {
3283 if (out_buffer_length < total_tlv_len + sizeof(u_int32_t)) {
3284 NECPLOG(LOG_DEBUG, "out_buffer_length too small (%u < %u)", out_buffer_length, total_tlv_len + sizeof(u_int32_t));
3285 REPORT_ERROR(NECP_ERROR_INVALID_TLV);
3286 }
3287
3288 // Allow malloc to wait, since the total buffer may be large and we are not holding any locks
3289 MALLOC(result_buf, u_int8_t *, total_tlv_len + sizeof(u_int32_t), M_NECP, M_WAITOK | M_ZERO);
3290 if (result_buf == NULL) {
3291 NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
3292 REPORT_ERROR(NECP_ERROR_INTERNAL);
3293 }
3294
3295 // Add four bytes for total length at the start
3296 memcpy(result_buf, &total_tlv_len, sizeof(u_int32_t));
3297
3298 // Copy the TLVs
3299 result_buf_cursor = result_buf + sizeof(u_int32_t);
3300 for (int i = 0; i < policy_count; i++) {
3301 if (tlv_buffer_pointers[i] != NULL) {
3302 result_buf_cursor = necp_buffer_write_tlv(result_buf_cursor, NECP_TLV_POLICY_DUMP, tlv_buffer_lengths[i], tlv_buffer_pointers[i],
3303 result_buf, total_tlv_len + sizeof(u_int32_t));
3304 }
3305 }
3306
3307 int copy_error = copyout(result_buf, out_buffer, total_tlv_len + sizeof(u_int32_t));
3308 if (copy_error) {
3309 NECPLOG(LOG_DEBUG, "Failed to copy out result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
3310 REPORT_ERROR(NECP_ERROR_INTERNAL);
3311 }
3312 }
3313
3314 done:
3315
3316 if (error_occured) {
3317 if (packet != NULL) {
3318 if(!necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_DUMP_ALL, message_id, response_error)) {
3319 NECPLOG0(LOG_ERR, "Failed to send error response");
3320 } else {
3321 NECPLOG0(LOG_ERR, "Sent error response");
3322 }
3323 }
3324 error_code = necp_get_posix_error_for_necp_error(response_error);
3325 }
3326
3327 if (result_buf != NULL) {
3328 FREE(result_buf, M_NECP);
3329 }
3330
3331 if (tlv_buffer_pointers != NULL) {
3332 for (int i = 0; i < policy_count; i++) {
3333 if (tlv_buffer_pointers[i] != NULL) {
3334 FREE(tlv_buffer_pointers[i], M_NECP);
3335 tlv_buffer_pointers[i] = NULL;
3336 }
3337 }
3338 FREE(tlv_buffer_pointers, M_NECP);
3339 }
3340
3341 if (tlv_buffer_lengths != NULL) {
3342 FREE(tlv_buffer_lengths, M_NECP);
3343 }
3344 #undef N_QUICK
3345 #undef RESET_COND_BUF
3346 #undef REPORT_ERROR
3347 #undef UNLOCK_AND_REPORT_ERROR
3348
3349 return (error_code);
3350 }
3351
3352 static struct necp_session_policy *
3353 necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8_t *conditions_array, u_int32_t conditions_array_size, u_int8_t *route_rules_array, u_int32_t route_rules_array_size, u_int8_t *result, u_int32_t result_size)
3354 {
3355 struct necp_session_policy *new_policy = NULL;
3356 struct necp_session_policy *tmp_policy = NULL;
3357
3358 if (session == NULL || conditions_array == NULL || result == NULL || result_size == 0) {
3359 goto done;
3360 }
3361
3362 MALLOC_ZONE(new_policy, struct necp_session_policy *, sizeof(*new_policy), M_NECP_SESSION_POLICY, M_WAITOK);
3363 if (new_policy == NULL) {
3364 goto done;
3365 }
3366
3367 memset(new_policy, 0, sizeof(*new_policy)); // M_ZERO is not supported for MALLOC_ZONE
3368 new_policy->applied = FALSE;
3369 new_policy->pending_deletion = FALSE;
3370 new_policy->pending_update = FALSE;
3371 new_policy->order = order;
3372 new_policy->conditions = conditions_array;
3373 new_policy->conditions_size = conditions_array_size;
3374 new_policy->route_rules = route_rules_array;
3375 new_policy->route_rules_size = route_rules_array_size;
3376 new_policy->result = result;
3377 new_policy->result_size = result_size;
3378 new_policy->local_id = necp_policy_get_new_id(session);
3379
3380 LIST_INSERT_SORTED_ASCENDING(&session->policies, new_policy, chain, order, tmp_policy);
3381
3382 session->dirty = TRUE;
3383
3384 if (necp_debug) {
3385 NECPLOG(LOG_DEBUG, "Created NECP policy, order %d", order);
3386 }
3387 done:
3388 return (new_policy);
3389 }
3390
3391 static struct necp_session_policy *
3392 necp_policy_find(struct necp_session *session, necp_policy_id policy_id)
3393 {
3394 struct necp_session_policy *policy = NULL;
3395 if (policy_id == 0) {
3396 return (NULL);
3397 }
3398
3399 LIST_FOREACH(policy, &session->policies, chain) {
3400 if (policy->local_id == policy_id) {
3401 return (policy);
3402 }
3403 }
3404
3405 return (NULL);
3406 }
3407
3408 static inline u_int8_t
3409 necp_policy_get_result_type(struct necp_session_policy *policy)
3410 {
3411 return (policy ? necp_policy_result_get_type_from_buffer(policy->result, policy->result_size) : 0);
3412 }
3413
3414 static inline u_int32_t
3415 necp_policy_get_result_parameter_length(struct necp_session_policy *policy)
3416 {
3417 return (policy ? necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) : 0);
3418 }
3419
3420 static bool
3421 necp_policy_get_result_parameter(struct necp_session_policy *policy, u_int8_t *parameter_buffer, u_int32_t parameter_buffer_length)
3422 {
3423 if (policy) {
3424 u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size);
3425 if (parameter_buffer_length >= parameter_length) {
3426 u_int8_t *parameter = necp_policy_result_get_parameter_pointer_from_buffer(policy->result, policy->result_size);
3427 if (parameter && parameter_buffer) {
3428 memcpy(parameter_buffer, parameter, parameter_length);
3429 return (TRUE);
3430 }
3431 }
3432 }
3433
3434 return (FALSE);
3435 }
3436
3437 static bool
3438 necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy)
3439 {
3440 if (session == NULL || policy == NULL) {
3441 return (FALSE);
3442 }
3443
3444 policy->pending_deletion = TRUE;
3445 session->dirty = TRUE;
3446
3447 if (necp_debug) {
3448 NECPLOG0(LOG_DEBUG, "Marked NECP policy for removal");
3449 }
3450 return (TRUE);
3451 }
3452
3453 static bool
3454 necp_policy_mark_all_for_deletion(struct necp_session *session)
3455 {
3456 struct necp_session_policy *policy = NULL;
3457 struct necp_session_policy *temp_policy = NULL;
3458
3459 LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
3460 necp_policy_mark_for_deletion(session, policy);
3461 }
3462
3463 return (TRUE);
3464 }
3465
3466 static bool
3467 necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy)
3468 {
3469 if (session == NULL || policy == NULL) {
3470 return (FALSE);
3471 }
3472
3473 LIST_REMOVE(policy, chain);
3474
3475 if (policy->result) {
3476 FREE(policy->result, M_NECP);
3477 policy->result = NULL;
3478 }
3479
3480 if (policy->conditions) {
3481 FREE(policy->conditions, M_NECP);
3482 policy->conditions = NULL;
3483 }
3484
3485 if (policy->route_rules) {
3486 FREE(policy->route_rules, M_NECP);
3487 policy->route_rules = NULL;
3488 }
3489
3490 FREE_ZONE(policy, sizeof(*policy), M_NECP_SESSION_POLICY);
3491
3492 if (necp_debug) {
3493 NECPLOG0(LOG_DEBUG, "Removed NECP policy");
3494 }
3495 return (TRUE);
3496 }
3497
3498 static bool
3499 necp_policy_unapply(struct necp_session_policy *policy)
3500 {
3501 int i = 0;
3502 if (policy == NULL) {
3503 return (FALSE);
3504 }
3505
3506 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
3507
3508 // Release local uuid mappings
3509 if (!uuid_is_null(policy->applied_app_uuid)) {
3510 bool removed_mapping = FALSE;
3511 if (necp_remove_uuid_app_id_mapping(policy->applied_app_uuid, &removed_mapping, TRUE) && removed_mapping) {
3512 necp_uuid_app_id_mappings_dirty = TRUE;
3513 necp_num_uuid_app_id_mappings--;
3514 }
3515 uuid_clear(policy->applied_app_uuid);
3516 }
3517 if (!uuid_is_null(policy->applied_real_app_uuid)) {
3518 necp_remove_uuid_app_id_mapping(policy->applied_real_app_uuid, NULL, FALSE);
3519 uuid_clear(policy->applied_real_app_uuid);
3520 }
3521 if (!uuid_is_null(policy->applied_result_uuid)) {
3522 necp_remove_uuid_service_id_mapping(policy->applied_result_uuid);
3523 uuid_clear(policy->applied_result_uuid);
3524 }
3525
3526 // Release string mappings
3527 if (policy->applied_account != NULL) {
3528 necp_remove_string_to_id_mapping(&necp_account_id_list, policy->applied_account);
3529 FREE(policy->applied_account, M_NECP);
3530 policy->applied_account = NULL;
3531 }
3532
3533 // Release route rule
3534 if (policy->applied_route_rules_id != 0) {
3535 necp_remove_route_rule(&necp_route_rules, policy->applied_route_rules_id);
3536 policy->applied_route_rules_id = 0;
3537 }
3538
3539 // Remove socket policies
3540 for (i = 0; i < MAX_KERNEL_SOCKET_POLICIES; i++) {
3541 if (policy->kernel_socket_policies[i] != 0) {
3542 necp_kernel_socket_policy_delete(policy->kernel_socket_policies[i]);
3543 policy->kernel_socket_policies[i] = 0;
3544 }
3545 }
3546
3547 // Remove IP output policies
3548 for (i = 0; i < MAX_KERNEL_IP_OUTPUT_POLICIES; i++) {
3549 if (policy->kernel_ip_output_policies[i] != 0) {
3550 necp_kernel_ip_output_policy_delete(policy->kernel_ip_output_policies[i]);
3551 policy->kernel_ip_output_policies[i] = 0;
3552 }
3553 }
3554
3555 policy->applied = FALSE;
3556
3557 return (TRUE);
3558 }
3559
3560 #define NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION 0
3561 #define NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION 1
3562 #define NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION 2
3563 #define NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS 3
3564 struct necp_policy_result_ip_tunnel {
3565 u_int32_t secondary_result;
3566 char interface_name[IFXNAMSIZ];
3567 } __attribute__((__packed__));
3568
3569 struct necp_policy_result_service {
3570 uuid_t identifier;
3571 u_int32_t data;
3572 } __attribute__((__packed__));
3573
3574 static bool
3575 necp_policy_apply(struct necp_session *session, struct necp_session_policy *policy)
3576 {
3577 bool socket_only_conditions = FALSE;
3578 bool socket_ip_conditions = FALSE;
3579
3580 bool socket_layer_non_id_conditions = FALSE;
3581 bool ip_output_layer_non_id_conditions = FALSE;
3582 bool ip_output_layer_non_id_only = FALSE;
3583 bool ip_output_layer_id_condition = FALSE;
3584 bool ip_output_layer_tunnel_condition_from_id = FALSE;
3585 bool ip_output_layer_tunnel_condition_from_non_id = FALSE;
3586 necp_kernel_policy_id cond_ip_output_layer_id = NECP_KERNEL_POLICY_ID_NONE;
3587
3588 u_int32_t master_condition_mask = 0;
3589 u_int32_t master_condition_negated_mask = 0;
3590 ifnet_t cond_bound_interface = NULL;
3591 u_int32_t cond_account_id = 0;
3592 char *cond_domain = NULL;
3593 char *cond_custom_entitlement = NULL;
3594 pid_t cond_pid = 0;
3595 uid_t cond_uid = 0;
3596 necp_app_id cond_app_id = 0;
3597 necp_app_id cond_real_app_id = 0;
3598 struct necp_policy_condition_tc_range cond_traffic_class;
3599 cond_traffic_class.start_tc = 0;
3600 cond_traffic_class.end_tc = 0;
3601 u_int16_t cond_protocol = 0;
3602 union necp_sockaddr_union cond_local_start;
3603 union necp_sockaddr_union cond_local_end;
3604 u_int8_t cond_local_prefix = 0;
3605 union necp_sockaddr_union cond_remote_start;
3606 union necp_sockaddr_union cond_remote_end;
3607 u_int8_t cond_remote_prefix = 0;
3608 u_int32_t offset = 0;
3609 u_int8_t ultimate_result = 0;
3610 u_int32_t secondary_result = 0;
3611 struct necp_policy_condition_agent_type cond_agent_type = {};
3612 necp_kernel_policy_result_parameter secondary_result_parameter;
3613 memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
3614 u_int32_t cond_last_interface_index = 0;
3615 necp_kernel_policy_result_parameter ultimate_result_parameter;
3616 memset(&ultimate_result_parameter, 0, sizeof(ultimate_result_parameter));
3617
3618 if (policy == NULL) {
3619 return (FALSE);
3620 }
3621
3622 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
3623
3624 // Process conditions
3625 while (offset < policy->conditions_size) {
3626 u_int32_t length = 0;
3627 u_int8_t *value = necp_buffer_get_tlv_value(policy->conditions, offset, &length);
3628
3629 u_int8_t condition_type = necp_policy_condition_get_type_from_buffer(value, length);
3630 u_int8_t condition_flags = necp_policy_condition_get_flags_from_buffer(value, length);
3631 bool condition_is_negative = condition_flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE;
3632 u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(value, length);
3633 u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
3634 switch (condition_type) {
3635 case NECP_POLICY_CONDITION_DEFAULT: {
3636 socket_ip_conditions = TRUE;
3637 break;
3638 }
3639 case NECP_POLICY_CONDITION_ALL_INTERFACES: {
3640 master_condition_mask |= NECP_KERNEL_CONDITION_ALL_INTERFACES;
3641 socket_ip_conditions = TRUE;
3642 break;
3643 }
3644 case NECP_POLICY_CONDITION_ENTITLEMENT: {
3645 if (condition_length > 0) {
3646 if (cond_custom_entitlement == NULL) {
3647 cond_custom_entitlement = necp_copy_string((char *)condition_value, condition_length);
3648 if (cond_custom_entitlement != NULL) {
3649 master_condition_mask |= NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT;
3650 socket_only_conditions = TRUE;
3651 }
3652 }
3653 } else {
3654 master_condition_mask |= NECP_KERNEL_CONDITION_ENTITLEMENT;
3655 socket_only_conditions = TRUE;
3656 }
3657 break;
3658 }
3659 case NECP_POLICY_CONDITION_DOMAIN: {
3660 // Make sure there is only one such rule
3661 if (condition_length > 0 && cond_domain == NULL) {
3662 cond_domain = necp_create_trimmed_domain((char *)condition_value, condition_length);
3663 if (cond_domain != NULL) {
3664 master_condition_mask |= NECP_KERNEL_CONDITION_DOMAIN;
3665 if (condition_is_negative) {
3666 master_condition_negated_mask |= NECP_KERNEL_CONDITION_DOMAIN;
3667 }
3668 socket_only_conditions = TRUE;
3669 }
3670 }
3671 break;
3672 }
3673 case NECP_POLICY_CONDITION_ACCOUNT: {
3674 // Make sure there is only one such rule
3675 if (condition_length > 0 && cond_account_id == 0 && policy->applied_account == NULL) {
3676 char *string = NULL;
3677 MALLOC(string, char *, condition_length + 1, M_NECP, M_WAITOK);
3678 if (string != NULL) {
3679 memcpy(string, condition_value, condition_length);
3680 string[condition_length] = 0;
3681 cond_account_id = necp_create_string_to_id_mapping(&necp_account_id_list, string);
3682 if (cond_account_id != 0) {
3683 policy->applied_account = string; // Save the string in parent policy
3684 master_condition_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
3685 if (condition_is_negative) {
3686 master_condition_negated_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
3687 }
3688 socket_only_conditions = TRUE;
3689 } else {
3690 FREE(string, M_NECP);
3691 }
3692 }
3693 }
3694 break;
3695 }
3696 case NECP_POLICY_CONDITION_APPLICATION: {
3697 // Make sure there is only one such rule, because we save the uuid in the policy
3698 if (condition_length >= sizeof(uuid_t) && cond_app_id == 0) {
3699 bool allocated_mapping = FALSE;
3700 uuid_t application_uuid;
3701 memcpy(application_uuid, condition_value, sizeof(uuid_t));
3702 cond_app_id = necp_create_uuid_app_id_mapping(application_uuid, &allocated_mapping, TRUE);
3703 if (cond_app_id != 0) {
3704 if (allocated_mapping) {
3705 necp_uuid_app_id_mappings_dirty = TRUE;
3706 necp_num_uuid_app_id_mappings++;
3707 }
3708 uuid_copy(policy->applied_app_uuid, application_uuid);
3709 master_condition_mask |= NECP_KERNEL_CONDITION_APP_ID;
3710 if (condition_is_negative) {
3711 master_condition_negated_mask |= NECP_KERNEL_CONDITION_APP_ID;
3712 }
3713 socket_only_conditions = TRUE;
3714 }
3715 }
3716 break;
3717 }
3718 case NECP_POLICY_CONDITION_REAL_APPLICATION: {
3719 // Make sure there is only one such rule, because we save the uuid in the policy
3720 if (condition_length >= sizeof(uuid_t) && cond_real_app_id == 0) {
3721 uuid_t real_application_uuid;
3722 memcpy(real_application_uuid, condition_value, sizeof(uuid_t));
3723 cond_real_app_id = necp_create_uuid_app_id_mapping(real_application_uuid, NULL, FALSE);
3724 if (cond_real_app_id != 0) {
3725 uuid_copy(policy->applied_real_app_uuid, real_application_uuid);
3726 master_condition_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
3727 if (condition_is_negative) {
3728 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
3729 }
3730 socket_only_conditions = TRUE;
3731 }
3732 }
3733 break;
3734 }
3735 case NECP_POLICY_CONDITION_PID: {
3736 if (condition_length >= sizeof(pid_t)) {
3737 master_condition_mask |= NECP_KERNEL_CONDITION_PID;
3738 if (condition_is_negative) {
3739 master_condition_negated_mask |= NECP_KERNEL_CONDITION_PID;
3740 }
3741 memcpy(&cond_pid, condition_value, sizeof(cond_pid));
3742 socket_only_conditions = TRUE;
3743 }
3744 break;
3745 }
3746 case NECP_POLICY_CONDITION_UID: {
3747 if (condition_length >= sizeof(uid_t)) {
3748 master_condition_mask |= NECP_KERNEL_CONDITION_UID;
3749 if (condition_is_negative) {
3750 master_condition_negated_mask |= NECP_KERNEL_CONDITION_UID;
3751 }
3752 memcpy(&cond_uid, condition_value, sizeof(cond_uid));
3753 socket_only_conditions = TRUE;
3754 }
3755 break;
3756 }
3757 case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
3758 if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
3759 master_condition_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
3760 if (condition_is_negative) {
3761 master_condition_negated_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
3762 }
3763 memcpy(&cond_traffic_class, condition_value, sizeof(cond_traffic_class));
3764 socket_only_conditions = TRUE;
3765 }
3766 break;
3767 }
3768 case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
3769 if (condition_length <= IFXNAMSIZ && condition_length > 0) {
3770 char interface_name[IFXNAMSIZ];
3771 memcpy(interface_name, condition_value, condition_length);
3772 interface_name[condition_length - 1] = 0; // Make sure the string is NULL terminated
3773 if (ifnet_find_by_name(interface_name, &cond_bound_interface) == 0) {
3774 master_condition_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
3775 if (condition_is_negative) {
3776 master_condition_negated_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
3777 }
3778 }
3779 socket_ip_conditions = TRUE;
3780 }
3781 break;
3782 }
3783 case NECP_POLICY_CONDITION_IP_PROTOCOL: {
3784 if (condition_length >= sizeof(u_int16_t)) {
3785 master_condition_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
3786 if (condition_is_negative) {
3787 master_condition_negated_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
3788 }
3789 memcpy(&cond_protocol, condition_value, sizeof(cond_protocol));
3790 socket_ip_conditions = TRUE;
3791 }
3792 break;
3793 }
3794 case NECP_POLICY_CONDITION_LOCAL_ADDR: {
3795 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
3796 if (!necp_address_is_valid(&address_struct->address.sa)) {
3797 break;
3798 }
3799
3800 cond_local_prefix = address_struct->prefix;
3801 memcpy(&cond_local_start, &address_struct->address, sizeof(address_struct->address));
3802 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3803 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
3804 if (condition_is_negative) {
3805 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3806 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
3807 }
3808 socket_ip_conditions = TRUE;
3809 break;
3810 }
3811 case NECP_POLICY_CONDITION_REMOTE_ADDR: {
3812 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
3813 if (!necp_address_is_valid(&address_struct->address.sa)) {
3814 break;
3815 }
3816
3817 cond_remote_prefix = address_struct->prefix;
3818 memcpy(&cond_remote_start, &address_struct->address, sizeof(address_struct->address));
3819 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3820 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
3821 if (condition_is_negative) {
3822 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3823 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
3824 }
3825 socket_ip_conditions = TRUE;
3826 break;
3827 }
3828 case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE: {
3829 struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
3830 if (!necp_address_is_valid(&address_struct->start_address.sa) ||
3831 !necp_address_is_valid(&address_struct->end_address.sa)) {
3832 break;
3833 }
3834
3835 memcpy(&cond_local_start, &address_struct->start_address, sizeof(address_struct->start_address));
3836 memcpy(&cond_local_end, &address_struct->end_address, sizeof(address_struct->end_address));
3837 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3838 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
3839 if (condition_is_negative) {
3840 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3841 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
3842 }
3843 socket_ip_conditions = TRUE;
3844 break;
3845 }
3846 case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
3847 struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
3848 if (!necp_address_is_valid(&address_struct->start_address.sa) ||
3849 !necp_address_is_valid(&address_struct->end_address.sa)) {
3850 break;
3851 }
3852
3853 memcpy(&cond_remote_start, &address_struct->start_address, sizeof(address_struct->start_address));
3854 memcpy(&cond_remote_end, &address_struct->end_address, sizeof(address_struct->end_address));
3855 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3856 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
3857 if (condition_is_negative) {
3858 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3859 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
3860 }
3861 socket_ip_conditions = TRUE;
3862 break;
3863 }
3864 case NECP_POLICY_CONDITION_AGENT_TYPE: {
3865 if (condition_length >= sizeof(cond_agent_type)) {
3866 master_condition_mask |= NECP_KERNEL_CONDITION_AGENT_TYPE;
3867 memcpy(&cond_agent_type, condition_value, sizeof(cond_agent_type));
3868 socket_only_conditions = TRUE;
3869 }
3870 break;
3871 }
3872 default: {
3873 break;
3874 }
3875 }
3876
3877 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
3878 }
3879
3880 // Process result
3881 ultimate_result = necp_policy_get_result_type(policy);
3882 switch (ultimate_result) {
3883 case NECP_POLICY_RESULT_PASS: {
3884 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3885 socket_layer_non_id_conditions = TRUE;
3886 ip_output_layer_id_condition = TRUE;
3887 } else if (socket_ip_conditions) {
3888 socket_layer_non_id_conditions = TRUE;
3889 ip_output_layer_id_condition = TRUE;
3890 ip_output_layer_non_id_conditions = TRUE;
3891 }
3892 break;
3893 }
3894 case NECP_POLICY_RESULT_DROP: {
3895 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3896 socket_layer_non_id_conditions = TRUE;
3897 } else if (socket_ip_conditions) {
3898 socket_layer_non_id_conditions = TRUE;
3899 ip_output_layer_non_id_conditions = TRUE;
3900 ip_output_layer_non_id_only = TRUE; // Only apply drop to packets that didn't go through socket layer
3901 }
3902 break;
3903 }
3904 case NECP_POLICY_RESULT_SKIP: {
3905 u_int32_t skip_policy_order = 0;
3906 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&skip_policy_order, sizeof(skip_policy_order))) {
3907 ultimate_result_parameter.skip_policy_order = skip_policy_order;
3908 }
3909
3910 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3911 socket_layer_non_id_conditions = TRUE;
3912 ip_output_layer_id_condition = TRUE;
3913 } else if (socket_ip_conditions) {
3914 socket_layer_non_id_conditions = TRUE;
3915 ip_output_layer_non_id_conditions = TRUE;
3916 }
3917 break;
3918 }
3919 case NECP_POLICY_RESULT_SOCKET_DIVERT:
3920 case NECP_POLICY_RESULT_SOCKET_FILTER: {
3921 u_int32_t control_unit = 0;
3922 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&control_unit, sizeof(control_unit))) {
3923 ultimate_result_parameter.flow_divert_control_unit = control_unit;
3924 }
3925 socket_layer_non_id_conditions = TRUE;
3926 break;
3927 }
3928 case NECP_POLICY_RESULT_IP_TUNNEL: {
3929 struct necp_policy_result_ip_tunnel tunnel_parameters;
3930 u_int32_t tunnel_parameters_length = necp_policy_get_result_parameter_length(policy);
3931 if (tunnel_parameters_length > sizeof(u_int32_t) &&
3932 tunnel_parameters_length <= sizeof(struct necp_policy_result_ip_tunnel) &&
3933 necp_policy_get_result_parameter(policy, (u_int8_t *)&tunnel_parameters, sizeof(tunnel_parameters))) {
3934 ifnet_t tunnel_interface = NULL;
3935 tunnel_parameters.interface_name[tunnel_parameters_length - sizeof(u_int32_t) - 1] = 0; // Make sure the string is NULL terminated
3936 if (ifnet_find_by_name(tunnel_parameters.interface_name, &tunnel_interface) == 0) {
3937 ultimate_result_parameter.tunnel_interface_index = tunnel_interface->if_index;
3938 ifnet_release(tunnel_interface);
3939 }
3940
3941 secondary_result = tunnel_parameters.secondary_result;
3942 if (secondary_result) {
3943 cond_last_interface_index = ultimate_result_parameter.tunnel_interface_index;
3944 }
3945 }
3946
3947 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3948 socket_layer_non_id_conditions = TRUE;
3949 ip_output_layer_id_condition = TRUE;
3950 if (secondary_result) {
3951 ip_output_layer_tunnel_condition_from_id = TRUE;
3952 }
3953 } else if (socket_ip_conditions) {
3954 socket_layer_non_id_conditions = TRUE;
3955 ip_output_layer_id_condition = TRUE;
3956 ip_output_layer_non_id_conditions = TRUE;
3957 if (secondary_result) {
3958 ip_output_layer_tunnel_condition_from_id = TRUE;
3959 ip_output_layer_tunnel_condition_from_non_id = TRUE;
3960 }
3961 }
3962 break;
3963 }
3964 case NECP_POLICY_RESULT_TRIGGER:
3965 case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
3966 case NECP_POLICY_RESULT_TRIGGER_SCOPED:
3967 case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
3968 struct necp_policy_result_service service_parameters;
3969 u_int32_t service_result_length = necp_policy_get_result_parameter_length(policy);
3970 bool has_extra_service_data = FALSE;
3971 if (service_result_length >= (sizeof(service_parameters))) {
3972 has_extra_service_data = TRUE;
3973 }
3974 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&service_parameters, sizeof(service_parameters))) {
3975 ultimate_result_parameter.service.identifier = necp_create_uuid_service_id_mapping(service_parameters.identifier);
3976 if (ultimate_result_parameter.service.identifier != 0) {
3977 uuid_copy(policy->applied_result_uuid, service_parameters.identifier);
3978 socket_layer_non_id_conditions = TRUE;
3979 if (has_extra_service_data) {
3980 ultimate_result_parameter.service.data = service_parameters.data;
3981 } else {
3982 ultimate_result_parameter.service.data = 0;
3983 }
3984 }
3985 }
3986 break;
3987 }
3988 case NECP_POLICY_RESULT_USE_NETAGENT:
3989 case NECP_POLICY_RESULT_NETAGENT_SCOPED: {
3990 uuid_t netagent_uuid;
3991 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&netagent_uuid, sizeof(netagent_uuid))) {
3992 ultimate_result_parameter.netagent_id = necp_create_uuid_service_id_mapping(netagent_uuid);
3993 if (ultimate_result_parameter.netagent_id != 0) {
3994 uuid_copy(policy->applied_result_uuid, netagent_uuid);
3995 socket_layer_non_id_conditions = TRUE;
3996 }
3997 }
3998 break;
3999 }
4000 case NECP_POLICY_RESULT_SOCKET_SCOPED: {
4001 u_int32_t interface_name_length = necp_policy_get_result_parameter_length(policy);
4002 if (interface_name_length <= IFXNAMSIZ && interface_name_length > 0) {
4003 char interface_name[IFXNAMSIZ];
4004 ifnet_t scope_interface = NULL;
4005 necp_policy_get_result_parameter(policy, (u_int8_t *)interface_name, interface_name_length);
4006 interface_name[interface_name_length - 1] = 0; // Make sure the string is NULL terminated
4007 if (ifnet_find_by_name(interface_name, &scope_interface) == 0) {
4008 ultimate_result_parameter.scoped_interface_index = scope_interface->if_index;
4009 socket_layer_non_id_conditions = TRUE;
4010 ifnet_release(scope_interface);
4011 }
4012 }
4013 break;
4014 }
4015 case NECP_POLICY_RESULT_SCOPED_DIRECT: {
4016 socket_layer_non_id_conditions = TRUE;
4017 break;
4018 }
4019 case NECP_POLICY_RESULT_ROUTE_RULES: {
4020 if (policy->route_rules != NULL && policy->route_rules_size > 0) {
4021 u_int32_t route_rule_id = necp_create_route_rule(&necp_route_rules, policy->route_rules, policy->route_rules_size);
4022 if (route_rule_id > 0) {
4023 policy->applied_route_rules_id = route_rule_id;
4024 ultimate_result_parameter.route_rule_id = route_rule_id;
4025 socket_layer_non_id_conditions = TRUE;
4026 }
4027 }
4028 break;
4029 }
4030 default: {
4031 break;
4032 }
4033 }
4034
4035 if (socket_layer_non_id_conditions) {
4036 necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_custom_entitlement, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, &cond_agent_type, ultimate_result, ultimate_result_parameter);
4037
4038 if (policy_id == 0) {
4039 NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
4040 goto fail;
4041 }
4042
4043 cond_ip_output_layer_id = policy_id;
4044 policy->kernel_socket_policies[0] = policy_id;
4045 }
4046
4047 if (ip_output_layer_non_id_conditions) {
4048 u_int32_t condition_mask = master_condition_mask;
4049 if (ip_output_layer_non_id_only) {
4050 condition_mask |= NECP_KERNEL_CONDITION_POLICY_ID;
4051 }
4052 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
4053
4054 if (policy_id == 0) {
4055 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
4056 goto fail;
4057 }
4058
4059 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS] = policy_id;
4060 }
4061
4062 if (ip_output_layer_id_condition) {
4063 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, ultimate_result, ultimate_result_parameter);
4064
4065 if (policy_id == 0) {
4066 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
4067 goto fail;
4068 }
4069
4070 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION] = policy_id;
4071 }
4072
4073 // Extra policies for IP Output tunnels for when packets loop back
4074 if (ip_output_layer_tunnel_condition_from_id) {
4075 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
4076
4077 if (policy_id == 0) {
4078 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
4079 goto fail;
4080 }
4081
4082 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION] = policy_id;
4083 }
4084
4085 if (ip_output_layer_tunnel_condition_from_id) {
4086 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
4087
4088 if (policy_id == 0) {
4089 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
4090 goto fail;
4091 }
4092
4093 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION] = policy_id;
4094 }
4095
4096 policy->applied = TRUE;
4097 policy->pending_update = FALSE;
4098 return (TRUE);
4099
4100 fail:
4101 return (FALSE);
4102 }
4103
4104 static void
4105 necp_policy_apply_all(struct necp_session *session)
4106 {
4107 struct necp_session_policy *policy = NULL;
4108 struct necp_session_policy *temp_policy = NULL;
4109 struct kev_necp_policies_changed_data kev_data;
4110 kev_data.changed_count = 0;
4111
4112 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
4113
4114 // Remove exisiting applied policies
4115 if (session->dirty) {
4116 LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
4117 if (policy->pending_deletion) {
4118 if (policy->applied) {
4119 necp_policy_unapply(policy);
4120 }
4121 // Delete the policy
4122 necp_policy_delete(session, policy);
4123 } else if (!policy->applied) {
4124 necp_policy_apply(session, policy);
4125 } else if (policy->pending_update) {
4126 // Must have been applied, but needs an update. Remove and re-add.
4127 necp_policy_unapply(policy);
4128 necp_policy_apply(session, policy);
4129 }
4130 }
4131
4132 necp_kernel_socket_policies_update_uuid_table();
4133 necp_kernel_socket_policies_reprocess();
4134 necp_kernel_ip_output_policies_reprocess();
4135
4136 // Clear dirty bit flags
4137 session->dirty = FALSE;
4138 }
4139
4140 lck_rw_done(&necp_kernel_policy_lock);
4141
4142 necp_update_all_clients();
4143 necp_post_change_event(&kev_data);
4144
4145 if (necp_debug) {
4146 NECPLOG0(LOG_DEBUG, "Applied NECP policies");
4147 }
4148 }
4149
4150 // Kernel Policy Management
4151 // ---------------------
4152 // Kernel policies are derived from session policies
4153 static necp_kernel_policy_id
4154 necp_kernel_policy_get_new_id(bool socket_level)
4155 {
4156 static necp_kernel_policy_id necp_last_kernel_socket_policy_id = 0;
4157 static necp_kernel_policy_id necp_last_kernel_ip_policy_id = 0;
4158
4159 necp_kernel_policy_id newid = NECP_KERNEL_POLICY_ID_NONE;
4160
4161 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4162
4163 if (socket_level) {
4164 bool wrapped = FALSE;
4165 do {
4166 necp_last_kernel_socket_policy_id++;
4167 if (necp_last_kernel_socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET ||
4168 necp_last_kernel_socket_policy_id >= NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
4169 if (wrapped) {
4170 // Already wrapped, give up
4171 NECPLOG0(LOG_ERR, "Failed to find a free socket kernel policy ID.\n");
4172 return (NECP_KERNEL_POLICY_ID_NONE);
4173 }
4174 necp_last_kernel_socket_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET;
4175 wrapped = TRUE;
4176 }
4177 newid = necp_last_kernel_socket_policy_id;
4178 } while (necp_kernel_socket_policy_find(newid) != NULL); // If already used, keep trying
4179 } else {
4180 bool wrapped = FALSE;
4181 do {
4182 necp_last_kernel_ip_policy_id++;
4183 if (necp_last_kernel_ip_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
4184 if (wrapped) {
4185 // Already wrapped, give up
4186 NECPLOG0(LOG_ERR, "Failed to find a free IP kernel policy ID.\n");
4187 return (NECP_KERNEL_POLICY_ID_NONE);
4188 }
4189 necp_last_kernel_ip_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_IP;
4190 wrapped = TRUE;
4191 }
4192 newid = necp_last_kernel_ip_policy_id;
4193 } while (necp_kernel_ip_output_policy_find(newid) != NULL); // If already used, keep trying
4194 }
4195
4196 if (newid == NECP_KERNEL_POLICY_ID_NONE) {
4197 NECPLOG0(LOG_ERR, "Allocate kernel policy id failed.\n");
4198 return (NECP_KERNEL_POLICY_ID_NONE);
4199 }
4200
4201 return (newid);
4202 }
4203
4204 #define NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT | NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT | NECP_KERNEL_CONDITION_AGENT_TYPE)
4205 static necp_kernel_policy_id
4206 necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
4207 {
4208 struct necp_kernel_socket_policy *new_kernel_policy = NULL;
4209 struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
4210
4211 MALLOC_ZONE(new_kernel_policy, struct necp_kernel_socket_policy *, sizeof(*new_kernel_policy), M_NECP_SOCKET_POLICY, M_WAITOK);
4212 if (new_kernel_policy == NULL) {
4213 goto done;
4214 }
4215
4216 memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
4217 new_kernel_policy->id = necp_kernel_policy_get_new_id(true);
4218 new_kernel_policy->order = order;
4219 new_kernel_policy->session_order = session_order;
4220 new_kernel_policy->session_pid = session_pid;
4221
4222 // Sanitize condition mask
4223 new_kernel_policy->condition_mask = (condition_mask & NECP_KERNEL_VALID_SOCKET_CONDITIONS);
4224 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE)) {
4225 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_BOUND_INTERFACE;
4226 }
4227 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
4228 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REAL_APP_ID;
4229 }
4230 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
4231 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_ENTITLEMENT;
4232 }
4233 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
4234 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
4235 }
4236 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
4237 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
4238 }
4239 new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
4240
4241 // Set condition values
4242 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
4243 new_kernel_policy->cond_app_id = cond_app_id;
4244 }
4245 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
4246 new_kernel_policy->cond_real_app_id = cond_real_app_id;
4247 }
4248 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
4249 new_kernel_policy->cond_custom_entitlement = cond_custom_entitlement;
4250 new_kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_unknown;
4251 }
4252 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
4253 new_kernel_policy->cond_account_id = cond_account_id;
4254 }
4255 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
4256 new_kernel_policy->cond_domain = cond_domain;
4257 new_kernel_policy->cond_domain_dot_count = necp_count_dots(cond_domain, strlen(cond_domain));
4258 }
4259 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID) {
4260 new_kernel_policy->cond_pid = cond_pid;
4261 }
4262 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_UID) {
4263 new_kernel_policy->cond_uid = cond_uid;
4264 }
4265 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
4266 if (cond_bound_interface) {
4267 ifnet_reference(cond_bound_interface);
4268 }
4269 new_kernel_policy->cond_bound_interface = cond_bound_interface;
4270 }
4271 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
4272 new_kernel_policy->cond_traffic_class = cond_traffic_class;
4273 }
4274 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
4275 new_kernel_policy->cond_protocol = cond_protocol;
4276 }
4277 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
4278 memcpy(&new_kernel_policy->cond_local_start, cond_local_start, cond_local_start->sa.sa_len);
4279 }
4280 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
4281 memcpy(&new_kernel_policy->cond_local_end, cond_local_end, cond_local_end->sa.sa_len);
4282 }
4283 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
4284 new_kernel_policy->cond_local_prefix = cond_local_prefix;
4285 }
4286 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
4287 memcpy(&new_kernel_policy->cond_remote_start, cond_remote_start, cond_remote_start->sa.sa_len);
4288 }
4289 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
4290 memcpy(&new_kernel_policy->cond_remote_end, cond_remote_end, cond_remote_end->sa.sa_len);
4291 }
4292 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
4293 new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
4294 }
4295 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
4296 memcpy(&new_kernel_policy->cond_agent_type, cond_agent_type, sizeof(*cond_agent_type));
4297 }
4298
4299 new_kernel_policy->result = result;
4300 memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
4301
4302 if (necp_debug) {
4303 NECPLOG(LOG_DEBUG, "Added kernel policy: socket, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
4304 }
4305 LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
4306 done:
4307 return (new_kernel_policy ? new_kernel_policy->id : 0);
4308 }
4309
4310 static struct necp_kernel_socket_policy *
4311 necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id)
4312 {
4313 struct necp_kernel_socket_policy *kernel_policy = NULL;
4314 struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
4315
4316 if (policy_id == 0) {
4317 return (NULL);
4318 }
4319
4320 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) {
4321 if (kernel_policy->id == policy_id) {
4322 return (kernel_policy);
4323 }
4324 }
4325
4326 return (NULL);
4327 }
4328
4329 static bool
4330 necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id)
4331 {
4332 struct necp_kernel_socket_policy *policy = NULL;
4333
4334 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4335
4336 policy = necp_kernel_socket_policy_find(policy_id);
4337 if (policy) {
4338 LIST_REMOVE(policy, chain);
4339
4340 if (policy->cond_bound_interface) {
4341 ifnet_release(policy->cond_bound_interface);
4342 policy->cond_bound_interface = NULL;
4343 }
4344
4345 if (policy->cond_domain) {
4346 FREE(policy->cond_domain, M_NECP);
4347 policy->cond_domain = NULL;
4348 }
4349
4350 if (policy->cond_custom_entitlement) {
4351 FREE(policy->cond_custom_entitlement, M_NECP);
4352 policy->cond_custom_entitlement = NULL;
4353 }
4354
4355 FREE_ZONE(policy, sizeof(*policy), M_NECP_SOCKET_POLICY);
4356 return (TRUE);
4357 }
4358
4359 return (FALSE);
4360 }
4361
4362 static inline const char *
4363 necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
4364 {
4365 uuid_string_t uuid_string;
4366 switch (result) {
4367 case NECP_KERNEL_POLICY_RESULT_NONE: {
4368 snprintf(result_string, MAX_RESULT_STRING_LEN, "None");
4369 break;
4370 }
4371 case NECP_KERNEL_POLICY_RESULT_PASS: {
4372 snprintf(result_string, MAX_RESULT_STRING_LEN, "Pass");
4373 break;
4374 }
4375 case NECP_KERNEL_POLICY_RESULT_SKIP: {
4376 snprintf(result_string, MAX_RESULT_STRING_LEN, "Skip (%u)", result_parameter.skip_policy_order);
4377 break;
4378 }
4379 case NECP_KERNEL_POLICY_RESULT_DROP: {
4380 snprintf(result_string, MAX_RESULT_STRING_LEN, "Drop");
4381 break;
4382 }
4383 case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
4384 snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketDivert (%d)", result_parameter.flow_divert_control_unit);
4385 break;
4386 }
4387 case NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER: {
4388 snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketFilter (%d)", result_parameter.filter_control_unit);
4389 break;
4390 }
4391 case NECP_KERNEL_POLICY_RESULT_IP_TUNNEL: {
4392 ifnet_t interface = ifindex2ifnet[result_parameter.tunnel_interface_index];
4393 snprintf(result_string, MAX_RESULT_STRING_LEN, "IPTunnel (%s%d)", ifnet_name(interface), ifnet_unit(interface));
4394 break;
4395 }
4396 case NECP_KERNEL_POLICY_RESULT_IP_FILTER: {
4397 snprintf(result_string, MAX_RESULT_STRING_LEN, "IPFilter");
4398 break;
4399 }
4400 case NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED: {
4401 ifnet_t interface = ifindex2ifnet[result_parameter.scoped_interface_index];
4402 snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketScoped (%s%d)", ifnet_name(interface), ifnet_unit(interface));
4403 break;
4404 }
4405 case NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT: {
4406 snprintf(result_string, MAX_RESULT_STRING_LEN, "ScopedDirect");
4407 break;
4408 }
4409 case NECP_KERNEL_POLICY_RESULT_ROUTE_RULES: {
4410 int index = 0;
4411 char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
4412 struct necp_route_rule *route_rule = necp_lookup_route_rule_locked(&necp_route_rules, result_parameter.route_rule_id);
4413 if (route_rule != NULL) {
4414 for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
4415 if (route_rule->exception_if_indices[index] != 0) {
4416 ifnet_t interface = ifindex2ifnet[route_rule->exception_if_indices[index]];
4417 snprintf(interface_names[index], IFXNAMSIZ, "%s%d", ifnet_name(interface), ifnet_unit(interface));
4418 } else {
4419 memset(interface_names[index], 0, IFXNAMSIZ);
4420 }
4421 }
4422 switch (route_rule->default_action) {
4423 case NECP_ROUTE_RULE_DENY_INTERFACE:
4424 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Only %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
4425 (route_rule->cellular_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Cell " : "",
4426 (route_rule->wifi_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "WiFi " : "",
4427 (route_rule->wired_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Wired " : "",
4428 (route_rule->expensive_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Exp " : "",
4429 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[0] : "",
4430 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4431 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[1] : "",
4432 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4433 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[2] : "",
4434 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4435 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[3] : "",
4436 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4437 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[4] : "",
4438 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4439 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[5] : "",
4440 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4441 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[6] : "",
4442 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4443 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[7] : "",
4444 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4445 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[8] : "",
4446 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4447 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[9] : "");
4448 break;
4449 case NECP_ROUTE_RULE_ALLOW_INTERFACE:
4450 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
4451 (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Cell " : "",
4452 (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!WiFi " : "",
4453 (route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Wired " : "",
4454 (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Exp " : "",
4455 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4456 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[0] : "",
4457 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4458 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[1] : "",
4459 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4460 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[2] : "",
4461 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4462 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[3] : "",
4463 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4464 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[4] : "",
4465 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4466 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[5] : "",
4467 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4468 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[6] : "",
4469 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4470 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[7] : "",
4471 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4472 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[8] : "",
4473 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4474 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[9] : "");
4475 break;
4476 case NECP_ROUTE_RULE_QOS_MARKING:
4477 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (QoSMarking %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
4478 (route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Cell " : "",
4479 (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING) ? "WiFi " : "",
4480 (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Wired " : "",
4481 (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Exp " : "",
4482 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[0] : "",
4483 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4484 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[1] : "",
4485 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4486 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[2] : "",
4487 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4488 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[3] : "",
4489 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4490 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[4] : "",
4491 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4492 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[5] : "",
4493 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4494 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[6] : "",
4495 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4496 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[7] : "",
4497 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4498 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[8] : "",
4499 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4500 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[9] : "");
4501 break;
4502 default:
4503 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Unknown)");
4504 break;
4505 }
4506 }
4507 break;
4508 }
4509 case NECP_KERNEL_POLICY_RESULT_USE_NETAGENT: {
4510 bool found_mapping = FALSE;
4511 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
4512 if (mapping != NULL) {
4513 uuid_unparse(mapping->uuid, uuid_string);
4514 found_mapping = TRUE;
4515 }
4516 snprintf(result_string, MAX_RESULT_STRING_LEN, "UseNetAgent (%s)", found_mapping ? uuid_string : "Unknown");
4517 break;
4518 }
4519 case NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED: {
4520 bool found_mapping = FALSE;
4521 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
4522 if (mapping != NULL) {
4523 uuid_unparse(mapping->uuid, uuid_string);
4524 found_mapping = TRUE;
4525 }
4526 snprintf(result_string, MAX_RESULT_STRING_LEN, "NetAgentScoped (%s)", found_mapping ? uuid_string : "Unknown");
4527 break;
4528 }
4529 case NECP_POLICY_RESULT_TRIGGER: {
4530 bool found_mapping = FALSE;
4531 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4532 if (mapping != NULL) {
4533 uuid_unparse(mapping->uuid, uuid_string);
4534 found_mapping = TRUE;
4535 }
4536 snprintf(result_string, MAX_RESULT_STRING_LEN, "Trigger (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4537 break;
4538 }
4539 case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED: {
4540 bool found_mapping = FALSE;
4541 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4542 if (mapping != NULL) {
4543 uuid_unparse(mapping->uuid, uuid_string);
4544 found_mapping = TRUE;
4545 }
4546 snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerIfNeeded (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4547 break;
4548 }
4549 case NECP_POLICY_RESULT_TRIGGER_SCOPED: {
4550 bool found_mapping = FALSE;
4551 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4552 if (mapping != NULL) {
4553 uuid_unparse(mapping->uuid, uuid_string);
4554 found_mapping = TRUE;
4555 }
4556 snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4557 break;
4558 }
4559 case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
4560 bool found_mapping = FALSE;
4561 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4562 if (mapping != NULL) {
4563 uuid_unparse(mapping->uuid, uuid_string);
4564 found_mapping = TRUE;
4565 }
4566 snprintf(result_string, MAX_RESULT_STRING_LEN, "NoTriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4567 break;
4568 }
4569 default: {
4570 snprintf(result_string, MAX_RESULT_STRING_LEN, "Unknown %d (%d)", result, result_parameter.tunnel_interface_index);
4571 break;
4572 }
4573 }
4574 return (result_string);
4575 }
4576
4577 static void
4578 necp_kernel_socket_policies_dump_all(void)
4579 {
4580 if (necp_debug) {
4581 struct necp_kernel_socket_policy *policy = NULL;
4582 int policy_i;
4583 int app_i;
4584 char result_string[MAX_RESULT_STRING_LEN];
4585 char proc_name_string[MAXCOMLEN + 1];
4586 memset(result_string, 0, MAX_RESULT_STRING_LEN);
4587 memset(proc_name_string, 0, MAXCOMLEN + 1);
4588
4589 NECPLOG0(LOG_DEBUG, "NECP Application Policies:\n");
4590 NECPLOG0(LOG_DEBUG, "-----------\n");
4591 for (policy_i = 0; necp_kernel_socket_policies_app_layer_map != NULL && necp_kernel_socket_policies_app_layer_map[policy_i] != NULL; policy_i++) {
4592 policy = necp_kernel_socket_policies_app_layer_map[policy_i];
4593 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
4594 NECPLOG(LOG_DEBUG, "\t%3d. Policy ID: %5d\tProcess: %10.10s\tOrder: %04d.%04d\tMask: %5x\tResult: %s\n", policy_i, policy->id, proc_name_string, policy->session_order, policy->order, policy->condition_mask, necp_get_result_description(result_string, policy->result, policy->result_parameter));
4595 }
4596 if (necp_kernel_socket_policies_app_layer_map[0] != NULL) {
4597 NECPLOG0(LOG_DEBUG, "-----------\n");
4598 }
4599
4600 NECPLOG0(LOG_DEBUG, "NECP Socket Policies:\n");
4601 NECPLOG0(LOG_DEBUG, "-----------\n");
4602 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4603 NECPLOG(LOG_DEBUG, "\tApp Bucket: %d\n", app_i);
4604 for (policy_i = 0; necp_kernel_socket_policies_map[app_i] != NULL && (necp_kernel_socket_policies_map[app_i])[policy_i] != NULL; policy_i++) {
4605 policy = (necp_kernel_socket_policies_map[app_i])[policy_i];
4606 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
4607 NECPLOG(LOG_DEBUG, "\t%3d. Policy ID: %5d\tProcess: %10.10s\tOrder: %04d.%04d\tMask: %5x\tResult: %s\n", policy_i, policy->id, proc_name_string, policy->session_order, policy->order, policy->condition_mask, necp_get_result_description(result_string, policy->result, policy->result_parameter));
4608 }
4609 NECPLOG0(LOG_DEBUG, "-----------\n");
4610 }
4611 }
4612 }
4613
4614 static inline bool
4615 necp_kernel_socket_result_is_trigger_service_type(struct necp_kernel_socket_policy *kernel_policy)
4616 {
4617 return (kernel_policy->result >= NECP_KERNEL_POLICY_RESULT_TRIGGER && kernel_policy->result <= NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED);
4618 }
4619
4620 static inline bool
4621 necp_kernel_socket_policy_results_overlap(struct necp_kernel_socket_policy *upper_policy, struct necp_kernel_socket_policy *lower_policy)
4622 {
4623 if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_DROP) {
4624 // Drop always cancels out lower policies
4625 return (TRUE);
4626 } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER ||
4627 upper_policy->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES ||
4628 upper_policy->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
4629 upper_policy->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
4630 // Filters and route rules never cancel out lower policies
4631 return (FALSE);
4632 } else if (necp_kernel_socket_result_is_trigger_service_type(upper_policy)) {
4633 // Trigger/Scoping policies can overlap one another, but not other results
4634 return (necp_kernel_socket_result_is_trigger_service_type(lower_policy));
4635 } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
4636 if (upper_policy->session_order != lower_policy->session_order) {
4637 // A skip cannot override a policy of a different session
4638 return (FALSE);
4639 } else {
4640 if (upper_policy->result_parameter.skip_policy_order == 0 ||
4641 lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
4642 // This policy is beyond the skip
4643 return (FALSE);
4644 } else {
4645 // This policy is inside the skip
4646 return (TRUE);
4647 }
4648 }
4649 }
4650
4651 // A hard pass, flow divert, tunnel, or scope will currently block out lower policies
4652 return (TRUE);
4653 }
4654
4655 static bool
4656 necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *policy, struct necp_kernel_socket_policy **policy_array, int valid_indices)
4657 {
4658 bool can_skip = FALSE;
4659 u_int32_t highest_skip_session_order = 0;
4660 u_int32_t highest_skip_order = 0;
4661 int i;
4662 for (i = 0; i < valid_indices; i++) {
4663 struct necp_kernel_socket_policy *compared_policy = policy_array[i];
4664
4665 // For policies in a skip window, we can't mark conflicting policies as unnecessary
4666 if (can_skip) {
4667 if (highest_skip_session_order != compared_policy->session_order ||
4668 (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
4669 // If we've moved on to the next session, or passed the skip window
4670 highest_skip_session_order = 0;
4671 highest_skip_order = 0;
4672 can_skip = FALSE;
4673 } else {
4674 // If this policy is also a skip, in can increase the skip window
4675 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
4676 if (compared_policy->result_parameter.skip_policy_order > highest_skip_order) {
4677 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
4678 }
4679 }
4680 continue;
4681 }
4682 }
4683
4684 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
4685 // This policy is a skip. Set the skip window accordingly
4686 can_skip = TRUE;
4687 highest_skip_session_order = compared_policy->session_order;
4688 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
4689 }
4690
4691 // The result of the compared policy must be able to block out this policy result
4692 if (!necp_kernel_socket_policy_results_overlap(compared_policy, policy)) {
4693 continue;
4694 }
4695
4696 // If new policy matches All Interfaces, compared policy must also
4697 if ((policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
4698 continue;
4699 }
4700
4701 // Default makes lower policies unecessary always
4702 if (compared_policy->condition_mask == 0) {
4703 return (TRUE);
4704 }
4705
4706 // Compared must be more general than policy, and include only conditions within policy
4707 if ((policy->condition_mask & compared_policy->condition_mask) != compared_policy->condition_mask) {
4708 continue;
4709 }
4710
4711 // Negative conditions must match for the overlapping conditions
4712 if ((policy->condition_negated_mask & compared_policy->condition_mask) != (compared_policy->condition_negated_mask & compared_policy->condition_mask)) {
4713 continue;
4714 }
4715
4716 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN &&
4717 strcmp(compared_policy->cond_domain, policy->cond_domain) != 0) {
4718 continue;
4719 }
4720
4721 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT &&
4722 strcmp(compared_policy->cond_custom_entitlement, policy->cond_custom_entitlement) != 0) {
4723 continue;
4724 }
4725
4726 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID &&
4727 compared_policy->cond_account_id != policy->cond_account_id) {
4728 continue;
4729 }
4730
4731 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
4732 compared_policy->cond_policy_id != policy->cond_policy_id) {
4733 continue;
4734 }
4735
4736 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID &&
4737 compared_policy->cond_app_id != policy->cond_app_id) {
4738 continue;
4739 }
4740
4741 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID &&
4742 compared_policy->cond_real_app_id != policy->cond_real_app_id) {
4743 continue;
4744 }
4745
4746 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PID &&
4747 compared_policy->cond_pid != policy->cond_pid) {
4748 continue;
4749 }
4750
4751 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_UID &&
4752 compared_policy->cond_uid != policy->cond_uid) {
4753 continue;
4754 }
4755
4756 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
4757 compared_policy->cond_bound_interface != policy->cond_bound_interface) {
4758 continue;
4759 }
4760
4761 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
4762 compared_policy->cond_protocol != policy->cond_protocol) {
4763 continue;
4764 }
4765
4766 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS &&
4767 !(compared_policy->cond_traffic_class.start_tc <= policy->cond_traffic_class.start_tc &&
4768 compared_policy->cond_traffic_class.end_tc >= policy->cond_traffic_class.end_tc)) {
4769 continue;
4770 }
4771
4772 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
4773 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
4774 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&policy->cond_local_end, (struct sockaddr *)&compared_policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_end)) {
4775 continue;
4776 }
4777 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
4778 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
4779 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
4780 continue;
4781 }
4782 }
4783 }
4784
4785 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
4786 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
4787 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&policy->cond_remote_end, (struct sockaddr *)&compared_policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_end)) {
4788 continue;
4789 }
4790 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
4791 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
4792 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
4793 continue;
4794 }
4795 }
4796 }
4797
4798 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE &&
4799 memcmp(&compared_policy->cond_agent_type, &policy->cond_agent_type, sizeof(policy->cond_agent_type)) == 0) {
4800 continue;
4801 }
4802
4803 return (TRUE);
4804 }
4805
4806 return (FALSE);
4807 }
4808
4809 static bool
4810 necp_kernel_socket_policies_reprocess(void)
4811 {
4812 int app_i;
4813 int bucket_allocation_counts[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
4814 int bucket_current_free_index[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
4815 int app_layer_allocation_count = 0;
4816 int app_layer_current_free_index = 0;
4817 struct necp_kernel_socket_policy *kernel_policy = NULL;
4818
4819 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4820
4821 // Reset mask to 0
4822 necp_kernel_application_policies_condition_mask = 0;
4823 necp_kernel_socket_policies_condition_mask = 0;
4824 necp_kernel_application_policies_count = 0;
4825 necp_kernel_socket_policies_count = 0;
4826 necp_kernel_socket_policies_non_app_count = 0;
4827
4828 // Reset all maps to NULL
4829 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4830 if (necp_kernel_socket_policies_map[app_i] != NULL) {
4831 FREE(necp_kernel_socket_policies_map[app_i], M_NECP);
4832 necp_kernel_socket_policies_map[app_i] = NULL;
4833 }
4834
4835 // Init counts
4836 bucket_allocation_counts[app_i] = 0;
4837 }
4838 if (necp_kernel_socket_policies_app_layer_map != NULL) {
4839 FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
4840 necp_kernel_socket_policies_app_layer_map = NULL;
4841 }
4842
4843 // Create masks and counts
4844 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
4845 // App layer mask/count
4846 necp_kernel_application_policies_condition_mask |= kernel_policy->condition_mask;
4847 necp_kernel_application_policies_count++;
4848 app_layer_allocation_count++;
4849
4850 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
4851 // Agent type conditions only apply to app layer
4852 continue;
4853 }
4854
4855 // Update socket layer bucket mask/counts
4856 necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask;
4857 necp_kernel_socket_policies_count++;
4858
4859 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
4860 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
4861 necp_kernel_socket_policies_non_app_count++;
4862 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4863 bucket_allocation_counts[app_i]++;
4864 }
4865 } else {
4866 bucket_allocation_counts[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id)]++;
4867 }
4868 }
4869
4870 // Allocate maps
4871 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4872 if (bucket_allocation_counts[app_i] > 0) {
4873 // Allocate a NULL-terminated array of policy pointers for each bucket
4874 MALLOC(necp_kernel_socket_policies_map[app_i], struct necp_kernel_socket_policy **, sizeof(struct necp_kernel_socket_policy *) * (bucket_allocation_counts[app_i] + 1), M_NECP, M_WAITOK);
4875 if (necp_kernel_socket_policies_map[app_i] == NULL) {
4876 goto fail;
4877 }
4878
4879 // Initialize the first entry to NULL
4880 (necp_kernel_socket_policies_map[app_i])[0] = NULL;
4881 }
4882 bucket_current_free_index[app_i] = 0;
4883 }
4884 MALLOC(necp_kernel_socket_policies_app_layer_map, struct necp_kernel_socket_policy **, sizeof(struct necp_kernel_socket_policy *) * (app_layer_allocation_count + 1), M_NECP, M_WAITOK);
4885 if (necp_kernel_socket_policies_app_layer_map == NULL) {
4886 goto fail;
4887 }
4888 necp_kernel_socket_policies_app_layer_map[0] = NULL;
4889
4890 // Fill out maps
4891 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
4892 // Add app layer policies
4893 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
4894 necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
4895 app_layer_current_free_index++;
4896 necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
4897 }
4898
4899 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
4900 // Agent type conditions only apply to app layer
4901 continue;
4902 }
4903
4904 // Add socket policies
4905 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
4906 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
4907 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4908 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
4909 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
4910 bucket_current_free_index[app_i]++;
4911 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
4912 }
4913 }
4914 } else {
4915 app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id);
4916 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
4917 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
4918 bucket_current_free_index[app_i]++;
4919 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
4920 }
4921 }
4922 }
4923 necp_kernel_socket_policies_dump_all();
4924 BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT();
4925 return (TRUE);
4926
4927 fail:
4928 // Free memory, reset masks to 0
4929 necp_kernel_application_policies_condition_mask = 0;
4930 necp_kernel_socket_policies_condition_mask = 0;
4931 necp_kernel_application_policies_count = 0;
4932 necp_kernel_socket_policies_count = 0;
4933 necp_kernel_socket_policies_non_app_count = 0;
4934 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4935 if (necp_kernel_socket_policies_map[app_i] != NULL) {
4936 FREE(necp_kernel_socket_policies_map[app_i], M_NECP);
4937 necp_kernel_socket_policies_map[app_i] = NULL;
4938 }
4939 }
4940 if (necp_kernel_socket_policies_app_layer_map != NULL) {
4941 FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
4942 necp_kernel_socket_policies_app_layer_map = NULL;
4943 }
4944 return (FALSE);
4945 }
4946
4947 static u_int32_t
4948 necp_get_new_string_id(void)
4949 {
4950 static u_int32_t necp_last_string_id = 0;
4951
4952 u_int32_t newid = 0;
4953
4954 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4955
4956 bool wrapped = FALSE;
4957 do {
4958 necp_last_string_id++;
4959 if (necp_last_string_id < 1) {
4960 if (wrapped) {
4961 // Already wrapped, give up
4962 NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
4963 return (0);
4964 }
4965 necp_last_string_id = 1;
4966 wrapped = TRUE;
4967 }
4968 newid = necp_last_string_id;
4969 } while (necp_lookup_string_with_id_locked(&necp_account_id_list, newid) != NULL); // If already used, keep trying
4970
4971 if (newid == 0) {
4972 NECPLOG0(LOG_ERR, "Allocate string id failed.\n");
4973 return (0);
4974 }
4975
4976 return (newid);
4977 }
4978
4979 static struct necp_string_id_mapping *
4980 necp_lookup_string_to_id_locked(struct necp_string_id_mapping_list *list, char *string)
4981 {
4982 struct necp_string_id_mapping *searchentry = NULL;
4983 struct necp_string_id_mapping *foundentry = NULL;
4984
4985 LIST_FOREACH(searchentry, list, chain) {
4986 if (strcmp(searchentry->string, string) == 0) {
4987 foundentry = searchentry;
4988 break;
4989 }
4990 }
4991
4992 return (foundentry);
4993 }
4994
4995 static struct necp_string_id_mapping *
4996 necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id)
4997 {
4998 struct necp_string_id_mapping *searchentry = NULL;
4999 struct necp_string_id_mapping *foundentry = NULL;
5000
5001 LIST_FOREACH(searchentry, list, chain) {
5002 if (searchentry->id == local_id) {
5003 foundentry = searchentry;
5004 break;
5005 }
5006 }
5007
5008 return (foundentry);
5009 }
5010
5011 static u_int32_t
5012 necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *string)
5013 {
5014 u_int32_t string_id = 0;
5015 struct necp_string_id_mapping *existing_mapping = NULL;
5016
5017 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5018
5019 existing_mapping = necp_lookup_string_to_id_locked(list, string);
5020 if (existing_mapping != NULL) {
5021 string_id = existing_mapping->id;
5022 existing_mapping->refcount++;
5023 } else {
5024 struct necp_string_id_mapping *new_mapping = NULL;
5025 MALLOC(new_mapping, struct necp_string_id_mapping *, sizeof(struct necp_string_id_mapping), M_NECP, M_WAITOK);
5026 if (new_mapping != NULL) {
5027 memset(new_mapping, 0, sizeof(struct necp_string_id_mapping));
5028
5029 size_t length = strlen(string) + 1;
5030 MALLOC(new_mapping->string, char *, length, M_NECP, M_WAITOK);
5031 if (new_mapping->string != NULL) {
5032 memcpy(new_mapping->string, string, length);
5033 new_mapping->id = necp_get_new_string_id();
5034 new_mapping->refcount = 1;
5035 LIST_INSERT_HEAD(list, new_mapping, chain);
5036 string_id = new_mapping->id;
5037 } else {
5038 FREE(new_mapping, M_NECP);
5039 new_mapping = NULL;
5040 }
5041 }
5042 }
5043 return (string_id);
5044 }
5045
5046 static bool
5047 necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *string)
5048 {
5049 struct necp_string_id_mapping *existing_mapping = NULL;
5050
5051 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5052
5053 existing_mapping = necp_lookup_string_to_id_locked(list, string);
5054 if (existing_mapping != NULL) {
5055 if (--existing_mapping->refcount == 0) {
5056 LIST_REMOVE(existing_mapping, chain);
5057 FREE(existing_mapping->string, M_NECP);
5058 FREE(existing_mapping, M_NECP);
5059 }
5060 return (TRUE);
5061 }
5062
5063 return (FALSE);
5064 }
5065
5066 #define NECP_FIRST_VALID_ROUTE_RULE_ID 1
5067 #define NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID UINT16_MAX
5068 static u_int32_t
5069 necp_get_new_route_rule_id(bool aggregate)
5070 {
5071 static u_int32_t necp_last_route_rule_id = 0;
5072 static u_int32_t necp_last_aggregate_route_rule_id = 0;
5073
5074 u_int32_t newid = 0;
5075
5076 if (!aggregate) {
5077 // Main necp_kernel_policy_lock protects non-aggregate rule IDs
5078 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5079
5080 bool wrapped = FALSE;
5081 do {
5082 necp_last_route_rule_id++;
5083 if (necp_last_route_rule_id < NECP_FIRST_VALID_ROUTE_RULE_ID ||
5084 necp_last_route_rule_id >= NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
5085 if (wrapped) {
5086 // Already wrapped, give up
5087 NECPLOG0(LOG_ERR, "Failed to find a free route rule id.\n");
5088 return (0);
5089 }
5090 necp_last_route_rule_id = NECP_FIRST_VALID_ROUTE_RULE_ID;
5091 wrapped = TRUE;
5092 }
5093 newid = necp_last_route_rule_id;
5094 } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
5095 } else {
5096 // necp_route_rule_lock protects aggregate rule IDs
5097 LCK_RW_ASSERT(&necp_route_rule_lock, LCK_RW_ASSERT_EXCLUSIVE);
5098
5099 bool wrapped = FALSE;
5100 do {
5101 necp_last_aggregate_route_rule_id++;
5102 if (necp_last_aggregate_route_rule_id < NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
5103 if (wrapped) {
5104 // Already wrapped, give up
5105 NECPLOG0(LOG_ERR, "Failed to find a free aggregate route rule id.\n");
5106 return (0);
5107 }
5108 necp_last_aggregate_route_rule_id = NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID;
5109 wrapped = TRUE;
5110 }
5111 newid = necp_last_aggregate_route_rule_id;
5112 } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
5113 }
5114
5115 if (newid == 0) {
5116 NECPLOG0(LOG_ERR, "Allocate route rule ID failed.\n");
5117 return (0);
5118 }
5119
5120 return (newid);
5121 }
5122
5123 static struct necp_route_rule *
5124 necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id)
5125 {
5126 struct necp_route_rule *searchentry = NULL;
5127 struct necp_route_rule *foundentry = NULL;
5128
5129 LIST_FOREACH(searchentry, list, chain) {
5130 if (searchentry->id == route_rule_id) {
5131 foundentry = searchentry;
5132 break;
5133 }
5134 }
5135
5136 return (foundentry);
5137 }
5138
5139 static struct necp_route_rule *
5140 necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_int32_t default_action, u_int8_t cellular_action, u_int8_t wifi_action, u_int8_t wired_action, u_int8_t expensive_action, u_int32_t *if_indices, u_int8_t *if_actions)
5141 {
5142 struct necp_route_rule *searchentry = NULL;
5143 struct necp_route_rule *foundentry = NULL;
5144
5145 LIST_FOREACH(searchentry, list, chain) {
5146 if (searchentry->default_action == default_action &&
5147 searchentry->cellular_action == cellular_action &&
5148 searchentry->wifi_action == wifi_action &&
5149 searchentry->wired_action == wired_action &&
5150 searchentry->expensive_action == expensive_action) {
5151 bool match_failed = FALSE;
5152 size_t index_a = 0;
5153 size_t index_b = 0;
5154 size_t count_a = 0;
5155 size_t count_b = 0;
5156 for (index_a = 0; index_a < MAX_ROUTE_RULE_INTERFACES; index_a++) {
5157 bool found_index = FALSE;
5158 if (searchentry->exception_if_indices[index_a] == 0) {
5159 break;
5160 }
5161 count_a++;
5162 for (index_b = 0; index_b < MAX_ROUTE_RULE_INTERFACES; index_b++) {
5163 if (if_indices[index_b] == 0) {
5164 break;
5165 }
5166 if (index_b >= count_b) {
5167 count_b = index_b + 1;
5168 }
5169 if (searchentry->exception_if_indices[index_a] == if_indices[index_b] &&
5170 searchentry->exception_if_actions[index_a] == if_actions[index_b]) {
5171 found_index = TRUE;
5172 break;
5173 }
5174 }
5175 if (!found_index) {
5176 match_failed = TRUE;
5177 break;
5178 }
5179 }
5180 if (!match_failed && count_a == count_b) {
5181 foundentry = searchentry;
5182 break;
5183 }
5184 }
5185 }
5186
5187 return (foundentry);
5188 }
5189
5190 static u_int32_t
5191 necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size)
5192 {
5193 size_t offset = 0;
5194 u_int32_t route_rule_id = 0;
5195 struct necp_route_rule *existing_rule = NULL;
5196 u_int32_t default_action = NECP_ROUTE_RULE_ALLOW_INTERFACE;
5197 u_int8_t cellular_action = NECP_ROUTE_RULE_NONE;
5198 u_int8_t wifi_action = NECP_ROUTE_RULE_NONE;
5199 u_int8_t wired_action = NECP_ROUTE_RULE_NONE;
5200 u_int8_t expensive_action = NECP_ROUTE_RULE_NONE;
5201 u_int32_t if_indices[MAX_ROUTE_RULE_INTERFACES];
5202 size_t num_valid_indices = 0;
5203 memset(&if_indices, 0, sizeof(if_indices));
5204 u_int8_t if_actions[MAX_ROUTE_RULE_INTERFACES];
5205 memset(&if_actions, 0, sizeof(if_actions));
5206
5207 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5208
5209 if (route_rules_array == NULL || route_rules_array_size == 0) {
5210 return (0);
5211 }
5212
5213 // Process rules
5214 while (offset < route_rules_array_size) {
5215 ifnet_t rule_interface = NULL;
5216 char interface_name[IFXNAMSIZ];
5217 u_int32_t length = 0;
5218 u_int8_t *value = necp_buffer_get_tlv_value(route_rules_array, offset, &length);
5219
5220 u_int8_t rule_type = necp_policy_condition_get_type_from_buffer(value, length);
5221 u_int8_t rule_flags = necp_policy_condition_get_flags_from_buffer(value, length);
5222 u_int32_t rule_length = necp_policy_condition_get_value_length_from_buffer(value, length);
5223 u_int8_t *rule_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
5224
5225 if (rule_type == NECP_ROUTE_RULE_NONE) {
5226 // Don't allow an explicit rule to be None action
5227 continue;
5228 }
5229
5230 if (rule_length == 0) {
5231 if (rule_flags & NECP_ROUTE_RULE_FLAG_CELLULAR) {
5232 cellular_action = rule_type;
5233 }
5234 if (rule_flags & NECP_ROUTE_RULE_FLAG_WIFI) {
5235 wifi_action = rule_type;
5236 }
5237 if (rule_flags & NECP_ROUTE_RULE_FLAG_WIRED) {
5238 wired_action = rule_type;
5239 }
5240 if (rule_flags & NECP_ROUTE_RULE_FLAG_EXPENSIVE) {
5241 expensive_action = rule_type;
5242 }
5243 if (rule_flags == 0) {
5244 default_action = rule_type;
5245 }
5246 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
5247 continue;
5248 }
5249
5250 if (num_valid_indices >= MAX_ROUTE_RULE_INTERFACES) {
5251 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
5252 continue;
5253 }
5254
5255 if (rule_length <= IFXNAMSIZ) {
5256 memcpy(interface_name, rule_value, rule_length);
5257 interface_name[rule_length - 1] = 0; // Make sure the string is NULL terminated
5258 if (ifnet_find_by_name(interface_name, &rule_interface) == 0) {
5259 if_actions[num_valid_indices] = rule_type;
5260 if_indices[num_valid_indices++] = rule_interface->if_index;
5261 ifnet_release(rule_interface);
5262 }
5263 }
5264 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
5265 }
5266
5267 existing_rule = necp_lookup_route_rule_by_contents_locked(list, default_action, cellular_action, wifi_action, wired_action, expensive_action, if_indices, if_actions);
5268 if (existing_rule != NULL) {
5269 route_rule_id = existing_rule->id;
5270 existing_rule->refcount++;
5271 } else {
5272 struct necp_route_rule *new_rule = NULL;
5273 MALLOC(new_rule, struct necp_route_rule *, sizeof(struct necp_route_rule), M_NECP, M_WAITOK);
5274 if (new_rule != NULL) {
5275 memset(new_rule, 0, sizeof(struct necp_route_rule));
5276 route_rule_id = new_rule->id = necp_get_new_route_rule_id(false);
5277 new_rule->default_action = default_action;
5278 new_rule->cellular_action = cellular_action;
5279 new_rule->wifi_action = wifi_action;
5280 new_rule->wired_action = wired_action;
5281 new_rule->expensive_action = expensive_action;
5282 memcpy(&new_rule->exception_if_indices, &if_indices, sizeof(if_indices));
5283 memcpy(&new_rule->exception_if_actions, &if_actions, sizeof(if_actions));
5284 new_rule->refcount = 1;
5285 LIST_INSERT_HEAD(list, new_rule, chain);
5286 }
5287 }
5288 return (route_rule_id);
5289 }
5290
5291 static void
5292 necp_remove_aggregate_route_rule_for_id(u_int32_t rule_id)
5293 {
5294 if (rule_id) {
5295 lck_rw_lock_exclusive(&necp_route_rule_lock);
5296
5297 struct necp_aggregate_route_rule *existing_rule = NULL;
5298 struct necp_aggregate_route_rule *tmp_rule = NULL;
5299
5300 LIST_FOREACH_SAFE(existing_rule, &necp_aggregate_route_rules, chain, tmp_rule) {
5301 int index = 0;
5302 for (index = 0; index < MAX_AGGREGATE_ROUTE_RULES; index++) {
5303 u_int32_t route_rule_id = existing_rule->rule_ids[index];
5304 if (route_rule_id == rule_id) {
5305 LIST_REMOVE(existing_rule, chain);
5306 FREE(existing_rule, M_NECP);
5307 break;
5308 }
5309 }
5310 }
5311
5312 lck_rw_done(&necp_route_rule_lock);
5313 }
5314 }
5315
5316 static bool
5317 necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id)
5318 {
5319 struct necp_route_rule *existing_rule = NULL;
5320
5321 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5322
5323 existing_rule = necp_lookup_route_rule_locked(list, route_rule_id);
5324 if (existing_rule != NULL) {
5325 if (--existing_rule->refcount == 0) {
5326 necp_remove_aggregate_route_rule_for_id(existing_rule->id);
5327 LIST_REMOVE(existing_rule, chain);
5328 FREE(existing_rule, M_NECP);
5329 }
5330 return (TRUE);
5331 }
5332
5333 return (FALSE);
5334 }
5335
5336 static struct necp_aggregate_route_rule *
5337 necp_lookup_aggregate_route_rule_locked(u_int32_t route_rule_id)
5338 {
5339 struct necp_aggregate_route_rule *searchentry = NULL;
5340 struct necp_aggregate_route_rule *foundentry = NULL;
5341
5342 lck_rw_lock_shared(&necp_route_rule_lock);
5343
5344 LIST_FOREACH(searchentry, &necp_aggregate_route_rules, chain) {
5345 if (searchentry->id == route_rule_id) {
5346 foundentry = searchentry;
5347 break;
5348 }
5349 }
5350
5351 lck_rw_done(&necp_route_rule_lock);
5352
5353 return (foundentry);
5354 }
5355
5356 static u_int32_t
5357 necp_create_aggregate_route_rule(u_int32_t *rule_ids)
5358 {
5359 u_int32_t aggregate_route_rule_id = 0;
5360 struct necp_aggregate_route_rule *new_rule = NULL;
5361 struct necp_aggregate_route_rule *existing_rule = NULL;
5362
5363 LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
5364 if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
5365 return (existing_rule->id);
5366 }
5367 }
5368
5369 lck_rw_lock_exclusive(&necp_route_rule_lock);
5370
5371 LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
5372 // Re-check, in case something else created the rule while we are waiting to lock
5373 if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
5374 lck_rw_done(&necp_route_rule_lock);
5375 return (existing_rule->id);
5376 }
5377 }
5378
5379 MALLOC(new_rule, struct necp_aggregate_route_rule *, sizeof(struct necp_aggregate_route_rule), M_NECP, M_WAITOK);
5380 if (new_rule != NULL) {
5381 memset(new_rule, 0, sizeof(struct necp_aggregate_route_rule));
5382 aggregate_route_rule_id = new_rule->id = necp_get_new_route_rule_id(true);
5383 new_rule->id = aggregate_route_rule_id;
5384 memcpy(new_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES));
5385 LIST_INSERT_HEAD(&necp_aggregate_route_rules, new_rule, chain);
5386 }
5387 lck_rw_done(&necp_route_rule_lock);
5388
5389 return (aggregate_route_rule_id);
5390 }
5391
5392 #define NECP_NULL_SERVICE_ID 1
5393 #define NECP_FIRST_VALID_SERVICE_ID 2
5394 #define NECP_FIRST_VALID_APP_ID UINT16_MAX
5395 static u_int32_t
5396 necp_get_new_uuid_id(bool service)
5397 {
5398 static u_int32_t necp_last_service_uuid_id = 0;
5399 static u_int32_t necp_last_app_uuid_id = 0;
5400
5401 u_int32_t newid = 0;
5402
5403 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5404
5405 if (service) {
5406 bool wrapped = FALSE;
5407 do {
5408 necp_last_service_uuid_id++;
5409 if (necp_last_service_uuid_id < NECP_FIRST_VALID_SERVICE_ID ||
5410 necp_last_service_uuid_id >= NECP_FIRST_VALID_APP_ID) {
5411 if (wrapped) {
5412 // Already wrapped, give up
5413 NECPLOG0(LOG_ERR, "Failed to find a free service UUID.\n");
5414 return (NECP_NULL_SERVICE_ID);
5415 }
5416 necp_last_service_uuid_id = NECP_FIRST_VALID_SERVICE_ID;
5417 wrapped = TRUE;
5418 }
5419 newid = necp_last_service_uuid_id;
5420 } while (necp_uuid_lookup_uuid_with_service_id_locked(newid) != NULL); // If already used, keep trying
5421 } else {
5422 bool wrapped = FALSE;
5423 do {
5424 necp_last_app_uuid_id++;
5425 if (necp_last_app_uuid_id < NECP_FIRST_VALID_APP_ID) {
5426 if (wrapped) {
5427 // Already wrapped, give up
5428 NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
5429 return (NECP_NULL_SERVICE_ID);
5430 }
5431 necp_last_app_uuid_id = NECP_FIRST_VALID_APP_ID;
5432 wrapped = TRUE;
5433 }
5434 newid = necp_last_app_uuid_id;
5435 } while (necp_uuid_lookup_uuid_with_app_id_locked(newid) != NULL); // If already used, keep trying
5436 }
5437
5438 if (newid == NECP_NULL_SERVICE_ID) {
5439 NECPLOG0(LOG_ERR, "Allocate uuid ID failed.\n");
5440 return (NECP_NULL_SERVICE_ID);
5441 }
5442
5443 return (newid);
5444 }
5445
5446 static struct necp_uuid_id_mapping *
5447 necp_uuid_lookup_app_id_locked(uuid_t uuid)
5448 {
5449 struct necp_uuid_id_mapping *searchentry = NULL;
5450 struct necp_uuid_id_mapping *foundentry = NULL;
5451
5452 LIST_FOREACH(searchentry, APPUUIDHASH(uuid), chain) {
5453 if (uuid_compare(searchentry->uuid, uuid) == 0) {
5454 foundentry = searchentry;
5455 break;
5456 }
5457 }
5458
5459 return (foundentry);
5460 }
5461
5462 static struct necp_uuid_id_mapping *
5463 necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id)
5464 {
5465 struct necp_uuid_id_mapping *searchentry = NULL;
5466 struct necp_uuid_id_mapping *foundentry = NULL;
5467
5468 struct necp_uuid_id_mapping_head *uuid_list_head = NULL;
5469 for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
5470 LIST_FOREACH(searchentry, uuid_list_head, chain) {
5471 if (searchentry->id == local_id) {
5472 foundentry = searchentry;
5473 break;
5474 }
5475 }
5476 }
5477
5478 return (foundentry);
5479 }
5480
5481 static u_int32_t
5482 necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table)
5483 {
5484 u_int32_t local_id = 0;
5485 struct necp_uuid_id_mapping *existing_mapping = NULL;
5486
5487 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5488
5489 if (allocated_mapping) {
5490 *allocated_mapping = FALSE;
5491 }
5492
5493 existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
5494 if (existing_mapping != NULL) {
5495 local_id = existing_mapping->id;
5496 existing_mapping->refcount++;
5497 if (uuid_policy_table) {
5498 existing_mapping->table_refcount++;
5499 }
5500 } else {
5501 struct necp_uuid_id_mapping *new_mapping = NULL;
5502 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
5503 if (new_mapping != NULL) {
5504 uuid_copy(new_mapping->uuid, uuid);
5505 new_mapping->id = necp_get_new_uuid_id(false);
5506 new_mapping->refcount = 1;
5507 if (uuid_policy_table) {
5508 new_mapping->table_refcount = 1;
5509 } else {
5510 new_mapping->table_refcount = 0;
5511 }
5512
5513 LIST_INSERT_HEAD(APPUUIDHASH(uuid), new_mapping, chain);
5514
5515 if (allocated_mapping) {
5516 *allocated_mapping = TRUE;
5517 }
5518
5519 local_id = new_mapping->id;
5520 }
5521 }
5522
5523 return (local_id);
5524 }
5525
5526 static bool
5527 necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table)
5528 {
5529 struct necp_uuid_id_mapping *existing_mapping = NULL;
5530
5531 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5532
5533 if (removed_mapping) {
5534 *removed_mapping = FALSE;
5535 }
5536
5537 existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
5538 if (existing_mapping != NULL) {
5539 if (uuid_policy_table) {
5540 existing_mapping->table_refcount--;
5541 }
5542 if (--existing_mapping->refcount == 0) {
5543 LIST_REMOVE(existing_mapping, chain);
5544 FREE(existing_mapping, M_NECP);
5545 if (removed_mapping) {
5546 *removed_mapping = TRUE;
5547 }
5548 }
5549 return (TRUE);
5550 }
5551
5552 return (FALSE);
5553 }
5554
5555 static struct necp_uuid_id_mapping *
5556 necp_uuid_get_null_service_id_mapping(void)
5557 {
5558 static struct necp_uuid_id_mapping null_mapping;
5559 uuid_clear(null_mapping.uuid);
5560 null_mapping.id = NECP_NULL_SERVICE_ID;
5561
5562 return (&null_mapping);
5563 }
5564
5565 static struct necp_uuid_id_mapping *
5566 necp_uuid_lookup_service_id_locked(uuid_t uuid)
5567 {
5568 struct necp_uuid_id_mapping *searchentry = NULL;
5569 struct necp_uuid_id_mapping *foundentry = NULL;
5570
5571 if (uuid_is_null(uuid)) {
5572 return necp_uuid_get_null_service_id_mapping();
5573 }
5574
5575 LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
5576 if (uuid_compare(searchentry->uuid, uuid) == 0) {
5577 foundentry = searchentry;
5578 break;
5579 }
5580 }
5581
5582 return (foundentry);
5583 }
5584
5585 static struct necp_uuid_id_mapping *
5586 necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id)
5587 {
5588 struct necp_uuid_id_mapping *searchentry = NULL;
5589 struct necp_uuid_id_mapping *foundentry = NULL;
5590
5591 if (local_id == NECP_NULL_SERVICE_ID) {
5592 return necp_uuid_get_null_service_id_mapping();
5593 }
5594
5595 LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
5596 if (searchentry->id == local_id) {
5597 foundentry = searchentry;
5598 break;
5599 }
5600 }
5601
5602 return (foundentry);
5603 }
5604
5605 static u_int32_t
5606 necp_create_uuid_service_id_mapping(uuid_t uuid)
5607 {
5608 u_int32_t local_id = 0;
5609 struct necp_uuid_id_mapping *existing_mapping = NULL;
5610
5611 if (uuid_is_null(uuid)) {
5612 return (NECP_NULL_SERVICE_ID);
5613 }
5614
5615 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5616
5617 existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
5618 if (existing_mapping != NULL) {
5619 local_id = existing_mapping->id;
5620 existing_mapping->refcount++;
5621 } else {
5622 struct necp_uuid_id_mapping *new_mapping = NULL;
5623 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
5624 if (new_mapping != NULL) {
5625 uuid_copy(new_mapping->uuid, uuid);
5626 new_mapping->id = necp_get_new_uuid_id(true);
5627 new_mapping->refcount = 1;
5628
5629 LIST_INSERT_HEAD(&necp_uuid_service_id_list, new_mapping, chain);
5630
5631 local_id = new_mapping->id;
5632 }
5633 }
5634
5635 return (local_id);
5636 }
5637
5638 static bool
5639 necp_remove_uuid_service_id_mapping(uuid_t uuid)
5640 {
5641 struct necp_uuid_id_mapping *existing_mapping = NULL;
5642
5643 if (uuid_is_null(uuid)) {
5644 return (TRUE);
5645 }
5646
5647 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5648
5649 existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
5650 if (existing_mapping != NULL) {
5651 if (--existing_mapping->refcount == 0) {
5652 LIST_REMOVE(existing_mapping, chain);
5653 FREE(existing_mapping, M_NECP);
5654 }
5655 return (TRUE);
5656 }
5657
5658 return (FALSE);
5659 }
5660
5661
5662 static bool
5663 necp_kernel_socket_policies_update_uuid_table(void)
5664 {
5665 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5666
5667 if (necp_uuid_app_id_mappings_dirty) {
5668 if (proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_CLEAR, NULL, PROC_UUID_NECP_APP_POLICY) < 0) {
5669 NECPLOG0(LOG_DEBUG, "Error clearing uuids from policy table\n");
5670 return (FALSE);
5671 }
5672
5673 if (necp_num_uuid_app_id_mappings > 0) {
5674 struct necp_uuid_id_mapping_head *uuid_list_head = NULL;
5675 for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
5676 struct necp_uuid_id_mapping *mapping = NULL;
5677 LIST_FOREACH(mapping, uuid_list_head, chain) {
5678 if (mapping->table_refcount > 0 &&
5679 proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_ADD, mapping->uuid, PROC_UUID_NECP_APP_POLICY) < 0) {
5680 NECPLOG0(LOG_DEBUG, "Error adding uuid to policy table\n");
5681 }
5682 }
5683 }
5684 }
5685
5686 necp_uuid_app_id_mappings_dirty = FALSE;
5687 }
5688
5689 return (TRUE);
5690 }
5691
5692 #define NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE)
5693 static necp_kernel_policy_id
5694 necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
5695 {
5696 struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
5697 struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
5698
5699 MALLOC_ZONE(new_kernel_policy, struct necp_kernel_ip_output_policy *, sizeof(*new_kernel_policy), M_NECP_IP_POLICY, M_WAITOK);
5700 if (new_kernel_policy == NULL) {
5701 goto done;
5702 }
5703
5704 memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
5705 new_kernel_policy->id = necp_kernel_policy_get_new_id(false);
5706 new_kernel_policy->suborder = suborder;
5707 new_kernel_policy->order = order;
5708 new_kernel_policy->session_order = session_order;
5709 new_kernel_policy->session_pid = session_pid;
5710
5711 // Sanitize condition mask
5712 new_kernel_policy->condition_mask = (condition_mask & NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS);
5713 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE)) {
5714 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_BOUND_INTERFACE;
5715 }
5716 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
5717 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
5718 }
5719 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
5720 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
5721 }
5722 new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
5723
5724 // Set condition values
5725 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
5726 new_kernel_policy->cond_policy_id = cond_policy_id;
5727 }
5728 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
5729 if (cond_bound_interface) {
5730 ifnet_reference(cond_bound_interface);
5731 }
5732 new_kernel_policy->cond_bound_interface = cond_bound_interface;
5733 }
5734 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
5735 new_kernel_policy->cond_last_interface_index = cond_last_interface_index;
5736 }
5737 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
5738 new_kernel_policy->cond_protocol = cond_protocol;
5739 }
5740 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
5741 memcpy(&new_kernel_policy->cond_local_start, cond_local_start, cond_local_start->sa.sa_len);
5742 }
5743 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
5744 memcpy(&new_kernel_policy->cond_local_end, cond_local_end, cond_local_end->sa.sa_len);
5745 }
5746 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
5747 new_kernel_policy->cond_local_prefix = cond_local_prefix;
5748 }
5749 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
5750 memcpy(&new_kernel_policy->cond_remote_start, cond_remote_start, cond_remote_start->sa.sa_len);
5751 }
5752 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
5753 memcpy(&new_kernel_policy->cond_remote_end, cond_remote_end, cond_remote_end->sa.sa_len);
5754 }
5755 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
5756 new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
5757 }
5758
5759 new_kernel_policy->result = result;
5760 memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
5761
5762 if (necp_debug) {
5763 NECPLOG(LOG_DEBUG, "Added kernel policy: ip output, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
5764 }
5765 LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
5766 done:
5767 return (new_kernel_policy ? new_kernel_policy->id : 0);
5768 }
5769
5770 static struct necp_kernel_ip_output_policy *
5771 necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id)
5772 {
5773 struct necp_kernel_ip_output_policy *kernel_policy = NULL;
5774 struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
5775
5776 if (policy_id == 0) {
5777 return (NULL);
5778 }
5779
5780 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) {
5781 if (kernel_policy->id == policy_id) {
5782 return (kernel_policy);
5783 }
5784 }
5785
5786 return (NULL);
5787 }
5788
5789 static bool
5790 necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id)
5791 {
5792 struct necp_kernel_ip_output_policy *policy = NULL;
5793
5794 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5795
5796 policy = necp_kernel_ip_output_policy_find(policy_id);
5797 if (policy) {
5798 LIST_REMOVE(policy, chain);
5799
5800 if (policy->cond_bound_interface) {
5801 ifnet_release(policy->cond_bound_interface);
5802 policy->cond_bound_interface = NULL;
5803 }
5804
5805 FREE_ZONE(policy, sizeof(*policy), M_NECP_IP_POLICY);
5806 return (TRUE);
5807 }
5808
5809 return (FALSE);
5810 }
5811
5812 static void
5813 necp_kernel_ip_output_policies_dump_all(void)
5814 {
5815 if (necp_debug) {
5816 struct necp_kernel_ip_output_policy *policy = NULL;
5817 int policy_i;
5818 int id_i;
5819 char result_string[MAX_RESULT_STRING_LEN];
5820 char proc_name_string[MAXCOMLEN + 1];
5821 memset(result_string, 0, MAX_RESULT_STRING_LEN);
5822 memset(proc_name_string, 0, MAXCOMLEN + 1);
5823
5824 NECPLOG0(LOG_DEBUG, "NECP IP Output Policies:\n");
5825 NECPLOG0(LOG_DEBUG, "-----------\n");
5826 for (id_i = 0; id_i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; id_i++) {
5827 NECPLOG(LOG_DEBUG, " ID Bucket: %d\n", id_i);
5828 for (policy_i = 0; necp_kernel_ip_output_policies_map[id_i] != NULL && (necp_kernel_ip_output_policies_map[id_i])[policy_i] != NULL; policy_i++) {
5829 policy = (necp_kernel_ip_output_policies_map[id_i])[policy_i];
5830 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
5831 NECPLOG(LOG_DEBUG, "\t%3d. Policy ID: %5d\tProcess: %10.10s\tOrder: %04d.%04d.%d\tMask: %5x\tResult: %s\n", policy_i, policy->id, proc_name_string, policy->session_order, policy->order, policy->suborder, policy->condition_mask, necp_get_result_description(result_string, policy->result, policy->result_parameter));
5832 }
5833 NECPLOG0(LOG_DEBUG, "-----------\n");
5834 }
5835 }
5836 }
5837
5838 static inline bool
5839 necp_kernel_ip_output_policy_results_overlap(struct necp_kernel_ip_output_policy *upper_policy, struct necp_kernel_ip_output_policy *lower_policy)
5840 {
5841 if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5842 if (upper_policy->session_order != lower_policy->session_order) {
5843 // A skip cannot override a policy of a different session
5844 return (FALSE);
5845 } else {
5846 if (upper_policy->result_parameter.skip_policy_order == 0 ||
5847 lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
5848 // This policy is beyond the skip
5849 return (FALSE);
5850 } else {
5851 // This policy is inside the skip
5852 return (TRUE);
5853 }
5854 }
5855 }
5856
5857 // All other IP Output policy results (drop, tunnel, hard pass) currently overlap
5858 return (TRUE);
5859 }
5860
5861 static bool
5862 necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy *policy, struct necp_kernel_ip_output_policy **policy_array, int valid_indices)
5863 {
5864 bool can_skip = FALSE;
5865 u_int32_t highest_skip_session_order = 0;
5866 u_int32_t highest_skip_order = 0;
5867 int i;
5868 for (i = 0; i < valid_indices; i++) {
5869 struct necp_kernel_ip_output_policy *compared_policy = policy_array[i];
5870
5871 // For policies in a skip window, we can't mark conflicting policies as unnecessary
5872 if (can_skip) {
5873 if (highest_skip_session_order != compared_policy->session_order ||
5874 (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
5875 // If we've moved on to the next session, or passed the skip window
5876 highest_skip_session_order = 0;
5877 highest_skip_order = 0;
5878 can_skip = FALSE;
5879 } else {
5880 // If this policy is also a skip, in can increase the skip window
5881 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5882 if (compared_policy->result_parameter.skip_policy_order > highest_skip_order) {
5883 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
5884 }
5885 }
5886 continue;
5887 }
5888 }
5889
5890 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5891 // This policy is a skip. Set the skip window accordingly
5892 can_skip = TRUE;
5893 highest_skip_session_order = compared_policy->session_order;
5894 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
5895 }
5896
5897 // The result of the compared policy must be able to block out this policy result
5898 if (!necp_kernel_ip_output_policy_results_overlap(compared_policy, policy)) {
5899 continue;
5900 }
5901
5902 // If new policy matches All Interfaces, compared policy must also
5903 if ((policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
5904 continue;
5905 }
5906
5907 // Default makes lower policies unecessary always
5908 if (compared_policy->condition_mask == 0) {
5909 return (TRUE);
5910 }
5911
5912 // Compared must be more general than policy, and include only conditions within policy
5913 if ((policy->condition_mask & compared_policy->condition_mask) != compared_policy->condition_mask) {
5914 continue;
5915 }
5916
5917 // Negative conditions must match for the overlapping conditions
5918 if ((policy->condition_negated_mask & compared_policy->condition_mask) != (compared_policy->condition_negated_mask & compared_policy->condition_mask)) {
5919 continue;
5920 }
5921
5922 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
5923 compared_policy->cond_policy_id != policy->cond_policy_id) {
5924 continue;
5925 }
5926
5927 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
5928 compared_policy->cond_bound_interface != policy->cond_bound_interface) {
5929 continue;
5930 }
5931
5932 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
5933 compared_policy->cond_protocol != policy->cond_protocol) {
5934 continue;
5935 }
5936
5937 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
5938 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
5939 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&policy->cond_local_end, (struct sockaddr *)&compared_policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_end)) {
5940 continue;
5941 }
5942 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
5943 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
5944 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
5945 continue;
5946 }
5947 }
5948 }
5949
5950 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
5951 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
5952 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&policy->cond_remote_end, (struct sockaddr *)&compared_policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_end)) {
5953 continue;
5954 }
5955 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
5956 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
5957 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
5958 continue;
5959 }
5960 }
5961 }
5962
5963 return (TRUE);
5964 }
5965
5966 return (FALSE);
5967 }
5968
5969 static bool
5970 necp_kernel_ip_output_policies_reprocess(void)
5971 {
5972 int i;
5973 int bucket_allocation_counts[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
5974 int bucket_current_free_index[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
5975 struct necp_kernel_ip_output_policy *kernel_policy = NULL;
5976
5977 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5978
5979 // Reset mask to 0
5980 necp_kernel_ip_output_policies_condition_mask = 0;
5981 necp_kernel_ip_output_policies_count = 0;
5982 necp_kernel_ip_output_policies_non_id_count = 0;
5983
5984 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
5985 if (necp_kernel_ip_output_policies_map[i] != NULL) {
5986 FREE(necp_kernel_ip_output_policies_map[i], M_NECP);
5987 necp_kernel_ip_output_policies_map[i] = NULL;
5988 }
5989
5990 // Init counts
5991 bucket_allocation_counts[i] = 0;
5992 }
5993
5994 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
5995 // Update mask
5996 necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask;
5997 necp_kernel_ip_output_policies_count++;
5998
5999 /* Update bucket counts:
6000 * Non-id and SKIP policies will be added to all buckets
6001 */
6002 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
6003 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
6004 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
6005 bucket_allocation_counts[i]++;
6006 }
6007 }
6008 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
6009 necp_kernel_ip_output_policies_non_id_count++;
6010 } else {
6011 bucket_allocation_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id)]++;
6012 }
6013 }
6014
6015 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
6016 if (bucket_allocation_counts[i] > 0) {
6017 // Allocate a NULL-terminated array of policy pointers for each bucket
6018 MALLOC(necp_kernel_ip_output_policies_map[i], struct necp_kernel_ip_output_policy **, sizeof(struct necp_kernel_ip_output_policy *) * (bucket_allocation_counts[i] + 1), M_NECP, M_WAITOK);
6019 if (necp_kernel_ip_output_policies_map[i] == NULL) {
6020 goto fail;
6021 }
6022
6023 // Initialize the first entry to NULL
6024 (necp_kernel_ip_output_policies_map[i])[0] = NULL;
6025 }
6026 bucket_current_free_index[i] = 0;
6027 }
6028
6029 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
6030 // Insert pointers into map
6031 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
6032 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
6033 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
6034 if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
6035 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
6036 bucket_current_free_index[i]++;
6037 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
6038 }
6039 }
6040 } else {
6041 i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id);
6042 if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
6043 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
6044 bucket_current_free_index[i]++;
6045 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
6046 }
6047 }
6048 }
6049 necp_kernel_ip_output_policies_dump_all();
6050 return (TRUE);
6051
6052 fail:
6053 // Free memory, reset mask to 0
6054 necp_kernel_ip_output_policies_condition_mask = 0;
6055 necp_kernel_ip_output_policies_count = 0;
6056 necp_kernel_ip_output_policies_non_id_count = 0;
6057 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
6058 if (necp_kernel_ip_output_policies_map[i] != NULL) {
6059 FREE(necp_kernel_ip_output_policies_map[i], M_NECP);
6060 necp_kernel_ip_output_policies_map[i] = NULL;
6061 }
6062 }
6063 return (FALSE);
6064 }
6065
6066 // Outbound Policy Matching
6067 // ---------------------
6068 struct substring {
6069 char *string;
6070 size_t length;
6071 };
6072
6073 static struct substring
6074 necp_trim_dots_and_stars(char *string, size_t length)
6075 {
6076 struct substring sub;
6077 sub.string = string;
6078 sub.length = string ? length : 0;
6079
6080 while (sub.length && (sub.string[0] == '.' || sub.string[0] == '*')) {
6081 sub.string++;
6082 sub.length--;
6083 }
6084
6085 while (sub.length && (sub.string[sub.length - 1] == '.' || sub.string[sub.length - 1] == '*')) {
6086 sub.length--;
6087 }
6088
6089 return (sub);
6090 }
6091
6092 static char *
6093 necp_create_trimmed_domain(char *string, size_t length)
6094 {
6095 char *trimmed_domain = NULL;
6096 struct substring sub = necp_trim_dots_and_stars(string, length);
6097
6098 MALLOC(trimmed_domain, char *, sub.length + 1, M_NECP, M_WAITOK);
6099 if (trimmed_domain == NULL) {
6100 return (NULL);
6101 }
6102
6103 memcpy(trimmed_domain, sub.string, sub.length);
6104 trimmed_domain[sub.length] = 0;
6105
6106 return (trimmed_domain);
6107 }
6108
6109 static inline int
6110 necp_count_dots(char *string, size_t length)
6111 {
6112 int dot_count = 0;
6113 size_t i = 0;
6114
6115 for (i = 0; i < length; i++) {
6116 if (string[i] == '.') {
6117 dot_count++;
6118 }
6119 }
6120
6121 return (dot_count);
6122 }
6123
6124 static bool
6125 necp_check_suffix(struct substring parent, struct substring suffix, bool require_dot_before_suffix)
6126 {
6127 if (parent.length <= suffix.length) {
6128 return (FALSE);
6129 }
6130
6131 size_t length_difference = (parent.length - suffix.length);
6132
6133 if (require_dot_before_suffix) {
6134 if (((char *)(parent.string + length_difference - 1))[0] != '.') {
6135 return (FALSE);
6136 }
6137 }
6138
6139 // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
6140 return (strncasecmp(parent.string + length_difference, suffix.string, suffix.length) == 0);
6141 }
6142
6143 static bool
6144 necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostname_dot_count, char *domain, u_int8_t domain_dot_count)
6145 {
6146 if (hostname_substring.string == NULL || domain == NULL) {
6147 return (hostname_substring.string == domain);
6148 }
6149
6150 struct substring domain_substring;
6151 domain_substring.string = domain;
6152 domain_substring.length = strlen(domain);
6153
6154 if (hostname_dot_count == domain_dot_count) {
6155 // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
6156 if (hostname_substring.length == domain_substring.length &&
6157 strncasecmp(hostname_substring.string, domain_substring.string, hostname_substring.length) == 0) {
6158 return (TRUE);
6159 }
6160 } else if (domain_dot_count < hostname_dot_count) {
6161 if (necp_check_suffix(hostname_substring, domain_substring, TRUE)) {
6162 return (TRUE);
6163 }
6164 }
6165
6166 return (FALSE);
6167 }
6168
6169 static char *
6170 necp_copy_string(char *string, size_t length)
6171 {
6172 char *copied_string = NULL;
6173
6174 MALLOC(copied_string, char *, length + 1, M_NECP, M_WAITOK);
6175 if (copied_string == NULL) {
6176 return (NULL);
6177 }
6178
6179 memcpy(copied_string, string, length);
6180 copied_string[length] = 0;
6181
6182 return (copied_string);
6183 }
6184
6185 static u_int32_t
6186 necp_get_primary_direct_interface_index(void)
6187 {
6188 u_int32_t interface_index = IFSCOPE_NONE;
6189
6190 ifnet_head_lock_shared();
6191 struct ifnet *ordered_interface = NULL;
6192 TAILQ_FOREACH(ordered_interface, &ifnet_ordered_head, if_ordered_link) {
6193 const u_int8_t functional_type = if_functional_type(ordered_interface, TRUE);
6194 if (functional_type != IFRTYPE_FUNCTIONAL_UNKNOWN &&
6195 functional_type != IFRTYPE_FUNCTIONAL_LOOPBACK) {
6196 // All known, non-loopback functional types represent direct physical interfaces (Wi-Fi, Cellular, Wired)
6197 interface_index = ordered_interface->if_index;
6198 break;
6199 }
6200 }
6201 ifnet_head_done();
6202
6203 return interface_index;
6204 }
6205
6206 static inline void
6207 necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info)
6208 {
6209 task_t task = proc_task(proc ? proc : current_proc());
6210 coalition_t coal = COALITION_NULL;
6211 Boolean is_leader = coalition_is_leader(task, COALITION_TYPE_JETSAM, &coal);
6212
6213 if (is_leader == TRUE) {
6214 // No parent, nothing to do
6215 return;
6216 }
6217
6218 if (coal != NULL) {
6219 task_t lead_task = coalition_get_leader(coal);
6220 if (lead_task != NULL) {
6221 proc_t lead_proc = get_bsdtask_info(lead_task);
6222 if (lead_proc != NULL) {
6223 kauth_cred_t lead_cred = kauth_cred_proc_ref(lead_proc);
6224 if (lead_cred != NULL) {
6225 errno_t cred_result = priv_check_cred(lead_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
6226 kauth_cred_unref(&lead_cred);
6227 info->cred_result = cred_result;
6228 }
6229 }
6230 task_deallocate(lead_task);
6231 }
6232 }
6233 }
6234
6235 #define NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX)
6236 static void
6237 necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, proc_t proc, struct necp_socket_info *info)
6238 {
6239 memset(info, 0, sizeof(struct necp_socket_info));
6240
6241 info->pid = pid;
6242 info->uid = uid;
6243 info->protocol = protocol;
6244 info->bound_interface_index = bound_interface_index;
6245 info->traffic_class = traffic_class;
6246
6247 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT && proc != NULL) {
6248 info->cred_result = priv_check_cred(proc_ucred(proc), PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
6249 if (info->cred_result != 0) {
6250 // Process does not have entitlement, check the parent process
6251 necp_get_parent_cred_result(proc, info);
6252 }
6253 }
6254
6255 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(application_uuid)) {
6256 struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(application_uuid);
6257 if (existing_mapping) {
6258 info->application_id = existing_mapping->id;
6259 }
6260 }
6261
6262 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID && !uuid_is_null(real_application_uuid)) {
6263 if (uuid_compare(application_uuid, real_application_uuid) == 0) {
6264 info->real_application_id = info->application_id;
6265 } else {
6266 struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(real_application_uuid);
6267 if (existing_mapping) {
6268 info->real_application_id = existing_mapping->id;
6269 }
6270 }
6271 }
6272
6273 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && account != NULL) {
6274 struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, account);
6275 if (existing_mapping) {
6276 info->account_id = existing_mapping->id;
6277 }
6278 }
6279
6280 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
6281 info->domain = domain;
6282 }
6283
6284 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
6285 if (local_addr && local_addr->sa.sa_len > 0) {
6286 memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
6287 }
6288 if (remote_addr && remote_addr->sa.sa_len > 0) {
6289 memcpy(&info->remote_addr, remote_addr, remote_addr->sa.sa_len);
6290 }
6291 }
6292 }
6293
6294 static void
6295 necp_send_application_interface_denied_event(pid_t pid, uuid_t proc_uuid, u_int32_t if_functional_type)
6296 {
6297 struct kev_netpolicy_ifdenied ev_ifdenied;
6298
6299 bzero(&ev_ifdenied, sizeof(ev_ifdenied));
6300
6301 ev_ifdenied.ev_data.epid = pid;
6302 uuid_copy(ev_ifdenied.ev_data.euuid, proc_uuid);
6303 ev_ifdenied.ev_if_functional_type = if_functional_type;
6304
6305 netpolicy_post_msg(KEV_NETPOLICY_IFDENIED, &ev_ifdenied.ev_data, sizeof(ev_ifdenied));
6306 }
6307
6308 extern char *proc_name_address(void *p);
6309
6310 #define NECP_VERIFY_DELEGATION_ENTITLEMENT(_p, _d) \
6311 if (!has_checked_delegation_entitlement) { \
6312 has_delegation_entitlement = (priv_check_cred(proc_ucred(_p), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, 0) == 0); \
6313 has_checked_delegation_entitlement = TRUE; \
6314 } \
6315 if (!has_delegation_entitlement) { \
6316 NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to delegate network traffic for other processes by %s", \
6317 proc_name_address(_p), proc_pid(_p), _d); \
6318 break; \
6319 }
6320
6321 int
6322 necp_application_find_policy_match_internal(proc_t proc,
6323 u_int8_t *parameters,
6324 u_int32_t parameters_size,
6325 struct necp_aggregate_result *returned_result,
6326 u_int32_t *flags,
6327 u_int required_interface_index,
6328 const union necp_sockaddr_union *override_local_addr,
6329 const union necp_sockaddr_union *override_remote_addr,
6330 struct rtentry **returned_route, bool ignore_address)
6331 {
6332 int error = 0;
6333 size_t offset = 0;
6334
6335 struct necp_kernel_socket_policy *matched_policy = NULL;
6336 struct necp_socket_info info;
6337 necp_kernel_policy_filter filter_control_unit = 0;
6338 u_int32_t route_rule_id = 0;
6339 necp_kernel_policy_result service_action = 0;
6340 necp_kernel_policy_service service = { 0, 0 };
6341
6342 u_int16_t protocol = 0;
6343 u_int32_t bound_interface_index = required_interface_index;
6344 u_int32_t traffic_class = 0;
6345 u_int32_t client_flags = 0;
6346 union necp_sockaddr_union local_addr;
6347 union necp_sockaddr_union remote_addr;
6348 bool no_remote_addr = FALSE;
6349 u_int8_t remote_family = 0;
6350 bool no_local_addr = FALSE;
6351
6352 if (override_local_addr) {
6353 memcpy(&local_addr, override_local_addr, sizeof(local_addr));
6354 } else {
6355 memset(&local_addr, 0, sizeof(local_addr));
6356 }
6357 if (override_remote_addr) {
6358 memcpy(&remote_addr, override_remote_addr, sizeof(remote_addr));
6359 } else {
6360 memset(&remote_addr, 0, sizeof(remote_addr));
6361 }
6362
6363 // Initialize UID, PID, and UUIDs to the current process
6364 uid_t uid = kauth_cred_getuid(proc_ucred(proc));
6365 pid_t pid = proc_pid(proc);
6366 uuid_t application_uuid;
6367 uuid_clear(application_uuid);
6368 uuid_t real_application_uuid;
6369 uuid_clear(real_application_uuid);
6370 proc_getexecutableuuid(proc, real_application_uuid, sizeof(real_application_uuid));
6371 uuid_copy(application_uuid, real_application_uuid);
6372
6373 char *domain = NULL;
6374 char *account = NULL;
6375
6376 #define NECP_MAX_REQUIRED_AGENTS 16
6377 u_int32_t num_required_agent_types = 0;
6378 struct necp_client_parameter_netagent_type required_agent_types[NECP_MAX_REQUIRED_AGENTS];
6379 memset(&required_agent_types, 0, sizeof(required_agent_types));
6380
6381 u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
6382 u_int32_t netagent_use_flags[NECP_MAX_NETAGENTS];
6383 memset(&netagent_ids, 0, sizeof(netagent_ids));
6384 memset(&netagent_use_flags, 0, sizeof(netagent_use_flags));
6385 int netagent_cursor;
6386
6387 bool has_checked_delegation_entitlement = FALSE;
6388 bool has_delegation_entitlement = FALSE;
6389
6390 if (returned_result == NULL) {
6391 return (EINVAL);
6392 }
6393
6394 memset(returned_result, 0, sizeof(struct necp_aggregate_result));
6395
6396 lck_rw_lock_shared(&necp_kernel_policy_lock);
6397 if (necp_kernel_application_policies_count == 0) {
6398 if (necp_drop_all_order > 0) {
6399 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6400 lck_rw_done(&necp_kernel_policy_lock);
6401 return (0);
6402 }
6403 }
6404 lck_rw_done(&necp_kernel_policy_lock);
6405
6406 while ((offset + sizeof(u_int8_t) + sizeof(u_int32_t)) <= parameters_size) {
6407 u_int8_t type = necp_buffer_get_tlv_type(parameters, offset);
6408 u_int32_t length = necp_buffer_get_tlv_length(parameters, offset);
6409
6410 if (length > (parameters_size - (offset + sizeof(u_int8_t) + sizeof(u_int32_t)))) {
6411 // If the length is larger than what can fit in the remaining parameters size, bail
6412 NECPLOG(LOG_ERR, "Invalid TLV length (%u)", length);
6413 break;
6414 }
6415
6416 if (length > 0) {
6417 u_int8_t *value = necp_buffer_get_tlv_value(parameters, offset, NULL);
6418 if (value != NULL) {
6419 switch (type) {
6420 case NECP_CLIENT_PARAMETER_APPLICATION: {
6421 if (length >= sizeof(uuid_t)) {
6422 if (uuid_compare(application_uuid, value) == 0) {
6423 // No delegation
6424 break;
6425 }
6426
6427 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "euuid");
6428
6429 uuid_copy(application_uuid, value);
6430 }
6431 break;
6432 }
6433 case NECP_CLIENT_PARAMETER_REAL_APPLICATION: {
6434 if (length >= sizeof(uuid_t)) {
6435 if (uuid_compare(real_application_uuid, value) == 0) {
6436 // No delegation
6437 break;
6438 }
6439
6440 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uuid");
6441
6442 uuid_copy(real_application_uuid, value);
6443 }
6444 break;
6445 }
6446 case NECP_CLIENT_PARAMETER_PID: {
6447 if (length >= sizeof(pid_t)) {
6448 if (memcmp(&pid, value, sizeof(pid_t)) == 0) {
6449 // No delegation
6450 break;
6451 }
6452
6453 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "pid");
6454
6455 memcpy(&pid, value, sizeof(pid_t));
6456 }
6457 break;
6458 }
6459 case NECP_CLIENT_PARAMETER_UID: {
6460 if (length >= sizeof(uid_t)) {
6461 if (memcmp(&uid, value, sizeof(uid_t)) == 0) {
6462 // No delegation
6463 break;
6464 }
6465
6466 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uid");
6467
6468 memcpy(&uid, value, sizeof(uid_t));
6469 }
6470 break;
6471 }
6472 case NECP_CLIENT_PARAMETER_DOMAIN: {
6473 domain = (char *)value;
6474 domain[length - 1] = 0;
6475 break;
6476 }
6477 case NECP_CLIENT_PARAMETER_ACCOUNT: {
6478 account = (char *)value;
6479 account[length - 1] = 0;
6480 break;
6481 }
6482 case NECP_CLIENT_PARAMETER_TRAFFIC_CLASS: {
6483 if (length >= sizeof(u_int32_t)) {
6484 memcpy(&traffic_class, value, sizeof(u_int32_t));
6485 }
6486 break;
6487 }
6488 case NECP_CLIENT_PARAMETER_IP_PROTOCOL: {
6489 if (length >= sizeof(u_int16_t)) {
6490 memcpy(&protocol, value, sizeof(u_int16_t));
6491 }
6492 break;
6493 }
6494 case NECP_CLIENT_PARAMETER_BOUND_INTERFACE: {
6495 if (length <= IFXNAMSIZ && length > 0) {
6496 ifnet_t bound_interface = NULL;
6497 char interface_name[IFXNAMSIZ];
6498 memcpy(interface_name, value, length);
6499 interface_name[length - 1] = 0; // Make sure the string is NULL terminated
6500 if (ifnet_find_by_name(interface_name, &bound_interface) == 0) {
6501 bound_interface_index = bound_interface->if_index;
6502 ifnet_release(bound_interface);
6503 }
6504 }
6505 break;
6506 }
6507 case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS: {
6508 if (ignore_address) {
6509 break;
6510 }
6511
6512 if (length >= sizeof(struct necp_policy_condition_addr)) {
6513 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
6514 if (necp_address_is_valid(&address_struct->address.sa)) {
6515 memcpy(&local_addr, &address_struct->address, sizeof(address_struct->address));
6516 }
6517 }
6518 break;
6519 }
6520 case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: {
6521 if (ignore_address) {
6522 break;
6523 }
6524
6525 if (length >= sizeof(struct necp_policy_condition_addr)) {
6526 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
6527 if (necp_address_is_valid(&address_struct->address.sa)) {
6528 memcpy(&remote_addr, &address_struct->address, sizeof(address_struct->address));
6529 }
6530 }
6531 break;
6532 }
6533 case NECP_CLIENT_PARAMETER_FLAGS: {
6534 if (length >= sizeof(client_flags)) {
6535 memcpy(&client_flags, value, sizeof(client_flags));
6536 }
6537 break;
6538 }
6539 case NECP_CLIENT_PARAMETER_REQUIRE_AGENT_TYPE: {
6540 if (num_required_agent_types >= NECP_MAX_REQUIRED_AGENTS) {
6541 break;
6542 }
6543 if (length >= sizeof(struct necp_client_parameter_netagent_type)) {
6544 memcpy(&required_agent_types[num_required_agent_types], value, sizeof(struct necp_client_parameter_netagent_type));
6545 num_required_agent_types++;
6546 }
6547 break;
6548 }
6549 default: {
6550 break;
6551 }
6552 }
6553 }
6554 }
6555
6556 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
6557 }
6558
6559 // Lock
6560 lck_rw_lock_shared(&necp_kernel_policy_lock);
6561
6562 necp_application_fillout_info_locked(application_uuid, real_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, proc, &info);
6563 matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, &route_rule_id, &service_action, &service, netagent_ids, netagent_use_flags, NECP_MAX_NETAGENTS, required_agent_types, num_required_agent_types, proc, NULL);
6564 if (matched_policy) {
6565 returned_result->policy_id = matched_policy->id;
6566 returned_result->routing_result = matched_policy->result;
6567 memcpy(&returned_result->routing_result_parameter, &matched_policy->result_parameter, sizeof(returned_result->routing_result_parameter));
6568 } else if (necp_drop_all_order > 0) {
6569 // Mark socket as a drop if drop_all is set
6570 returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
6571 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6572 } else {
6573 returned_result->policy_id = 0;
6574 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
6575 }
6576 returned_result->filter_control_unit = filter_control_unit;
6577 returned_result->service_action = service_action;
6578
6579 // Handle trigger service
6580 if (service.identifier != 0) {
6581 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(service.identifier);
6582 if (mapping != NULL) {
6583 struct necp_service_registration *service_registration = NULL;
6584 uuid_copy(returned_result->service_uuid, mapping->uuid);
6585 returned_result->service_data = service.data;
6586 if (service.identifier == NECP_NULL_SERVICE_ID) {
6587 // NULL service is always 'registered'
6588 returned_result->service_flags |= NECP_SERVICE_FLAGS_REGISTERED;
6589 } else {
6590 LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
6591 if (service.identifier == service_registration->service_id) {
6592 returned_result->service_flags |= NECP_SERVICE_FLAGS_REGISTERED;
6593 break;
6594 }
6595 }
6596 }
6597 }
6598 }
6599
6600 // Handle netagents
6601 for (netagent_cursor = 0; netagent_cursor < NECP_MAX_NETAGENTS; netagent_cursor++) {
6602 struct necp_uuid_id_mapping *mapping = NULL;
6603 u_int32_t netagent_id = netagent_ids[netagent_cursor];
6604 if (netagent_id == 0) {
6605 break;
6606 }
6607 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
6608 if (mapping != NULL) {
6609 uuid_copy(returned_result->netagents[netagent_cursor], mapping->uuid);
6610 returned_result->netagent_use_flags[netagent_cursor] = netagent_use_flags[netagent_cursor];
6611 }
6612 }
6613
6614 // Do routing evaluation
6615 u_int output_bound_interface = bound_interface_index;
6616 if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
6617 output_bound_interface = returned_result->routing_result_parameter.scoped_interface_index;
6618 } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
6619 output_bound_interface = returned_result->routing_result_parameter.tunnel_interface_index;
6620 } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
6621 output_bound_interface = necp_get_primary_direct_interface_index();
6622 if (output_bound_interface == IFSCOPE_NONE) {
6623 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6624 } else {
6625 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED;
6626 returned_result->routing_result_parameter.scoped_interface_index = output_bound_interface;
6627 }
6628 }
6629
6630 if (local_addr.sa.sa_len == 0 ||
6631 (local_addr.sa.sa_family == AF_INET && local_addr.sin.sin_addr.s_addr == 0) ||
6632 (local_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&local_addr.sin6.sin6_addr))) {
6633 no_local_addr = TRUE;
6634 }
6635
6636 if (remote_addr.sa.sa_len == 0 ||
6637 (remote_addr.sa.sa_family == AF_INET && remote_addr.sin.sin_addr.s_addr == 0) ||
6638 (remote_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr.sin6.sin6_addr))) {
6639 no_remote_addr = TRUE;
6640 remote_family = remote_addr.sa.sa_family;
6641 }
6642
6643 returned_result->routed_interface_index = 0;
6644 struct rtentry *rt = NULL;
6645 if (!no_local_addr && (client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) != 0) {
6646 // Treat the output bound interface as the routed interface for local address
6647 // validation later.
6648 returned_result->routed_interface_index = output_bound_interface;
6649 } else {
6650 if (no_remote_addr) {
6651 memset(&remote_addr, 0, sizeof(remote_addr));
6652 if (remote_family == AF_INET6) {
6653 // Reset address to ::
6654 remote_addr.sa.sa_family = AF_INET6;
6655 remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
6656 } else {
6657 // Reset address to 0.0.0.0
6658 remote_addr.sa.sa_family = AF_INET;
6659 remote_addr.sa.sa_len = sizeof(struct sockaddr_in);
6660 }
6661 }
6662
6663 rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
6664 output_bound_interface);
6665
6666 if (remote_addr.sa.sa_family == AF_INET && rt != NULL &&
6667 IS_INTF_CLAT46(rt->rt_ifp)) {
6668 rtfree(rt);
6669 rt = NULL;
6670 returned_result->routed_interface_index = 0;
6671 }
6672
6673 if (no_remote_addr && remote_family == 0 &&
6674 (rt == NULL || rt->rt_ifp == NULL)) {
6675 // Route lookup for default IPv4 failed, try IPv6
6676
6677 // Cleanup old route if necessary
6678 if (rt != NULL) {
6679 rtfree(rt);
6680 rt = NULL;
6681 }
6682
6683 // Reset address to ::
6684 memset(&remote_addr, 0, sizeof(remote_addr));
6685 remote_addr.sa.sa_family = AF_INET6;
6686 remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
6687
6688 // Get route
6689 rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
6690 output_bound_interface);
6691 }
6692
6693 if (rt != NULL &&
6694 rt->rt_ifp != NULL) {
6695 returned_result->routed_interface_index = rt->rt_ifp->if_index;
6696 /*
6697 * For local addresses, we allow the interface scope to be
6698 * either the loopback interface or the interface hosting the
6699 * local address.
6700 */
6701 if (bound_interface_index != IFSCOPE_NONE &&
6702 rt->rt_ifa != NULL && rt->rt_ifa->ifa_ifp &&
6703 (output_bound_interface == lo_ifp->if_index ||
6704 rt->rt_ifp->if_index == lo_ifp->if_index ||
6705 rt->rt_ifa->ifa_ifp->if_index == bound_interface_index)) {
6706 struct sockaddr_storage dst;
6707 unsigned int ifscope = bound_interface_index;
6708
6709 /*
6710 * Transform dst into the internal routing table form
6711 */
6712 (void) sa_copy((struct sockaddr *)&remote_addr,
6713 &dst, &ifscope);
6714
6715 if ((rt->rt_ifp->if_index == lo_ifp->if_index) ||
6716 rt_ifa_is_dst((struct sockaddr *)&dst, rt->rt_ifa))
6717 returned_result->routed_interface_index =
6718 bound_interface_index;
6719 }
6720 }
6721 }
6722
6723 if (returned_result->routed_interface_index != 0 &&
6724 returned_result->routed_interface_index != lo_ifp->if_index && // Loopback can accept any local address
6725 !no_local_addr) {
6726
6727 // Transform local_addr into the ifaddr form
6728 // IPv6 Scope IDs are always embedded in the ifaddr list
6729 struct sockaddr_storage local_address_sanitized;
6730 u_int ifscope = IFSCOPE_NONE;
6731 (void)sa_copy(&local_addr.sa, &local_address_sanitized, &ifscope);
6732 SIN(&local_address_sanitized)->sin_port = 0;
6733 if (local_address_sanitized.ss_family == AF_INET6) {
6734 SIN6(&local_address_sanitized)->sin6_scope_id = 0;
6735 }
6736
6737 // Validate local address on routed interface
6738 struct ifaddr *ifa = ifa_ifwithaddr_scoped((struct sockaddr *)&local_address_sanitized, returned_result->routed_interface_index);
6739 if (ifa == NULL) {
6740 // Interface address not found, reject route
6741 returned_result->routed_interface_index = 0;
6742 if (rt != NULL) {
6743 rtfree(rt);
6744 rt = NULL;
6745 }
6746 } else {
6747 ifaddr_release(ifa);
6748 ifa = NULL;
6749 }
6750 }
6751
6752 if (flags != NULL) {
6753 if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) == 0) {
6754 // Check for local/direct
6755 bool is_local = FALSE;
6756 if (rt != NULL && (rt->rt_flags & RTF_LOCAL)) {
6757 is_local = TRUE;
6758 } else if (returned_result->routed_interface_index != 0 &&
6759 !no_remote_addr) {
6760 // Clean up the address before comparison with interface addresses
6761
6762 // Transform remote_addr into the ifaddr form
6763 // IPv6 Scope IDs are always embedded in the ifaddr list
6764 struct sockaddr_storage remote_address_sanitized;
6765 u_int ifscope = IFSCOPE_NONE;
6766 (void)sa_copy(&remote_addr.sa, &remote_address_sanitized, &ifscope);
6767 SIN(&remote_address_sanitized)->sin_port = 0;
6768 if (remote_address_sanitized.ss_family == AF_INET6) {
6769 SIN6(&remote_address_sanitized)->sin6_scope_id = 0;
6770 }
6771
6772 // Check if remote address is an interface address
6773 struct ifaddr *ifa = ifa_ifwithaddr((struct sockaddr *)&remote_address_sanitized);
6774 if (ifa != NULL && ifa->ifa_ifp != NULL) {
6775 u_int if_index_for_remote_addr = ifa->ifa_ifp->if_index;
6776 if (if_index_for_remote_addr == returned_result->routed_interface_index ||
6777 if_index_for_remote_addr == lo_ifp->if_index) {
6778 is_local = TRUE;
6779 }
6780 }
6781 if (ifa != NULL) {
6782 ifaddr_release(ifa);
6783 ifa = NULL;
6784 }
6785 }
6786
6787 if (is_local) {
6788 *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
6789 } else {
6790 if (rt != NULL &&
6791 !(rt->rt_flags & RTF_GATEWAY) &&
6792 (rt->rt_ifa && rt->rt_ifa->ifa_ifp && !(rt->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT))) {
6793 // Route is directly accessible
6794 *flags |= NECP_CLIENT_RESULT_FLAG_IS_DIRECT;
6795 }
6796 }
6797
6798 if (rt != NULL &&
6799 rt->rt_ifp != NULL) {
6800 // Check probe status
6801 if (rt->rt_ifp->if_eflags & IFEF_PROBE_CONNECTIVITY) {
6802 *flags |= NECP_CLIENT_RESULT_FLAG_PROBE_CONNECTIVITY;
6803 }
6804
6805 if (rt->rt_ifp->if_type == IFT_CELLULAR) {
6806 struct if_cellular_status_v1 *ifsr;
6807
6808 ifnet_lock_shared(rt->rt_ifp);
6809 lck_rw_lock_exclusive(&rt->rt_ifp->if_link_status_lock);
6810
6811 if (rt->rt_ifp->if_link_status != NULL) {
6812 ifsr = &rt->rt_ifp->if_link_status->ifsr_u.ifsr_cell.if_cell_u.if_status_v1;
6813
6814 if (ifsr->valid_bitmask & IF_CELL_UL_MSS_RECOMMENDED_VALID) {
6815 if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_NONE) {
6816 returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_NONE;
6817 } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_MEDIUM) {
6818 returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_MEDIUM;
6819 } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_LOW) {
6820 returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_LOW;
6821 }
6822 }
6823 }
6824 lck_rw_done(&rt->rt_ifp->if_link_status_lock);
6825 ifnet_lock_done(rt->rt_ifp);
6826 }
6827
6828 // Check link quality
6829 if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_DISCRETIONARY) &&
6830 (rt->rt_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
6831 rt->rt_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
6832 *flags |= NECP_CLIENT_RESULT_FLAG_LINK_QUALITY_ABORT;
6833 }
6834
6835 // Check QoS marking (fastlane)
6836 if (necp_update_qos_marking(rt->rt_ifp, route_rule_id)) {
6837 *flags |= NECP_CLIENT_RESULT_FLAG_ALLOW_QOS_MARKING;
6838 }
6839
6840 if (IFNET_IS_LOW_POWER(rt->rt_ifp)) {
6841 *flags |= NECP_CLIENT_RESULT_FLAG_INTERFACE_LOW_POWER;
6842 }
6843 }
6844 }
6845
6846 if (returned_result->routed_interface_index != 0) {
6847 union necp_sockaddr_union default_address;
6848 struct rtentry *v4Route = NULL;
6849 struct rtentry *v6Route = NULL;
6850
6851 memset(&default_address, 0, sizeof(default_address));
6852
6853 // Reset address to 0.0.0.0
6854 default_address.sa.sa_family = AF_INET;
6855 default_address.sa.sa_len = sizeof(struct sockaddr_in);
6856 v4Route = rtalloc1_scoped((struct sockaddr *)&default_address, 0, 0,
6857 returned_result->routed_interface_index);
6858
6859 // Reset address to ::
6860 default_address.sa.sa_family = AF_INET6;
6861 default_address.sa.sa_len = sizeof(struct sockaddr_in6);
6862 v6Route = rtalloc1_scoped((struct sockaddr *)&default_address, 0, 0,
6863 returned_result->routed_interface_index);
6864
6865 if (v4Route != NULL) {
6866 if (v4Route->rt_ifp != NULL && !IS_INTF_CLAT46(v4Route->rt_ifp)) {
6867 *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV4;
6868 }
6869 rtfree(v4Route);
6870 v4Route = NULL;
6871 }
6872
6873 if (v6Route != NULL) {
6874 if (v6Route->rt_ifp != NULL) {
6875 *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV6;
6876
6877 if (ifnet_get_nat64prefix(v6Route->rt_ifp, NULL) == 0) {
6878 *flags |= NECP_CLIENT_RESULT_FLAG_HAS_NAT64;
6879 }
6880 }
6881 rtfree(v6Route);
6882 v6Route = NULL;
6883 }
6884 }
6885 }
6886
6887 u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
6888 bool route_is_allowed = necp_route_is_allowed(rt, NULL, route_rule_id, &interface_type_denied);
6889 if (!route_is_allowed) {
6890 // If the route is blocked, treat the lookup as a drop
6891 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6892 memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
6893
6894 if (interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
6895 necp_send_application_interface_denied_event(pid, application_uuid, interface_type_denied);
6896 }
6897 }
6898
6899 if (rt != NULL) {
6900 if (returned_route != NULL) {
6901 *returned_route = rt;
6902 } else {
6903 rtfree(rt);
6904 }
6905 rt = NULL;
6906 }
6907 // Unlock
6908 lck_rw_done(&necp_kernel_policy_lock);
6909
6910 return (error);
6911 }
6912
6913 static bool
6914 necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, proc_t proc)
6915 {
6916 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
6917 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
6918 u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_bound_interface->if_index : 0;
6919 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
6920 if (bound_interface_index == cond_bound_interface_index) {
6921 // No match, matches forbidden interface
6922 return (FALSE);
6923 }
6924 } else {
6925 if (bound_interface_index != cond_bound_interface_index) {
6926 // No match, does not match required interface
6927 return (FALSE);
6928 }
6929 }
6930 } else {
6931 if (bound_interface_index != 0) {
6932 // No match, requires a non-bound packet
6933 return (FALSE);
6934 }
6935 }
6936 }
6937
6938 if (kernel_policy->condition_mask == 0) {
6939 return (TRUE);
6940 }
6941
6942 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
6943 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
6944 if (app_id == kernel_policy->cond_app_id) {
6945 // No match, matches forbidden application
6946 return (FALSE);
6947 }
6948 } else {
6949 if (app_id != kernel_policy->cond_app_id) {
6950 // No match, does not match required application
6951 return (FALSE);
6952 }
6953 }
6954 }
6955
6956 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
6957 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
6958 if (real_app_id == kernel_policy->cond_real_app_id) {
6959 // No match, matches forbidden application
6960 return (FALSE);
6961 }
6962 } else {
6963 if (real_app_id != kernel_policy->cond_real_app_id) {
6964 // No match, does not match required application
6965 return (FALSE);
6966 }
6967 }
6968 }
6969
6970 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
6971 if (cred_result != 0) {
6972 // Process is missing entitlement
6973 return (FALSE);
6974 }
6975 }
6976
6977 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
6978 if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_false) {
6979 // Process is missing entitlement based on previous check
6980 return (FALSE);
6981 } else if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_unknown) {
6982 if (kernel_policy->cond_custom_entitlement != NULL) {
6983 if (proc == NULL) {
6984 // No process found, cannot check entitlement
6985 return (FALSE);
6986 }
6987 task_t task = proc_task(proc);
6988 if (task == NULL ||
6989 !IOTaskHasEntitlement(task, kernel_policy->cond_custom_entitlement)) {
6990 // Process is missing custom entitlement
6991 kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_false;
6992 return (FALSE);
6993 } else {
6994 kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_true;
6995 }
6996 }
6997 }
6998 }
6999
7000 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
7001 bool domain_matches = necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy->cond_domain_dot_count);
7002 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) {
7003 if (domain_matches) {
7004 // No match, matches forbidden domain
7005 return (FALSE);
7006 }
7007 } else {
7008 if (!domain_matches) {
7009 // No match, does not match required domain
7010 return (FALSE);
7011 }
7012 }
7013 }
7014
7015 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
7016 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
7017 if (account_id == kernel_policy->cond_account_id) {
7018 // No match, matches forbidden account
7019 return (FALSE);
7020 }
7021 } else {
7022 if (account_id != kernel_policy->cond_account_id) {
7023 // No match, does not match required account
7024 return (FALSE);
7025 }
7026 }
7027 }
7028
7029 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID) {
7030 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) {
7031 if (pid == kernel_policy->cond_pid) {
7032 // No match, matches forbidden pid
7033 return (FALSE);
7034 }
7035 } else {
7036 if (pid != kernel_policy->cond_pid) {
7037 // No match, does not match required pid
7038 return (FALSE);
7039 }
7040 }
7041 }
7042
7043 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_UID) {
7044 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) {
7045 if (uid == kernel_policy->cond_uid) {
7046 // No match, matches forbidden uid
7047 return (FALSE);
7048 }
7049 } else {
7050 if (uid != kernel_policy->cond_uid) {
7051 // No match, does not match required uid
7052 return (FALSE);
7053 }
7054 }
7055 }
7056
7057 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
7058 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
7059 if (traffic_class >= kernel_policy->cond_traffic_class.start_tc &&
7060 traffic_class <= kernel_policy->cond_traffic_class.end_tc) {
7061 // No match, matches forbidden traffic class
7062 return (FALSE);
7063 }
7064 } else {
7065 if (traffic_class < kernel_policy->cond_traffic_class.start_tc ||
7066 traffic_class > kernel_policy->cond_traffic_class.end_tc) {
7067 // No match, does not match required traffic class
7068 return (FALSE);
7069 }
7070 }
7071 }
7072
7073 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7074 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7075 if (protocol == kernel_policy->cond_protocol) {
7076 // No match, matches forbidden protocol
7077 return (FALSE);
7078 }
7079 } else {
7080 if (protocol != kernel_policy->cond_protocol) {
7081 // No match, does not match required protocol
7082 return (FALSE);
7083 }
7084 }
7085 }
7086
7087 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
7088 bool matches_agent_type = FALSE;
7089 for (u_int32_t i = 0; i < num_required_agent_types; i++) {
7090 struct necp_client_parameter_netagent_type *required_agent_type = &required_agent_types[i];
7091 if ((strlen(kernel_policy->cond_agent_type.agent_domain) == 0 ||
7092 strncmp(required_agent_type->netagent_domain, kernel_policy->cond_agent_type.agent_domain, NETAGENT_DOMAINSIZE) == 0) &&
7093 (strlen(kernel_policy->cond_agent_type.agent_type) == 0 ||
7094 strncmp(required_agent_type->netagent_type, kernel_policy->cond_agent_type.agent_type, NETAGENT_TYPESIZE) == 0)) {
7095 // Found a required agent that matches
7096 matches_agent_type = TRUE;
7097 break;
7098 }
7099 }
7100 if (!matches_agent_type) {
7101 return (FALSE);
7102 }
7103 }
7104
7105 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
7106 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7107 bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
7108 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7109 if (inRange) {
7110 return (FALSE);
7111 }
7112 } else {
7113 if (!inRange) {
7114 return (FALSE);
7115 }
7116 }
7117 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7118 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
7119 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7120 if (inSubnet) {
7121 return (FALSE);
7122 }
7123 } else {
7124 if (!inSubnet) {
7125 return (FALSE);
7126 }
7127 }
7128 }
7129 }
7130
7131 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
7132 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7133 bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
7134 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7135 if (inRange) {
7136 return (FALSE);
7137 }
7138 } else {
7139 if (!inRange) {
7140 return (FALSE);
7141 }
7142 }
7143 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7144 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
7145 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7146 if (inSubnet) {
7147 return (FALSE);
7148 }
7149 } else {
7150 if (!inSubnet) {
7151 return (FALSE);
7152 }
7153 }
7154 }
7155 }
7156
7157 return (TRUE);
7158 }
7159
7160 static inline u_int32_t
7161 necp_socket_calc_flowhash_locked(struct necp_socket_info *info)
7162 {
7163 return (net_flowhash(info, sizeof(*info), necp_kernel_socket_policies_gencount));
7164 }
7165
7166 static void
7167 necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface, struct necp_socket_info *info)
7168 {
7169 struct socket *so = NULL;
7170
7171 memset(info, 0, sizeof(struct necp_socket_info));
7172
7173 so = inp->inp_socket;
7174
7175 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PID) {
7176 info->pid = ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid);
7177 }
7178
7179 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_UID) {
7180 info->uid = kauth_cred_getuid(so->so_cred);
7181 }
7182
7183 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
7184 info->traffic_class = so->so_traffic_class;
7185 }
7186
7187 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7188 if (inp->inp_ip_p) {
7189 info->protocol = inp->inp_ip_p;
7190 } else {
7191 info->protocol = SOCK_PROTO(so);
7192 }
7193 }
7194
7195 if (inp->inp_flags2 & INP2_WANT_APP_POLICY && necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
7196 struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid));
7197 if (existing_mapping) {
7198 info->application_id = existing_mapping->id;
7199 }
7200
7201 if (!(so->so_flags & SOF_DELEGATED)) {
7202 info->real_application_id = info->application_id;
7203 } else if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
7204 struct necp_uuid_id_mapping *real_existing_mapping = necp_uuid_lookup_app_id_locked(so->last_uuid);
7205 if (real_existing_mapping) {
7206 info->real_application_id = real_existing_mapping->id;
7207 }
7208 }
7209
7210 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
7211 info->cred_result = priv_check_cred(so->so_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
7212 if (info->cred_result != 0) {
7213 // Process does not have entitlement, check the parent process
7214 necp_get_parent_cred_result(NULL, info);
7215 }
7216 }
7217 }
7218
7219 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && inp->inp_necp_attributes.inp_account != NULL) {
7220 struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, inp->inp_necp_attributes.inp_account);
7221 if (existing_mapping) {
7222 info->account_id = existing_mapping->id;
7223 }
7224 }
7225
7226 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
7227 info->domain = inp->inp_necp_attributes.inp_domain;
7228 }
7229
7230 if (override_bound_interface) {
7231 info->bound_interface_index = override_bound_interface;
7232 } else {
7233 if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp) {
7234 info->bound_interface_index = inp->inp_boundifp->if_index;
7235 }
7236 }
7237
7238 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
7239 if (inp->inp_vflag & INP_IPV4) {
7240 if (override_local_addr) {
7241 if (override_local_addr->sa_len <= sizeof(struct sockaddr_in)) {
7242 memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
7243 }
7244 } else {
7245 ((struct sockaddr_in *)&info->local_addr)->sin_family = AF_INET;
7246 ((struct sockaddr_in *)&info->local_addr)->sin_len = sizeof(struct sockaddr_in);
7247 ((struct sockaddr_in *)&info->local_addr)->sin_port = inp->inp_lport;
7248 memcpy(&((struct sockaddr_in *)&info->local_addr)->sin_addr, &inp->inp_laddr, sizeof(struct in_addr));
7249 }
7250
7251 if (override_remote_addr) {
7252 if (override_remote_addr->sa_len <= sizeof(struct sockaddr_in)) {
7253 memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
7254 }
7255 } else {
7256 ((struct sockaddr_in *)&info->remote_addr)->sin_family = AF_INET;
7257 ((struct sockaddr_in *)&info->remote_addr)->sin_len = sizeof(struct sockaddr_in);
7258 ((struct sockaddr_in *)&info->remote_addr)->sin_port = inp->inp_fport;
7259 memcpy(&((struct sockaddr_in *)&info->remote_addr)->sin_addr, &inp->inp_faddr, sizeof(struct in_addr));
7260 }
7261 } else if (inp->inp_vflag & INP_IPV6) {
7262 if (override_local_addr) {
7263 if (override_local_addr->sa_len <= sizeof(struct sockaddr_in6)) {
7264 memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
7265 }
7266 } else {
7267 ((struct sockaddr_in6 *)&info->local_addr)->sin6_family = AF_INET6;
7268 ((struct sockaddr_in6 *)&info->local_addr)->sin6_len = sizeof(struct sockaddr_in6);
7269 ((struct sockaddr_in6 *)&info->local_addr)->sin6_port = inp->inp_lport;
7270 memcpy(&((struct sockaddr_in6 *)&info->local_addr)->sin6_addr, &inp->in6p_laddr, sizeof(struct in6_addr));
7271 }
7272
7273 if (override_remote_addr) {
7274 if (override_remote_addr->sa_len <= sizeof(struct sockaddr_in6)) {
7275 memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
7276 }
7277 } else {
7278 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_family = AF_INET6;
7279 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
7280 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_port = inp->inp_fport;
7281 memcpy(&((struct sockaddr_in6 *)&info->remote_addr)->sin6_addr, &inp->in6p_faddr, sizeof(struct in6_addr));
7282 }
7283 }
7284 }
7285 }
7286
7287 static inline struct necp_kernel_socket_policy *
7288 necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info,
7289 necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id,
7290 necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service,
7291 u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count,
7292 struct necp_client_parameter_netagent_type *required_agent_types,
7293 u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id)
7294 {
7295 struct necp_kernel_socket_policy *matched_policy = NULL;
7296 u_int32_t skip_order = 0;
7297 u_int32_t skip_session_order = 0;
7298 u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
7299 size_t route_rule_id_count = 0;
7300 int i;
7301 size_t netagent_cursor = 0;
7302
7303 // Pre-process domain for quick matching
7304 struct substring domain_substring = necp_trim_dots_and_stars(info->domain, info->domain ? strlen(info->domain) : 0);
7305 u_int8_t domain_dot_count = necp_count_dots(domain_substring.string, domain_substring.length);
7306
7307 if (return_filter) {
7308 *return_filter = 0;
7309 }
7310
7311 if (return_route_rule_id) {
7312 *return_route_rule_id = 0;
7313 }
7314
7315 if (return_service_action) {
7316 *return_service_action = 0;
7317 }
7318
7319 if (return_service) {
7320 return_service->identifier = 0;
7321 return_service->data = 0;
7322 }
7323
7324 if (policy_search_array != NULL) {
7325 for (i = 0; policy_search_array[i] != NULL; i++) {
7326 if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
7327 // We've hit a drop all rule
7328 break;
7329 }
7330 if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
7331 // Done skipping
7332 skip_order = 0;
7333 skip_session_order = 0;
7334 }
7335 if (skip_order) {
7336 if (policy_search_array[i]->order < skip_order) {
7337 // Skip this policy
7338 continue;
7339 } else {
7340 // Done skipping
7341 skip_order = 0;
7342 skip_session_order = 0;
7343 }
7344 } else if (skip_session_order) {
7345 // Skip this policy
7346 continue;
7347 }
7348 if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr, required_agent_types, num_required_agent_types, proc)) {
7349 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
7350 if (return_filter && *return_filter == 0) {
7351 *return_filter = policy_search_array[i]->result_parameter.filter_control_unit;
7352 if (necp_debug > 1) {
7353 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Filter %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.filter_control_unit);
7354 }
7355 }
7356 continue;
7357 } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
7358 if (return_route_rule_id && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
7359 route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
7360 if (necp_debug > 1) {
7361 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Route Rule %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.route_rule_id);
7362 }
7363 }
7364 continue;
7365 } else if (necp_kernel_socket_result_is_trigger_service_type(policy_search_array[i])) {
7366 if (return_service_action && *return_service_action == 0) {
7367 *return_service_action = policy_search_array[i]->result;
7368 if (necp_debug > 1) {
7369 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Service Action %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result);
7370 }
7371 }
7372 if (return_service && return_service->identifier == 0) {
7373 return_service->identifier = policy_search_array[i]->result_parameter.service.identifier;
7374 return_service->data = policy_search_array[i]->result_parameter.service.data;
7375 if (necp_debug > 1) {
7376 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Service ID %d Data %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.service.identifier, policy_search_array[i]->result_parameter.service.data);
7377 }
7378 }
7379 continue;
7380 } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
7381 policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
7382 if (return_netagent_array != NULL &&
7383 netagent_cursor < netagent_array_count) {
7384 return_netagent_array[netagent_cursor] = policy_search_array[i]->result_parameter.netagent_id;
7385 if (return_netagent_use_flags_array != NULL &&
7386 policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
7387 return_netagent_use_flags_array[netagent_cursor] |= NECP_AGENT_USE_FLAG_SCOPE;
7388 }
7389 netagent_cursor++;
7390 if (necp_debug > 1) {
7391 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) %s Netagent %d",
7392 info->application_id, info->real_application_id, info->bound_interface_index, info->protocol,
7393 policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ? "Use" : "Scope",
7394 policy_search_array[i]->result_parameter.netagent_id);
7395 }
7396 }
7397 continue;
7398 }
7399
7400 // Matched policy is a skip. Do skip and continue.
7401 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
7402 skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
7403 skip_session_order = policy_search_array[i]->session_order + 1;
7404 if (skip_policy_id) {
7405 *skip_policy_id = policy_search_array[i]->id;
7406 }
7407 continue;
7408 }
7409
7410 // Passed all tests, found a match
7411 matched_policy = policy_search_array[i];
7412 break;
7413 }
7414 }
7415 }
7416
7417 if (route_rule_id_count == 1) {
7418 *return_route_rule_id = route_rule_id_array[0];
7419 } else if (route_rule_id_count > 1) {
7420 *return_route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
7421 }
7422 return (matched_policy);
7423 }
7424
7425 static bool
7426 necp_socket_uses_interface(struct inpcb *inp, u_int32_t interface_index)
7427 {
7428 bool found_match = FALSE;
7429 errno_t result = 0;
7430 ifaddr_t *addresses = NULL;
7431 union necp_sockaddr_union address_storage;
7432 int i;
7433 int family = AF_INET;
7434 ifnet_t interface = ifindex2ifnet[interface_index];
7435
7436 if (inp == NULL || interface == NULL) {
7437 return (FALSE);
7438 }
7439
7440 if (inp->inp_vflag & INP_IPV4) {
7441 family = AF_INET;
7442 } else if (inp->inp_vflag & INP_IPV6) {
7443 family = AF_INET6;
7444 }
7445
7446 result = ifnet_get_address_list_family(interface, &addresses, family);
7447 if (result != 0) {
7448 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
7449 return (FALSE);
7450 }
7451
7452 for (i = 0; addresses[i] != NULL; i++) {
7453 if (ifaddr_address(addresses[i], &address_storage.sa, sizeof(address_storage)) == 0) {
7454 if (family == AF_INET) {
7455 if (memcmp(&address_storage.sin.sin_addr, &inp->inp_laddr, sizeof(inp->inp_laddr)) == 0) {
7456 found_match = TRUE;
7457 goto done;
7458 }
7459 } else if (family == AF_INET6) {
7460 if (memcmp(&address_storage.sin6.sin6_addr, &inp->in6p_laddr, sizeof(inp->in6p_laddr)) == 0) {
7461 found_match = TRUE;
7462 goto done;
7463 }
7464 }
7465 }
7466 }
7467
7468 done:
7469 ifnet_free_address_list(addresses);
7470 addresses = NULL;
7471 return (found_match);
7472 }
7473
7474 static inline bool
7475 necp_socket_is_connected(struct inpcb *inp)
7476 {
7477 return (inp->inp_socket->so_state & (SS_ISCONNECTING | SS_ISCONNECTED | SS_ISDISCONNECTING));
7478 }
7479
7480 static inline bool
7481 necp_socket_bypass(struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, struct inpcb *inp)
7482 {
7483
7484 if (necp_pass_loopback > 0 && necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL)) {
7485 return (true);
7486 } else if (necp_is_intcoproc(inp, NULL)) {
7487 return (true);
7488 }
7489
7490 return (false);
7491 }
7492
7493 necp_kernel_policy_id
7494 necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface)
7495 {
7496 struct socket *so = NULL;
7497 necp_kernel_policy_filter filter_control_unit = 0;
7498 u_int32_t route_rule_id = 0;
7499 struct necp_kernel_socket_policy *matched_policy = NULL;
7500 necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
7501 necp_kernel_policy_result service_action = 0;
7502 necp_kernel_policy_service service = { 0, 0 };
7503
7504 u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
7505 memset(&netagent_ids, 0, sizeof(netagent_ids));
7506 int netagent_cursor;
7507
7508 struct necp_socket_info info;
7509
7510 if (inp == NULL) {
7511 return (NECP_KERNEL_POLICY_ID_NONE);
7512 }
7513
7514 // Ignore invalid addresses
7515 if (override_local_addr != NULL &&
7516 !necp_address_is_valid(override_local_addr)) {
7517 override_local_addr = NULL;
7518 }
7519 if (override_remote_addr != NULL &&
7520 !necp_address_is_valid(override_remote_addr)) {
7521 override_remote_addr = NULL;
7522 }
7523
7524 so = inp->inp_socket;
7525
7526 // Don't lock. Possible race condition, but we don't want the performance hit.
7527 if (necp_kernel_socket_policies_count == 0 ||
7528 (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
7529 if (necp_drop_all_order > 0) {
7530 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7531 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7532 inp->inp_policyresult.policy_gencount = 0;
7533 inp->inp_policyresult.app_id = 0;
7534 inp->inp_policyresult.flowhash = 0;
7535 inp->inp_policyresult.results.filter_control_unit = 0;
7536 inp->inp_policyresult.results.route_rule_id = 0;
7537 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
7538 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
7539 } else {
7540 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7541 }
7542 }
7543 return (NECP_KERNEL_POLICY_ID_NONE);
7544 }
7545
7546 // Check for loopback exception
7547 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
7548 // Mark socket as a pass
7549 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7550 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7551 inp->inp_policyresult.policy_gencount = 0;
7552 inp->inp_policyresult.app_id = 0;
7553 inp->inp_policyresult.flowhash = 0;
7554 inp->inp_policyresult.results.filter_control_unit = 0;
7555 inp->inp_policyresult.results.route_rule_id = 0;
7556 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
7557 return (NECP_KERNEL_POLICY_ID_NONE);
7558 }
7559
7560 // Lock
7561 lck_rw_lock_shared(&necp_kernel_policy_lock);
7562
7563 necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, &info);
7564 inp->inp_policyresult.app_id = info.application_id;
7565
7566 // Check info
7567 u_int32_t flowhash = necp_socket_calc_flowhash_locked(&info);
7568 if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
7569 inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
7570 inp->inp_policyresult.flowhash == flowhash) {
7571 // If already matched this socket on this generation of table, skip
7572
7573 // Unlock
7574 lck_rw_done(&necp_kernel_policy_lock);
7575
7576 return (inp->inp_policyresult.policy_id);
7577 }
7578
7579 // Match socket to policy
7580 necp_kernel_policy_id skip_policy_id;
7581 matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, &route_rule_id, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, current_proc(), &skip_policy_id);
7582 // If the socket matched a scoped service policy, mark as Drop if not registered.
7583 // This covers the cases in which a service is required (on demand) but hasn't started yet.
7584 if ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
7585 service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
7586 service.identifier != 0 &&
7587 service.identifier != NECP_NULL_SERVICE_ID) {
7588 bool service_is_registered = FALSE;
7589 struct necp_service_registration *service_registration = NULL;
7590 LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
7591 if (service.identifier == service_registration->service_id) {
7592 service_is_registered = TRUE;
7593 break;
7594 }
7595 }
7596 if (!service_is_registered) {
7597 // Mark socket as a drop if service is not registered
7598 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7599 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7600 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7601 inp->inp_policyresult.flowhash = flowhash;
7602 inp->inp_policyresult.results.filter_control_unit = 0;
7603 inp->inp_policyresult.results.route_rule_id = 0;
7604 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7605
7606 if (necp_debug > 1) {
7607 NECPLOG(LOG_DEBUG, "Socket Policy: (BoundInterface %d Proto %d) Dropping packet because service is not registered", info.bound_interface_index, info.protocol);
7608 }
7609
7610 // Unlock
7611 lck_rw_done(&necp_kernel_policy_lock);
7612 return (NECP_KERNEL_POLICY_ID_NONE);
7613 }
7614 }
7615 // Verify netagents
7616 for (netagent_cursor = 0; netagent_cursor < NECP_MAX_NETAGENTS; netagent_cursor++) {
7617 struct necp_uuid_id_mapping *mapping = NULL;
7618 u_int32_t netagent_id = netagent_ids[netagent_cursor];
7619 if (netagent_id == 0) {
7620 break;
7621 }
7622 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
7623 if (mapping != NULL) {
7624 u_int32_t agent_flags = 0;
7625 agent_flags = netagent_get_flags(mapping->uuid);
7626 if (agent_flags & NETAGENT_FLAG_REGISTERED) {
7627 if (agent_flags & NETAGENT_FLAG_ACTIVE) {
7628 continue;
7629 } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
7630 if (agent_flags & NETAGENT_FLAG_KERNEL_ACTIVATED) {
7631 int trigger_error = 0;
7632 trigger_error = netagent_kernel_trigger(mapping->uuid);
7633 if (necp_debug > 1) {
7634 NECPLOG(LOG_DEBUG, "Socket Policy: Triggering inactive agent, error %d", trigger_error);
7635 }
7636 }
7637
7638 // Mark socket as a drop if required agent is not active
7639 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7640 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7641 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7642 inp->inp_policyresult.flowhash = flowhash;
7643 inp->inp_policyresult.results.filter_control_unit = 0;
7644 inp->inp_policyresult.results.route_rule_id = 0;
7645 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7646
7647 if (necp_debug > 1) {
7648 NECPLOG(LOG_DEBUG, "Socket Policy: (BoundInterface %d Proto %d) Dropping packet because agent is not active", info.bound_interface_index, info.protocol);
7649 }
7650
7651 // Unlock
7652 lck_rw_done(&necp_kernel_policy_lock);
7653 return (NECP_KERNEL_POLICY_ID_NONE);
7654 }
7655 }
7656 }
7657 }
7658 if (matched_policy) {
7659 matched_policy_id = matched_policy->id;
7660 inp->inp_policyresult.policy_id = matched_policy->id;
7661 inp->inp_policyresult.skip_policy_id = skip_policy_id;
7662 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7663 inp->inp_policyresult.flowhash = flowhash;
7664 inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
7665 inp->inp_policyresult.results.route_rule_id = route_rule_id;
7666 inp->inp_policyresult.results.result = matched_policy->result;
7667 memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
7668
7669 if (necp_socket_is_connected(inp) &&
7670 (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
7671 (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && !necp_socket_uses_interface(inp, matched_policy->result_parameter.tunnel_interface_index)))) {
7672 if (necp_debug) {
7673 NECPLOG(LOG_DEBUG, "Marking socket in state %d as defunct", so->so_state);
7674 }
7675 sosetdefunct(current_proc(), so, SHUTDOWN_SOCKET_LEVEL_NECP | SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL, TRUE);
7676 } else if (necp_socket_is_connected(inp) &&
7677 matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
7678 info.protocol == IPPROTO_TCP) {
7679 // Reset MSS on TCP socket if tunnel policy changes
7680 tcp_mtudisc(inp, 0);
7681 }
7682
7683 if (necp_debug > 1) {
7684 NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
7685 }
7686 } else if (necp_drop_all_order > 0) {
7687 // Mark socket as a drop if set
7688 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7689 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7690 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7691 inp->inp_policyresult.flowhash = flowhash;
7692 inp->inp_policyresult.results.filter_control_unit = 0;
7693 inp->inp_policyresult.results.route_rule_id = 0;
7694 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7695 } else {
7696 // Mark non-matching socket so we don't re-check it
7697 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7698 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7699 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7700 inp->inp_policyresult.flowhash = flowhash;
7701 inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
7702 inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
7703 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
7704 }
7705
7706 // Unlock
7707 lck_rw_done(&necp_kernel_policy_lock);
7708
7709 return (matched_policy_id);
7710 }
7711
7712 static bool
7713 necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote)
7714 {
7715 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
7716 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
7717 u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_bound_interface->if_index : 0;
7718 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
7719 if (bound_interface_index == cond_bound_interface_index) {
7720 // No match, matches forbidden interface
7721 return (FALSE);
7722 }
7723 } else {
7724 if (bound_interface_index != cond_bound_interface_index) {
7725 // No match, does not match required interface
7726 return (FALSE);
7727 }
7728 }
7729 } else {
7730 if (bound_interface_index != 0) {
7731 // No match, requires a non-bound packet
7732 return (FALSE);
7733 }
7734 }
7735 }
7736
7737 if (kernel_policy->condition_mask == 0) {
7738 return (TRUE);
7739 }
7740
7741 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
7742 necp_kernel_policy_id matched_policy_id =
7743 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP ? socket_skip_policy_id : socket_policy_id;
7744 if (matched_policy_id != kernel_policy->cond_policy_id) {
7745 // No match, does not match required id
7746 return (FALSE);
7747 }
7748 }
7749
7750 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
7751 if (last_interface_index != kernel_policy->cond_last_interface_index) {
7752 return (FALSE);
7753 }
7754 }
7755
7756 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7757 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7758 if (protocol == kernel_policy->cond_protocol) {
7759 // No match, matches forbidden protocol
7760 return (FALSE);
7761 }
7762 } else {
7763 if (protocol != kernel_policy->cond_protocol) {
7764 // No match, does not match required protocol
7765 return (FALSE);
7766 }
7767 }
7768 }
7769
7770 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
7771 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7772 bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
7773 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7774 if (inRange) {
7775 return (FALSE);
7776 }
7777 } else {
7778 if (!inRange) {
7779 return (FALSE);
7780 }
7781 }
7782 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7783 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
7784 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7785 if (inSubnet) {
7786 return (FALSE);
7787 }
7788 } else {
7789 if (!inSubnet) {
7790 return (FALSE);
7791 }
7792 }
7793 }
7794 }
7795
7796 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
7797 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7798 bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
7799 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7800 if (inRange) {
7801 return (FALSE);
7802 }
7803 } else {
7804 if (!inRange) {
7805 return (FALSE);
7806 }
7807 }
7808 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7809 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
7810 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7811 if (inSubnet) {
7812 return (FALSE);
7813 }
7814 } else {
7815 if (!inSubnet) {
7816 return (FALSE);
7817 }
7818 }
7819 }
7820 }
7821
7822 return (TRUE);
7823 }
7824
7825 static inline struct necp_kernel_ip_output_policy *
7826 necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr)
7827 {
7828 u_int32_t skip_order = 0;
7829 u_int32_t skip_session_order = 0;
7830 int i;
7831 struct necp_kernel_ip_output_policy *matched_policy = NULL;
7832 struct necp_kernel_ip_output_policy **policy_search_array = necp_kernel_ip_output_policies_map[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(socket_policy_id)];
7833 if (policy_search_array != NULL) {
7834 for (i = 0; policy_search_array[i] != NULL; i++) {
7835 if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
7836 // We've hit a drop all rule
7837 break;
7838 }
7839 if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
7840 // Done skipping
7841 skip_order = 0;
7842 skip_session_order = 0;
7843 }
7844 if (skip_order) {
7845 if (policy_search_array[i]->order < skip_order) {
7846 // Skip this policy
7847 continue;
7848 } else {
7849 // Done skipping
7850 skip_order = 0;
7851 skip_session_order = 0;
7852 }
7853 } else if (skip_session_order) {
7854 // Skip this policy
7855 continue;
7856 }
7857 if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr)) {
7858 // Passed all tests, found a match
7859 matched_policy = policy_search_array[i];
7860
7861 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
7862 skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
7863 skip_session_order = policy_search_array[i]->session_order + 1;
7864 continue;
7865 }
7866
7867 break;
7868 }
7869 }
7870 }
7871
7872 return (matched_policy);
7873 }
7874
7875 static inline bool
7876 necp_output_bypass(struct mbuf *packet)
7877 {
7878 if (necp_pass_loopback > 0 && necp_is_loopback(NULL, NULL, NULL, packet)) {
7879 return (true);
7880 }
7881 if (necp_pass_keepalives > 0 && necp_get_is_keepalive_from_packet(packet)) {
7882 return (true);
7883 }
7884 if (necp_is_intcoproc(NULL, packet)) {
7885 return (true);
7886 }
7887 return (false);
7888 }
7889
7890 necp_kernel_policy_id
7891 necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_args *ipoa, necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
7892 {
7893 struct ip *ip = NULL;
7894 int hlen = sizeof(struct ip);
7895 necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
7896 necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
7897 necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
7898 struct necp_kernel_ip_output_policy *matched_policy = NULL;
7899 u_int16_t protocol = 0;
7900 u_int32_t bound_interface_index = 0;
7901 u_int32_t last_interface_index = 0;
7902 union necp_sockaddr_union local_addr;
7903 union necp_sockaddr_union remote_addr;
7904
7905 if (result) {
7906 *result = 0;
7907 }
7908
7909 if (result_parameter) {
7910 memset(result_parameter, 0, sizeof(*result_parameter));
7911 }
7912
7913 if (packet == NULL) {
7914 return (NECP_KERNEL_POLICY_ID_NONE);
7915 }
7916
7917 socket_policy_id = necp_get_policy_id_from_packet(packet);
7918 socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
7919
7920 // Exit early for an empty list
7921 // Don't lock. Possible race condition, but we don't want the performance hit.
7922 if (necp_kernel_ip_output_policies_count == 0 ||
7923 ((socket_policy_id == NECP_KERNEL_POLICY_ID_NONE) && necp_kernel_ip_output_policies_non_id_count == 0)) {
7924 if (necp_drop_all_order > 0) {
7925 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7926 if (result) {
7927 if (necp_output_bypass(packet)) {
7928 *result = NECP_KERNEL_POLICY_RESULT_PASS;
7929 } else {
7930 *result = NECP_KERNEL_POLICY_RESULT_DROP;
7931 }
7932 }
7933 }
7934
7935 return (matched_policy_id);
7936 }
7937
7938 // Check for loopback exception
7939 if (necp_output_bypass(packet)) {
7940 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7941 if (result) {
7942 *result = NECP_KERNEL_POLICY_RESULT_PASS;
7943 }
7944 return (matched_policy_id);
7945 }
7946
7947 last_interface_index = necp_get_last_interface_index_from_packet(packet);
7948
7949 // Process packet to get relevant fields
7950 ip = mtod(packet, struct ip *);
7951 #ifdef _IP_VHL
7952 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
7953 #else
7954 hlen = ip->ip_hl << 2;
7955 #endif
7956
7957 protocol = ip->ip_p;
7958
7959 if ((flags & IP_OUTARGS) && (ipoa != NULL) &&
7960 (ipoa->ipoa_flags & IPOAF_BOUND_IF) &&
7961 ipoa->ipoa_boundif != IFSCOPE_NONE) {
7962 bound_interface_index = ipoa->ipoa_boundif;
7963 }
7964
7965 local_addr.sin.sin_family = AF_INET;
7966 local_addr.sin.sin_len = sizeof(struct sockaddr_in);
7967 memcpy(&local_addr.sin.sin_addr, &ip->ip_src, sizeof(ip->ip_src));
7968
7969 remote_addr.sin.sin_family = AF_INET;
7970 remote_addr.sin.sin_len = sizeof(struct sockaddr_in);
7971 memcpy(&((struct sockaddr_in *)&remote_addr)->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
7972
7973 switch (protocol) {
7974 case IPPROTO_TCP: {
7975 struct tcphdr th;
7976 if ((int)(hlen + sizeof(th)) <= packet->m_pkthdr.len) {
7977 m_copydata(packet, hlen, sizeof(th), (u_int8_t *)&th);
7978 ((struct sockaddr_in *)&local_addr)->sin_port = th.th_sport;
7979 ((struct sockaddr_in *)&remote_addr)->sin_port = th.th_dport;
7980 }
7981 break;
7982 }
7983 case IPPROTO_UDP: {
7984 struct udphdr uh;
7985 if ((int)(hlen + sizeof(uh)) <= packet->m_pkthdr.len) {
7986 m_copydata(packet, hlen, sizeof(uh), (u_int8_t *)&uh);
7987 ((struct sockaddr_in *)&local_addr)->sin_port = uh.uh_sport;
7988 ((struct sockaddr_in *)&remote_addr)->sin_port = uh.uh_dport;
7989 }
7990 break;
7991 }
7992 default: {
7993 ((struct sockaddr_in *)&local_addr)->sin_port = 0;
7994 ((struct sockaddr_in *)&remote_addr)->sin_port = 0;
7995 break;
7996 }
7997 }
7998
7999 // Match packet to policy
8000 lck_rw_lock_shared(&necp_kernel_policy_lock);
8001 matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr);
8002 if (matched_policy) {
8003 matched_policy_id = matched_policy->id;
8004 if (result) {
8005 *result = matched_policy->result;
8006 }
8007
8008 if (result_parameter) {
8009 memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
8010 }
8011
8012 if (necp_debug > 1) {
8013 NECPLOG(LOG_DEBUG, "IP Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
8014 }
8015 } else if (necp_drop_all_order > 0) {
8016 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8017 if (result) {
8018 *result = NECP_KERNEL_POLICY_RESULT_DROP;
8019 }
8020 }
8021
8022 lck_rw_done(&necp_kernel_policy_lock);
8023
8024 return (matched_policy_id);
8025 }
8026
8027 necp_kernel_policy_id
8028 necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out_args *ip6oa, necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
8029 {
8030 struct ip6_hdr *ip6 = NULL;
8031 int next = -1;
8032 int offset = 0;
8033 necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8034 necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8035 necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8036 struct necp_kernel_ip_output_policy *matched_policy = NULL;
8037 u_int16_t protocol = 0;
8038 u_int32_t bound_interface_index = 0;
8039 u_int32_t last_interface_index = 0;
8040 union necp_sockaddr_union local_addr;
8041 union necp_sockaddr_union remote_addr;
8042
8043 if (result) {
8044 *result = 0;
8045 }
8046
8047 if (result_parameter) {
8048 memset(result_parameter, 0, sizeof(*result_parameter));
8049 }
8050
8051 if (packet == NULL) {
8052 return (NECP_KERNEL_POLICY_ID_NONE);
8053 }
8054
8055 socket_policy_id = necp_get_policy_id_from_packet(packet);
8056 socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
8057
8058 // Exit early for an empty list
8059 // Don't lock. Possible race condition, but we don't want the performance hit.
8060 if (necp_kernel_ip_output_policies_count == 0 ||
8061 ((socket_policy_id == NECP_KERNEL_POLICY_ID_NONE) && necp_kernel_ip_output_policies_non_id_count == 0)) {
8062 if (necp_drop_all_order > 0) {
8063 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8064 if (result) {
8065 if (necp_output_bypass(packet)) {
8066 *result = NECP_KERNEL_POLICY_RESULT_PASS;
8067 } else {
8068 *result = NECP_KERNEL_POLICY_RESULT_DROP;
8069 }
8070 }
8071 }
8072
8073 return (matched_policy_id);
8074 }
8075
8076 // Check for loopback exception
8077 if (necp_output_bypass(packet)) {
8078 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8079 if (result) {
8080 *result = NECP_KERNEL_POLICY_RESULT_PASS;
8081 }
8082 return (matched_policy_id);
8083 }
8084
8085 last_interface_index = necp_get_last_interface_index_from_packet(packet);
8086
8087 // Process packet to get relevant fields
8088 ip6 = mtod(packet, struct ip6_hdr *);
8089
8090 if ((flags & IPV6_OUTARGS) && (ip6oa != NULL) &&
8091 (ip6oa->ip6oa_flags & IP6OAF_BOUND_IF) &&
8092 ip6oa->ip6oa_boundif != IFSCOPE_NONE) {
8093 bound_interface_index = ip6oa->ip6oa_boundif;
8094 }
8095
8096 ((struct sockaddr_in6 *)&local_addr)->sin6_family = AF_INET6;
8097 ((struct sockaddr_in6 *)&local_addr)->sin6_len = sizeof(struct sockaddr_in6);
8098 memcpy(&((struct sockaddr_in6 *)&local_addr)->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
8099
8100 ((struct sockaddr_in6 *)&remote_addr)->sin6_family = AF_INET6;
8101 ((struct sockaddr_in6 *)&remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
8102 memcpy(&((struct sockaddr_in6 *)&remote_addr)->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
8103
8104 offset = ip6_lasthdr(packet, 0, IPPROTO_IPV6, &next);
8105 if (offset >= 0 && packet->m_pkthdr.len >= offset) {
8106 protocol = next;
8107 switch (protocol) {
8108 case IPPROTO_TCP: {
8109 struct tcphdr th;
8110 if ((int)(offset + sizeof(th)) <= packet->m_pkthdr.len) {
8111 m_copydata(packet, offset, sizeof(th), (u_int8_t *)&th);
8112 ((struct sockaddr_in6 *)&local_addr)->sin6_port = th.th_sport;
8113 ((struct sockaddr_in6 *)&remote_addr)->sin6_port = th.th_dport;
8114 }
8115 break;
8116 }
8117 case IPPROTO_UDP: {
8118 struct udphdr uh;
8119 if ((int)(offset + sizeof(uh)) <= packet->m_pkthdr.len) {
8120 m_copydata(packet, offset, sizeof(uh), (u_int8_t *)&uh);
8121 ((struct sockaddr_in6 *)&local_addr)->sin6_port = uh.uh_sport;
8122 ((struct sockaddr_in6 *)&remote_addr)->sin6_port = uh.uh_dport;
8123 }
8124 break;
8125 }
8126 default: {
8127 ((struct sockaddr_in6 *)&local_addr)->sin6_port = 0;
8128 ((struct sockaddr_in6 *)&remote_addr)->sin6_port = 0;
8129 break;
8130 }
8131 }
8132 }
8133
8134 // Match packet to policy
8135 lck_rw_lock_shared(&necp_kernel_policy_lock);
8136 matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr);
8137 if (matched_policy) {
8138 matched_policy_id = matched_policy->id;
8139 if (result) {
8140 *result = matched_policy->result;
8141 }
8142
8143 if (result_parameter) {
8144 memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
8145 }
8146
8147 if (necp_debug > 1) {
8148 NECPLOG(LOG_DEBUG, "IP6 Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
8149 }
8150 } else if (necp_drop_all_order > 0) {
8151 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8152 if (result) {
8153 *result = NECP_KERNEL_POLICY_RESULT_DROP;
8154 }
8155 }
8156
8157 lck_rw_done(&necp_kernel_policy_lock);
8158
8159 return (matched_policy_id);
8160 }
8161
8162 // Utilities
8163 static bool
8164 necp_is_addr_in_range(struct sockaddr *addr, struct sockaddr *range_start, struct sockaddr *range_end)
8165 {
8166 int cmp = 0;
8167
8168 if (addr == NULL || range_start == NULL || range_end == NULL) {
8169 return (FALSE);
8170 }
8171
8172 /* Must be greater than or equal to start */
8173 cmp = necp_addr_compare(addr, range_start, 1);
8174 if (cmp != 0 && cmp != 1) {
8175 return (FALSE);
8176 }
8177
8178 /* Must be less than or equal to end */
8179 cmp = necp_addr_compare(addr, range_end, 1);
8180 if (cmp != 0 && cmp != -1) {
8181 return (FALSE);
8182 }
8183
8184 return (TRUE);
8185 }
8186
8187 static bool
8188 necp_is_range_in_range(struct sockaddr *inner_range_start, struct sockaddr *inner_range_end, struct sockaddr *range_start, struct sockaddr *range_end)
8189 {
8190 int cmp = 0;
8191
8192 if (inner_range_start == NULL || inner_range_end == NULL || range_start == NULL || range_end == NULL) {
8193 return (FALSE);
8194 }
8195
8196 /* Must be greater than or equal to start */
8197 cmp = necp_addr_compare(inner_range_start, range_start, 1);
8198 if (cmp != 0 && cmp != 1) {
8199 return (FALSE);
8200 }
8201
8202 /* Must be less than or equal to end */
8203 cmp = necp_addr_compare(inner_range_end, range_end, 1);
8204 if (cmp != 0 && cmp != -1) {
8205 return (FALSE);
8206 }
8207
8208 return (TRUE);
8209 }
8210
8211 static bool
8212 necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix)
8213 {
8214 if (addr == NULL || subnet_addr == NULL) {
8215 return (FALSE);
8216 }
8217
8218 if (addr->sa_family != subnet_addr->sa_family || addr->sa_len != subnet_addr->sa_len) {
8219 return (FALSE);
8220 }
8221
8222 switch (addr->sa_family) {
8223 case AF_INET: {
8224 if (satosin(subnet_addr)->sin_port != 0 &&
8225 satosin(addr)->sin_port != satosin(subnet_addr)->sin_port) {
8226 return (FALSE);
8227 }
8228 return (necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin(addr)->sin_addr, (u_int8_t *)&satosin(subnet_addr)->sin_addr, subnet_prefix));
8229 }
8230 case AF_INET6: {
8231 if (satosin6(subnet_addr)->sin6_port != 0 &&
8232 satosin6(addr)->sin6_port != satosin6(subnet_addr)->sin6_port) {
8233 return (FALSE);
8234 }
8235 if (satosin6(addr)->sin6_scope_id &&
8236 satosin6(subnet_addr)->sin6_scope_id &&
8237 satosin6(addr)->sin6_scope_id != satosin6(subnet_addr)->sin6_scope_id) {
8238 return (FALSE);
8239 }
8240 return (necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin6(addr)->sin6_addr, (u_int8_t *)&satosin6(subnet_addr)->sin6_addr, subnet_prefix));
8241 }
8242 default: {
8243 return (FALSE);
8244 }
8245 }
8246
8247 return (FALSE);
8248 }
8249
8250 /*
8251 * Return values:
8252 * -1: sa1 < sa2
8253 * 0: sa1 == sa2
8254 * 1: sa1 > sa2
8255 * 2: Not comparable or error
8256 */
8257 static int
8258 necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port)
8259 {
8260 int result = 0;
8261 int port_result = 0;
8262
8263 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) {
8264 return (2);
8265 }
8266
8267 if (sa1->sa_len == 0) {
8268 return (0);
8269 }
8270
8271 switch (sa1->sa_family) {
8272 case AF_INET: {
8273 if (sa1->sa_len != sizeof(struct sockaddr_in)) {
8274 return (2);
8275 }
8276
8277 result = memcmp(&satosin(sa1)->sin_addr.s_addr, &satosin(sa2)->sin_addr.s_addr, sizeof(satosin(sa1)->sin_addr.s_addr));
8278
8279 if (check_port) {
8280 if (satosin(sa1)->sin_port < satosin(sa2)->sin_port) {
8281 port_result = -1;
8282 } else if (satosin(sa1)->sin_port > satosin(sa2)->sin_port) {
8283 port_result = 1;
8284 }
8285
8286 if (result == 0) {
8287 result = port_result;
8288 } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
8289 return (2);
8290 }
8291 }
8292
8293 break;
8294 }
8295 case AF_INET6: {
8296 if (sa1->sa_len != sizeof(struct sockaddr_in6)) {
8297 return (2);
8298 }
8299
8300 if (satosin6(sa1)->sin6_scope_id != satosin6(sa2)->sin6_scope_id) {
8301 return (2);
8302 }
8303
8304 result = memcmp(&satosin6(sa1)->sin6_addr.s6_addr[0], &satosin6(sa2)->sin6_addr.s6_addr[0], sizeof(struct in6_addr));
8305
8306 if (check_port) {
8307 if (satosin6(sa1)->sin6_port < satosin6(sa2)->sin6_port) {
8308 port_result = -1;
8309 } else if (satosin6(sa1)->sin6_port > satosin6(sa2)->sin6_port) {
8310 port_result = 1;
8311 }
8312
8313 if (result == 0) {
8314 result = port_result;
8315 } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
8316 return (2);
8317 }
8318 }
8319
8320 break;
8321 }
8322 default: {
8323 result = memcmp(sa1, sa2, sa1->sa_len);
8324 break;
8325 }
8326 }
8327
8328 if (result < 0) {
8329 result = (-1);
8330 } else if (result > 0) {
8331 result = (1);
8332 }
8333
8334 return (result);
8335 }
8336
8337 static bool
8338 necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits)
8339 {
8340 u_int8_t mask;
8341
8342 /* Handle null pointers */
8343 if (p1 == NULL || p2 == NULL) {
8344 return (p1 == p2);
8345 }
8346
8347 while (bits >= 8) {
8348 if (*p1++ != *p2++) {
8349 return (FALSE);
8350 }
8351 bits -= 8;
8352 }
8353
8354 if (bits > 0) {
8355 mask = ~((1<<(8-bits))-1);
8356 if ((*p1 & mask) != (*p2 & mask)) {
8357 return (FALSE);
8358 }
8359 }
8360 return (TRUE);
8361 }
8362
8363 static bool
8364 necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id)
8365 {
8366 bool qos_marking = FALSE;
8367 int exception_index = 0;
8368 struct necp_route_rule *route_rule = NULL;
8369
8370 route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
8371 if (route_rule == NULL) {
8372 qos_marking = FALSE;
8373 goto done;
8374 }
8375
8376 qos_marking = (route_rule->default_action == NECP_ROUTE_RULE_QOS_MARKING) ? TRUE : FALSE;
8377
8378 if (ifp == NULL) {
8379 goto done;
8380 }
8381
8382 for (exception_index = 0; exception_index < MAX_ROUTE_RULE_INTERFACES; exception_index++) {
8383 if (route_rule->exception_if_indices[exception_index] == 0) {
8384 break;
8385 }
8386 if (route_rule->exception_if_actions[exception_index] != NECP_ROUTE_RULE_QOS_MARKING) {
8387 continue;
8388 }
8389 if (route_rule->exception_if_indices[exception_index] == ifp->if_index) {
8390 qos_marking = TRUE;
8391 if (necp_debug > 2) {
8392 NECPLOG(LOG_DEBUG, "QoS Marking : Interface match %d for Rule %d Allowed %d",
8393 route_rule->exception_if_indices[exception_index], route_rule_id, qos_marking);
8394 }
8395 goto done;
8396 }
8397 }
8398
8399 if ((route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CELLULAR(ifp)) ||
8400 (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIFI(ifp)) ||
8401 (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIRED(ifp)) ||
8402 (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_EXPENSIVE(ifp))) {
8403 qos_marking = TRUE;
8404 if (necp_debug > 2) {
8405 NECPLOG(LOG_DEBUG, "QoS Marking: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d",
8406 route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action,
8407 route_rule->expensive_action, route_rule_id, qos_marking);
8408 }
8409 goto done;
8410 }
8411 done:
8412 if (necp_debug > 1) {
8413 NECPLOG(LOG_DEBUG, "QoS Marking: Rule %d ifp %s Allowed %d",
8414 route_rule_id, ifp ? ifp->if_xname : "", qos_marking);
8415 }
8416 return (qos_marking);
8417 }
8418
8419 void
8420 necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id)
8421 {
8422 bool qos_marking = FALSE;
8423 struct ifnet *ifp = interface = NULL;
8424
8425 if (net_qos_policy_restricted == 0) {
8426 return;
8427 }
8428 if (inp->inp_socket == NULL) {
8429 return;
8430 }
8431 if ((inp->inp_socket->so_flags1 & SOF1_QOSMARKING_POLICY_OVERRIDE)) {
8432 return;
8433 }
8434 /*
8435 * This is racy but we do not need the performance hit of taking necp_kernel_policy_lock
8436 */
8437 if (inp->inp_policyresult.results.qos_marking_gencount == necp_kernel_socket_policies_gencount) {
8438 return;
8439 }
8440
8441 lck_rw_lock_shared(&necp_kernel_policy_lock);
8442
8443 if (ifp == NULL && route != NULL) {
8444 ifp = route->rt_ifp;
8445 }
8446 /*
8447 * By default, until we have a interface, do not mark and reevaluate the Qos marking policy
8448 */
8449 if (ifp == NULL || route_rule_id == 0) {
8450 qos_marking = FALSE;
8451 goto done;
8452 }
8453
8454 if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
8455 struct necp_aggregate_route_rule *aggregate_route_rule = necp_lookup_aggregate_route_rule_locked(route_rule_id);
8456 if (aggregate_route_rule != NULL) {
8457 int index = 0;
8458 for (index = 0; index < MAX_AGGREGATE_ROUTE_RULES; index++) {
8459 u_int32_t sub_route_rule_id = aggregate_route_rule->rule_ids[index];
8460 if (sub_route_rule_id == 0) {
8461 break;
8462 }
8463 qos_marking = necp_update_qos_marking(ifp, sub_route_rule_id);
8464 if (qos_marking == TRUE) {
8465 break;
8466 }
8467 }
8468 }
8469 } else {
8470 qos_marking = necp_update_qos_marking(ifp, route_rule_id);
8471 }
8472 /*
8473 * Now that we have an interface we remember the gencount
8474 */
8475 inp->inp_policyresult.results.qos_marking_gencount = necp_kernel_socket_policies_gencount;
8476
8477 done:
8478 lck_rw_done(&necp_kernel_policy_lock);
8479
8480 if (qos_marking == TRUE) {
8481 inp->inp_socket->so_flags1 |= SOF1_QOSMARKING_ALLOWED;
8482 } else {
8483 inp->inp_socket->so_flags1 &= ~SOF1_QOSMARKING_ALLOWED;
8484 }
8485 }
8486
8487 static bool
8488 necp_route_is_lqm_abort(struct ifnet *ifp, struct ifnet *delegated_ifp)
8489 {
8490 if (ifp != NULL &&
8491 (ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
8492 ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
8493 return true;
8494 }
8495 if (delegated_ifp != NULL &&
8496 (delegated_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
8497 delegated_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
8498 return true;
8499 }
8500 return false;
8501 }
8502
8503 static bool
8504 necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
8505 {
8506 bool default_is_allowed = TRUE;
8507 u_int8_t type_aggregate_action = NECP_ROUTE_RULE_NONE;
8508 int exception_index = 0;
8509 struct ifnet *delegated_ifp = NULL;
8510 struct necp_route_rule *route_rule = NULL;
8511
8512 route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
8513 if (route_rule == NULL) {
8514 return (TRUE);
8515 }
8516
8517 default_is_allowed = (route_rule->default_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
8518 if (ifp == NULL) {
8519 ifp = route->rt_ifp;
8520 }
8521 if (ifp == NULL) {
8522 if (necp_debug > 1 && !default_is_allowed) {
8523 NECPLOG(LOG_DEBUG, "Route Allowed: No interface for route, using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
8524 }
8525 return (default_is_allowed);
8526 }
8527
8528 delegated_ifp = ifp->if_delegated.ifp;
8529 for (exception_index = 0; exception_index < MAX_ROUTE_RULE_INTERFACES; exception_index++) {
8530 if (route_rule->exception_if_indices[exception_index] == 0) {
8531 break;
8532 }
8533 if (route_rule->exception_if_indices[exception_index] == ifp->if_index ||
8534 (delegated_ifp != NULL && route_rule->exception_if_indices[exception_index] == delegated_ifp->if_index)) {
8535 if (route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8536 const bool lqm_abort = necp_route_is_lqm_abort(ifp, delegated_ifp);
8537 if (necp_debug > 1 && lqm_abort) {
8538 NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Deny LQM Abort",
8539 route_rule->exception_if_indices[exception_index], route_rule_id);
8540 }
8541 return false;
8542 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->exception_if_actions[exception_index])) {
8543 if (necp_debug > 1) {
8544 NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Allowed %d", route_rule->exception_if_indices[exception_index], route_rule_id, ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
8545 }
8546 return ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE);
8547 }
8548 }
8549 }
8550
8551 if (IFNET_IS_CELLULAR(ifp)) {
8552 if (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8553 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8554 if (interface_type_denied != NULL) {
8555 *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
8556 }
8557 // Mark aggregate action as deny
8558 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8559 }
8560 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->cellular_action)) {
8561 if (interface_type_denied != NULL) {
8562 *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
8563 }
8564 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8565 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8566 route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8567 // Deny wins if there is a conflict
8568 type_aggregate_action = route_rule->cellular_action;
8569 }
8570 }
8571 }
8572
8573 if (IFNET_IS_WIFI(ifp)) {
8574 if (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8575 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8576 if (interface_type_denied != NULL) {
8577 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
8578 }
8579 // Mark aggregate action as deny
8580 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8581 }
8582 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wifi_action)) {
8583 if (interface_type_denied != NULL) {
8584 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
8585 }
8586 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8587 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8588 route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8589 // Deny wins if there is a conflict
8590 type_aggregate_action = route_rule->wifi_action;
8591 }
8592 }
8593 }
8594
8595 if (IFNET_IS_WIRED(ifp)) {
8596 if (route_rule->wired_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8597 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8598 if (interface_type_denied != NULL) {
8599 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
8600 }
8601 // Mark aggregate action as deny
8602 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8603 }
8604 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wired_action)) {
8605 if (interface_type_denied != NULL) {
8606 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
8607 }
8608 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8609 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8610 route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8611 // Deny wins if there is a conflict
8612 type_aggregate_action = route_rule->wired_action;
8613 }
8614 }
8615 }
8616
8617 if (IFNET_IS_EXPENSIVE(ifp)) {
8618 if (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8619 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8620 // Mark aggregate action as deny
8621 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8622 }
8623 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->expensive_action)) {
8624 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8625 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8626 route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8627 // Deny wins if there is a conflict
8628 type_aggregate_action = route_rule->expensive_action;
8629 }
8630 }
8631 }
8632
8633 if (type_aggregate_action != NECP_ROUTE_RULE_NONE) {
8634 if (necp_debug > 1) {
8635 NECPLOG(LOG_DEBUG, "Route Allowed: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d", route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action, route_rule->expensive_action, route_rule_id, ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
8636 }
8637 return ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE);
8638 }
8639
8640 if (necp_debug > 1 && !default_is_allowed) {
8641 NECPLOG(LOG_DEBUG, "Route Allowed: Using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
8642 }
8643 return (default_is_allowed);
8644 }
8645
8646 static bool
8647 necp_route_is_allowed(struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
8648 {
8649 if ((route == NULL && interface == NULL) || route_rule_id == 0) {
8650 if (necp_debug > 1) {
8651 NECPLOG(LOG_DEBUG, "Route Allowed: no route or interface, Rule %d Allowed %d", route_rule_id, TRUE);
8652 }
8653 return (TRUE);
8654 }
8655
8656 if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
8657 struct necp_aggregate_route_rule *aggregate_route_rule = necp_lookup_aggregate_route_rule_locked(route_rule_id);
8658 if (aggregate_route_rule != NULL) {
8659 int index = 0;
8660 for (index = 0; index < MAX_AGGREGATE_ROUTE_RULES; index++) {
8661 u_int32_t sub_route_rule_id = aggregate_route_rule->rule_ids[index];
8662 if (sub_route_rule_id == 0) {
8663 break;
8664 }
8665 if (!necp_route_is_allowed_inner(route, interface, sub_route_rule_id, interface_type_denied)) {
8666 return (FALSE);
8667 }
8668 }
8669 }
8670 } else {
8671 return (necp_route_is_allowed_inner(route, interface, route_rule_id, interface_type_denied));
8672 }
8673
8674 return (TRUE);
8675 }
8676
8677 bool
8678 necp_packet_is_allowed_over_interface(struct mbuf *packet, struct ifnet *interface)
8679 {
8680 bool is_allowed = TRUE;
8681 u_int32_t route_rule_id = necp_get_route_rule_id_from_packet(packet);
8682 if (route_rule_id != 0 &&
8683 interface != NULL) {
8684 lck_rw_lock_shared(&necp_kernel_policy_lock);
8685 is_allowed = necp_route_is_allowed(NULL, interface, necp_get_route_rule_id_from_packet(packet), NULL);
8686 lck_rw_done(&necp_kernel_policy_lock);
8687 }
8688 return (is_allowed);
8689 }
8690
8691 static bool
8692 necp_netagents_allow_traffic(u_int32_t *netagent_ids, size_t netagent_id_count)
8693 {
8694 size_t netagent_cursor;
8695 for (netagent_cursor = 0; netagent_cursor < netagent_id_count; netagent_cursor++) {
8696 struct necp_uuid_id_mapping *mapping = NULL;
8697 u_int32_t netagent_id = netagent_ids[netagent_cursor];
8698 if (netagent_id == 0) {
8699 break;
8700 }
8701 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
8702 if (mapping != NULL) {
8703 u_int32_t agent_flags = 0;
8704 agent_flags = netagent_get_flags(mapping->uuid);
8705 if (agent_flags & NETAGENT_FLAG_REGISTERED) {
8706 if (agent_flags & NETAGENT_FLAG_ACTIVE) {
8707 continue;
8708 } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
8709 return (FALSE);
8710 }
8711 }
8712 }
8713 }
8714 return (TRUE);
8715 }
8716
8717 static bool
8718 necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
8719 {
8720 u_int32_t verifyifindex = interface ? interface->if_index : 0;
8721 bool allowed_to_receive = TRUE;
8722 struct necp_socket_info info;
8723 u_int32_t flowhash = 0;
8724 necp_kernel_policy_result service_action = 0;
8725 necp_kernel_policy_service service = { 0, 0 };
8726 u_int32_t route_rule_id = 0;
8727 struct rtentry *route = NULL;
8728 u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
8729
8730 u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
8731 memset(&netagent_ids, 0, sizeof(netagent_ids));
8732
8733 if (return_policy_id) {
8734 *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8735 }
8736 if (return_skip_policy_id) {
8737 *return_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8738 }
8739 if (return_route_rule_id) {
8740 *return_route_rule_id = 0;
8741 }
8742
8743 if (inp == NULL) {
8744 goto done;
8745 }
8746
8747 route = inp->inp_route.ro_rt;
8748
8749 // Don't lock. Possible race condition, but we don't want the performance hit.
8750 if (necp_kernel_socket_policies_count == 0 ||
8751 (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
8752 if (necp_drop_all_order > 0) {
8753 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
8754 allowed_to_receive = TRUE;
8755 } else {
8756 allowed_to_receive = FALSE;
8757 }
8758 }
8759 goto done;
8760 }
8761
8762 // If this socket is connected, or we are not taking addresses into account, try to reuse last result
8763 if ((necp_socket_is_connected(inp) || (override_local_addr == NULL && override_remote_addr == NULL)) && inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE) {
8764 bool policies_have_changed = FALSE;
8765 bool route_allowed = TRUE;
8766
8767 if (inp->inp_policyresult.policy_gencount != necp_kernel_socket_policies_gencount) {
8768 policies_have_changed = TRUE;
8769 } else {
8770 if (inp->inp_policyresult.results.route_rule_id != 0) {
8771 lck_rw_lock_shared(&necp_kernel_policy_lock);
8772 if (!necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied)) {
8773 route_allowed = FALSE;
8774 }
8775 lck_rw_done(&necp_kernel_policy_lock);
8776 }
8777 }
8778
8779 if (!policies_have_changed) {
8780 if (!route_allowed ||
8781 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
8782 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
8783 (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
8784 inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex)) {
8785 allowed_to_receive = FALSE;
8786 } else {
8787 if (return_policy_id) {
8788 *return_policy_id = inp->inp_policyresult.policy_id;
8789 }
8790 if (return_skip_policy_id) {
8791 *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
8792 }
8793 if (return_route_rule_id) {
8794 *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
8795 }
8796 }
8797 goto done;
8798 }
8799 }
8800
8801 // Check for loopback exception
8802 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
8803 allowed_to_receive = TRUE;
8804 goto done;
8805 }
8806
8807 // Actually calculate policy result
8808 lck_rw_lock_shared(&necp_kernel_policy_lock);
8809 necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, 0, &info);
8810
8811 flowhash = necp_socket_calc_flowhash_locked(&info);
8812 if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
8813 inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
8814 inp->inp_policyresult.flowhash == flowhash) {
8815 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
8816 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
8817 (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
8818 inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex) ||
8819 (inp->inp_policyresult.results.route_rule_id != 0 &&
8820 !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied))) {
8821 allowed_to_receive = FALSE;
8822 } else {
8823 if (return_policy_id) {
8824 *return_policy_id = inp->inp_policyresult.policy_id;
8825 }
8826 if (return_route_rule_id) {
8827 *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
8828 }
8829 if (return_skip_policy_id) {
8830 *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
8831 }
8832 }
8833 lck_rw_done(&necp_kernel_policy_lock);
8834 goto done;
8835 }
8836
8837 struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, NULL, &route_rule_id, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, current_proc(), return_skip_policy_id);
8838 if (matched_policy != NULL) {
8839 if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
8840 matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
8841 (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
8842 matched_policy->result_parameter.tunnel_interface_index != verifyifindex) ||
8843 ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
8844 service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
8845 service.identifier != 0 && service.identifier != NECP_NULL_SERVICE_ID) ||
8846 (route_rule_id != 0 &&
8847 !necp_route_is_allowed(route, interface, route_rule_id, &interface_type_denied)) ||
8848 !necp_netagents_allow_traffic(netagent_ids, NECP_MAX_NETAGENTS)) {
8849 allowed_to_receive = FALSE;
8850 } else {
8851 if (return_policy_id) {
8852 *return_policy_id = matched_policy->id;
8853 }
8854 if (return_route_rule_id) {
8855 *return_route_rule_id = route_rule_id;
8856 }
8857 }
8858 lck_rw_done(&necp_kernel_policy_lock);
8859
8860 if (necp_debug > 1 && matched_policy->id != inp->inp_policyresult.policy_id) {
8861 NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
8862 }
8863 goto done;
8864 } else if (necp_drop_all_order > 0) {
8865 allowed_to_receive = FALSE;
8866 } else {
8867 if (return_policy_id) {
8868 *return_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8869 }
8870 if (return_route_rule_id) {
8871 *return_route_rule_id = route_rule_id;
8872 }
8873 }
8874
8875 lck_rw_done(&necp_kernel_policy_lock);
8876
8877 done:
8878 if (!allowed_to_receive && interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
8879 soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
8880 }
8881
8882 return (allowed_to_receive);
8883 }
8884
8885 bool
8886 necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
8887 {
8888 struct sockaddr_in local = {};
8889 struct sockaddr_in remote = {};
8890 local.sin_family = remote.sin_family = AF_INET;
8891 local.sin_len = remote.sin_len = sizeof(struct sockaddr_in);
8892 local.sin_port = local_port;
8893 remote.sin_port = remote_port;
8894 memcpy(&local.sin_addr, local_addr, sizeof(local.sin_addr));
8895 memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
8896
8897 return (necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
8898 return_policy_id, return_route_rule_id, return_skip_policy_id));
8899 }
8900
8901 bool
8902 necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
8903 {
8904 struct sockaddr_in6 local = {};
8905 struct sockaddr_in6 remote = {};
8906 local.sin6_family = remote.sin6_family = AF_INET6;
8907 local.sin6_len = remote.sin6_len = sizeof(struct sockaddr_in6);
8908 local.sin6_port = local_port;
8909 remote.sin6_port = remote_port;
8910 memcpy(&local.sin6_addr, local_addr, sizeof(local.sin6_addr));
8911 memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
8912
8913 return (necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
8914 return_policy_id, return_route_rule_id, return_skip_policy_id));
8915 }
8916
8917 bool
8918 necp_socket_is_allowed_to_send_recv(struct inpcb *inp, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id,
8919 necp_kernel_policy_id *return_skip_policy_id)
8920 {
8921 return (necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, NULL, return_policy_id, return_route_rule_id, return_skip_policy_id));
8922 }
8923
8924 int
8925 necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id,
8926 necp_kernel_policy_id skip_policy_id)
8927 {
8928 if (packet == NULL || inp == NULL || !(packet->m_flags & M_PKTHDR)) {
8929 return (EINVAL);
8930 }
8931
8932 // Mark ID for Pass and IP Tunnel
8933 if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
8934 packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
8935 } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS ||
8936 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
8937 packet->m_pkthdr.necp_mtag.necp_policy_id = inp->inp_policyresult.policy_id;
8938 } else {
8939 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8940 }
8941 packet->m_pkthdr.necp_mtag.necp_last_interface_index = 0;
8942 if (route_rule_id != 0) {
8943 packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
8944 } else {
8945 packet->m_pkthdr.necp_mtag.necp_route_rule_id = inp->inp_policyresult.results.route_rule_id;
8946 }
8947 packet->m_pkthdr.necp_mtag.necp_app_id = inp->inp_policyresult.app_id;
8948
8949 if (skip_policy_id != NECP_KERNEL_POLICY_ID_NONE) {
8950 packet->m_pkthdr.necp_mtag.necp_skip_policy_id = skip_policy_id;
8951 }
8952
8953 return (0);
8954 }
8955
8956 int
8957 necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
8958 {
8959 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
8960 return (EINVAL);
8961 }
8962
8963 // Mark ID for Pass and IP Tunnel
8964 if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
8965 packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
8966 } else {
8967 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8968 }
8969
8970 return (0);
8971 }
8972
8973 int
8974 necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
8975 {
8976 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
8977 return (EINVAL);
8978 }
8979
8980 // Mark ID for Pass and IP Tunnel
8981 if (interface != NULL) {
8982 packet->m_pkthdr.necp_mtag.necp_last_interface_index = interface->if_index;
8983 }
8984
8985 return (0);
8986 }
8987
8988 int
8989 necp_mark_packet_as_keepalive(struct mbuf *packet, bool is_keepalive)
8990 {
8991 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
8992 return (EINVAL);
8993 }
8994
8995 if (is_keepalive) {
8996 packet->m_pkthdr.pkt_flags |= PKTF_KEEPALIVE;
8997 } else {
8998 packet->m_pkthdr.pkt_flags &= ~PKTF_KEEPALIVE;
8999 }
9000
9001 return (0);
9002 }
9003
9004 necp_kernel_policy_id
9005 necp_get_policy_id_from_packet(struct mbuf *packet)
9006 {
9007 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9008 return (NECP_KERNEL_POLICY_ID_NONE);
9009 }
9010
9011 return (packet->m_pkthdr.necp_mtag.necp_policy_id);
9012 }
9013
9014 necp_kernel_policy_id
9015 necp_get_skip_policy_id_from_packet(struct mbuf *packet)
9016 {
9017 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9018 return (NECP_KERNEL_POLICY_ID_NONE);
9019 }
9020
9021 return (packet->m_pkthdr.necp_mtag.necp_skip_policy_id);
9022 }
9023
9024 u_int32_t
9025 necp_get_last_interface_index_from_packet(struct mbuf *packet)
9026 {
9027 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9028 return (0);
9029 }
9030
9031 return (packet->m_pkthdr.necp_mtag.necp_last_interface_index);
9032 }
9033
9034 u_int32_t
9035 necp_get_route_rule_id_from_packet(struct mbuf *packet)
9036 {
9037 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9038 return (0);
9039 }
9040
9041 return (packet->m_pkthdr.necp_mtag.necp_route_rule_id);
9042 }
9043
9044 int
9045 necp_get_app_uuid_from_packet(struct mbuf *packet,
9046 uuid_t app_uuid)
9047 {
9048 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9049 return (EINVAL);
9050 }
9051
9052 bool found_mapping = FALSE;
9053 if (packet->m_pkthdr.necp_mtag.necp_app_id != 0) {
9054 lck_rw_lock_shared(&necp_kernel_policy_lock);
9055 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(packet->m_pkthdr.necp_mtag.necp_app_id);
9056 if (entry != NULL) {
9057 uuid_copy(app_uuid, entry->uuid);
9058 found_mapping = true;
9059 }
9060 lck_rw_done(&necp_kernel_policy_lock);
9061 }
9062 if (!found_mapping) {
9063 uuid_clear(app_uuid);
9064 }
9065 return (0);
9066 }
9067
9068 bool
9069 necp_get_is_keepalive_from_packet(struct mbuf *packet)
9070 {
9071 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9072 return (FALSE);
9073 }
9074
9075 return (packet->m_pkthdr.pkt_flags & PKTF_KEEPALIVE);
9076 }
9077
9078 u_int32_t
9079 necp_socket_get_content_filter_control_unit(struct socket *so)
9080 {
9081 struct inpcb *inp = sotoinpcb(so);
9082
9083 if (inp == NULL) {
9084 return (0);
9085 }
9086 return (inp->inp_policyresult.results.filter_control_unit);
9087 }
9088
9089 bool
9090 necp_socket_should_use_flow_divert(struct inpcb *inp)
9091 {
9092 if (inp == NULL) {
9093 return (FALSE);
9094 }
9095
9096 return (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT);
9097 }
9098
9099 u_int32_t
9100 necp_socket_get_flow_divert_control_unit(struct inpcb *inp)
9101 {
9102 if (inp == NULL) {
9103 return (0);
9104 }
9105
9106 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
9107 return (inp->inp_policyresult.results.result_parameter.flow_divert_control_unit);
9108 }
9109
9110 return (0);
9111 }
9112
9113 bool
9114 necp_socket_should_rescope(struct inpcb *inp)
9115 {
9116 if (inp == NULL) {
9117 return (FALSE);
9118 }
9119
9120 return (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED ||
9121 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT);
9122 }
9123
9124 u_int
9125 necp_socket_get_rescope_if_index(struct inpcb *inp)
9126 {
9127 if (inp == NULL) {
9128 return (0);
9129 }
9130
9131 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
9132 return (inp->inp_policyresult.results.result_parameter.scoped_interface_index);
9133 } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
9134 return (necp_get_primary_direct_interface_index());
9135 }
9136
9137 return (0);
9138 }
9139
9140 u_int32_t
9141 necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
9142 {
9143 if (inp == NULL) {
9144 return (current_mtu);
9145 }
9146
9147 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
9148 (inp->inp_flags & INP_BOUND_IF) &&
9149 inp->inp_boundifp) {
9150
9151 u_int bound_interface_index = inp->inp_boundifp->if_index;
9152 u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
9153
9154 // The result is IP Tunnel, and is rescoping from one interface to another. Recalculate MTU.
9155 if (bound_interface_index != tunnel_interface_index) {
9156 ifnet_t tunnel_interface = NULL;
9157
9158 ifnet_head_lock_shared();
9159 tunnel_interface = ifindex2ifnet[tunnel_interface_index];
9160 ifnet_head_done();
9161
9162 if (tunnel_interface != NULL) {
9163 u_int32_t direct_tunnel_mtu = tunnel_interface->if_mtu;
9164 u_int32_t delegate_tunnel_mtu = (tunnel_interface->if_delegated.ifp != NULL) ? tunnel_interface->if_delegated.ifp->if_mtu : 0;
9165 if (delegate_tunnel_mtu != 0 &&
9166 strncmp(tunnel_interface->if_name, "ipsec", strlen("ipsec")) == 0) {
9167 // For ipsec interfaces, calculate the overhead from the delegate interface
9168 u_int32_t tunnel_overhead = (u_int32_t)(esp_hdrsiz(NULL) + sizeof(struct ip6_hdr));
9169 if (delegate_tunnel_mtu > tunnel_overhead) {
9170 delegate_tunnel_mtu -= tunnel_overhead;
9171 }
9172
9173 if (delegate_tunnel_mtu < direct_tunnel_mtu) {
9174 // If the (delegate - overhead) < direct, return (delegate - overhead)
9175 return (delegate_tunnel_mtu);
9176 } else {
9177 // Otherwise return direct
9178 return (direct_tunnel_mtu);
9179 }
9180 } else {
9181 // For non-ipsec interfaces, just return the tunnel MTU
9182 return (direct_tunnel_mtu);
9183 }
9184 }
9185 }
9186 }
9187
9188 // By default, just return the MTU passed in
9189 return (current_mtu);
9190 }
9191
9192 ifnet_t
9193 necp_get_ifnet_from_result_parameter(necp_kernel_policy_result_parameter *result_parameter)
9194 {
9195 if (result_parameter == NULL) {
9196 return (NULL);
9197 }
9198
9199 return (ifindex2ifnet[result_parameter->tunnel_interface_index]);
9200 }
9201
9202 bool
9203 necp_packet_can_rebind_to_ifnet(struct mbuf *packet, struct ifnet *interface, struct route *new_route, int family)
9204 {
9205 bool found_match = FALSE;
9206 errno_t result = 0;
9207 ifaddr_t *addresses = NULL;
9208 union necp_sockaddr_union address_storage;
9209 int i;
9210
9211 if (packet == NULL || interface == NULL || new_route == NULL || (family != AF_INET && family != AF_INET6)) {
9212 return (FALSE);
9213 }
9214
9215 result = ifnet_get_address_list_family(interface, &addresses, family);
9216 if (result != 0) {
9217 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
9218 return (FALSE);
9219 }
9220
9221 for (i = 0; addresses[i] != NULL; i++) {
9222 ROUTE_RELEASE(new_route);
9223 if (ifaddr_address(addresses[i], &address_storage.sa, sizeof(address_storage)) == 0) {
9224 if (family == AF_INET) {
9225 struct ip *ip = mtod(packet, struct ip *);
9226 if (memcmp(&address_storage.sin.sin_addr, &ip->ip_src, sizeof(ip->ip_src)) == 0) {
9227 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)&new_route->ro_dst;
9228 dst4->sin_family = AF_INET;
9229 dst4->sin_len = sizeof(struct sockaddr_in);
9230 dst4->sin_addr = ip->ip_dst;
9231 rtalloc_scoped(new_route, interface->if_index);
9232 if (!ROUTE_UNUSABLE(new_route)) {
9233 found_match = TRUE;
9234 goto done;
9235 }
9236 }
9237 } else if (family == AF_INET6) {
9238 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
9239 if (memcmp(&address_storage.sin6.sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)) == 0) {
9240 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)&new_route->ro_dst;
9241 dst6->sin6_family = AF_INET6;
9242 dst6->sin6_len = sizeof(struct sockaddr_in6);
9243 dst6->sin6_addr = ip6->ip6_dst;
9244 rtalloc_scoped(new_route, interface->if_index);
9245 if (!ROUTE_UNUSABLE(new_route)) {
9246 found_match = TRUE;
9247 goto done;
9248 }
9249 }
9250 }
9251 }
9252 }
9253
9254 done:
9255 ifnet_free_address_list(addresses);
9256 addresses = NULL;
9257 return (found_match);
9258 }
9259
9260 static bool
9261 necp_addr_is_loopback(struct sockaddr *address)
9262 {
9263 if (address == NULL) {
9264 return (FALSE);
9265 }
9266
9267 if (address->sa_family == AF_INET) {
9268 return (ntohl(((struct sockaddr_in *)(void *)address)->sin_addr.s_addr) == INADDR_LOOPBACK);
9269 } else if (address->sa_family == AF_INET6) {
9270 return IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)(void *)address)->sin6_addr);
9271 }
9272
9273 return (FALSE);
9274 }
9275
9276 static bool
9277 necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet)
9278 {
9279 // Note: This function only checks for the loopback addresses.
9280 // In the future, we may want to expand to also allow any traffic
9281 // going through the loopback interface, but until then, this
9282 // check is cheaper.
9283
9284 if (local_addr != NULL && necp_addr_is_loopback(local_addr)) {
9285 return (TRUE);
9286 }
9287
9288 if (remote_addr != NULL && necp_addr_is_loopback(remote_addr)) {
9289 return (TRUE);
9290 }
9291
9292 if (inp != NULL) {
9293 if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp && (inp->inp_boundifp->if_flags & IFF_LOOPBACK)) {
9294 return (TRUE);
9295 }
9296 if (inp->inp_vflag & INP_IPV4) {
9297 if (ntohl(inp->inp_laddr.s_addr) == INADDR_LOOPBACK ||
9298 ntohl(inp->inp_faddr.s_addr) == INADDR_LOOPBACK) {
9299 return (TRUE);
9300 }
9301 } else if (inp->inp_vflag & INP_IPV6) {
9302 if (IN6_IS_ADDR_LOOPBACK(&inp->in6p_laddr) ||
9303 IN6_IS_ADDR_LOOPBACK(&inp->in6p_faddr)) {
9304 return (TRUE);
9305 }
9306 }
9307 }
9308
9309 if (packet != NULL) {
9310 struct ip *ip = mtod(packet, struct ip *);
9311 if (ip->ip_v == 4) {
9312 if (ntohl(ip->ip_src.s_addr) == INADDR_LOOPBACK) {
9313 return (TRUE);
9314 }
9315 if (ntohl(ip->ip_dst.s_addr) == INADDR_LOOPBACK) {
9316 return (TRUE);
9317 }
9318 } else if (ip->ip_v == 6) {
9319 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
9320 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)) {
9321 return (TRUE);
9322 }
9323 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
9324 return (TRUE);
9325 }
9326 }
9327 }
9328
9329 return (FALSE);
9330 }
9331
9332 static bool
9333 necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet)
9334 {
9335
9336 if (inp != NULL) {
9337 return (sflt_permission_check(inp) ? true : false);
9338 }
9339 if (packet != NULL) {
9340 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
9341 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION &&
9342 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst) &&
9343 ip6->ip6_dst.s6_addr32[2] == ntohl(0xaede48ff) &&
9344 ip6->ip6_dst.s6_addr32[3] == ntohl(0xfe334455)) {
9345 return (true);
9346 }
9347 }
9348
9349 return (false);
9350 }
mirror of XNU