]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_guarded.c
xnu-2782.30.5.tar.gz
[apple/xnu.git] / bsd / kern / kern_guarded.c
1 /*
2 * Copyright (c) 2012 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <sys/param.h>
30 #include <sys/systm.h>
31 #include <sys/filedesc.h>
32 #include <sys/kernel.h>
33 #include <sys/file_internal.h>
34 #include <sys/guarded.h>
35 #include <kern/kalloc.h>
36 #include <sys/sysproto.h>
37 #include <sys/vnode.h>
38 #include <sys/vnode_internal.h>
39 #include <sys/uio_internal.h>
40 #include <sys/ubc_internal.h>
41 #include <vfs/vfs_support.h>
42 #include <security/audit/audit.h>
43 #include <sys/syscall.h>
44 #include <sys/kauth.h>
45 #include <sys/kdebug.h>
46 #include <stdbool.h>
47 #include <vm/vm_protos.h>
48 #if CONFIG_PROTECT
49 #include <sys/cprotect.h>
50 #endif
51
52
53 #define f_flag f_fglob->fg_flag
54 #define f_type f_fglob->fg_ops->fo_type
55 extern int dofilewrite(vfs_context_t ctx, struct fileproc *fp,
56 user_addr_t bufp, user_size_t nbyte, off_t offset,
57 int flags, user_ssize_t *retval );
58 extern int wr_uio(struct proc *p, struct fileproc *fp, uio_t uio, user_ssize_t *retval);
59
60 /*
61 * Experimental guarded file descriptor support.
62 */
63
64 kern_return_t task_exception_notify(exception_type_t exception,
65 mach_exception_data_type_t code, mach_exception_data_type_t subcode);
66
67 /*
68 * Most fd's have an underlying fileproc struct; but some may be
69 * guarded_fileproc structs which implement guarded fds. The latter
70 * struct (below) embeds the former.
71 *
72 * The two types should be distinguished by the "type" portion of f_flags.
73 * There's also a magic number to help catch misuse and bugs.
74 *
75 * This is a bit unpleasant, but results from the desire to allow
76 * alternate file behaviours for a few file descriptors without
77 * growing the fileproc data structure.
78 */
79
80 struct guarded_fileproc {
81 struct fileproc gf_fileproc;
82 u_int gf_magic;
83 u_int gf_attrs;
84 thread_t gf_thread;
85 guardid_t gf_guard;
86 int gf_exc_fd;
87 u_int gf_exc_code;
88 };
89
90 const size_t sizeof_guarded_fileproc = sizeof (struct guarded_fileproc);
91
92 #define FP_TO_GFP(fp) ((struct guarded_fileproc *)(fp))
93 #define GFP_TO_FP(gfp) (&(gfp)->gf_fileproc)
94
95 #define GUARDED_FILEPROC_MAGIC 0x29083
96
97 struct gfp_crarg {
98 guardid_t gca_guard;
99 u_int gca_attrs;
100 };
101
102 static struct fileproc *
103 guarded_fileproc_alloc_init(void *crarg)
104 {
105 struct gfp_crarg *aarg = crarg;
106 struct guarded_fileproc *gfp;
107
108 if ((gfp = kalloc(sizeof (*gfp))) == NULL)
109 return (NULL);
110
111 bzero(gfp, sizeof (*gfp));
112 gfp->gf_fileproc.f_flags = FTYPE_GUARDED;
113 gfp->gf_magic = GUARDED_FILEPROC_MAGIC;
114 gfp->gf_guard = aarg->gca_guard;
115 gfp->gf_attrs = aarg->gca_attrs;
116
117 return (GFP_TO_FP(gfp));
118 }
119
120 void
121 guarded_fileproc_free(struct fileproc *fp)
122 {
123 struct guarded_fileproc *gfp = FP_TO_GFP(fp);
124
125 if (FILEPROC_TYPE(fp) != FTYPE_GUARDED ||
126 GUARDED_FILEPROC_MAGIC != gfp->gf_magic)
127 panic("%s: corrupt fp %p flags %x", __func__, fp, fp->f_flags);
128
129 kfree(gfp, sizeof (*gfp));
130 }
131
132 static int
133 fp_lookup_guarded(proc_t p, int fd, guardid_t guard,
134 struct guarded_fileproc **gfpp)
135 {
136 struct fileproc *fp;
137 int error;
138
139 if ((error = fp_lookup(p, fd, &fp, 1)) != 0)
140 return (error);
141 if (FILEPROC_TYPE(fp) != FTYPE_GUARDED) {
142 (void) fp_drop(p, fd, fp, 1);
143 return (EINVAL);
144 }
145 struct guarded_fileproc *gfp = FP_TO_GFP(fp);
146
147 if (GUARDED_FILEPROC_MAGIC != gfp->gf_magic)
148 panic("%s: corrupt fp %p", __func__, fp);
149
150 if (guard != gfp->gf_guard) {
151 (void) fp_drop(p, fd, fp, 1);
152 return (EPERM); /* *not* a mismatch exception */
153 }
154 if (gfpp)
155 *gfpp = gfp;
156 return (0);
157 }
158
159 /*
160 * Expected use pattern:
161 *
162 * if (FP_ISGUARDED(fp, GUARD_CLOSE)) {
163 * error = fp_guard_exception(p, fd, fp, kGUARD_EXC_CLOSE);
164 * proc_fdunlock(p);
165 * return (error);
166 * }
167 */
168
169 int
170 fp_isguarded(struct fileproc *fp, u_int attrs)
171 {
172 if (FILEPROC_TYPE(fp) == FTYPE_GUARDED) {
173 struct guarded_fileproc *gfp = FP_TO_GFP(fp);
174
175 if (GUARDED_FILEPROC_MAGIC != gfp->gf_magic)
176 panic("%s: corrupt gfp %p flags %x",
177 __func__, gfp, fp->f_flags);
178 return ((attrs & gfp->gf_attrs) ? 1 : 0);
179 }
180 return (0);
181 }
182
183 extern char *proc_name_address(void *p);
184
185 int
186 fp_guard_exception(proc_t p, int fd, struct fileproc *fp, u_int code)
187 {
188 if (FILEPROC_TYPE(fp) != FTYPE_GUARDED)
189 panic("%s corrupt fp %p flags %x", __func__, fp, fp->f_flags);
190
191 struct guarded_fileproc *gfp = FP_TO_GFP(fp);
192
193 /* all gfd fields protected via proc_fdlock() */
194 proc_fdlock_assert(p, LCK_MTX_ASSERT_OWNED);
195
196 if (NULL == gfp->gf_thread) {
197 thread_t t = current_thread();
198 gfp->gf_thread = t;
199 gfp->gf_exc_fd = fd;
200 gfp->gf_exc_code = code;
201
202 /*
203 * This thread was the first to attempt the
204 * operation that violated the guard on this fd;
205 * generate an exception.
206 */
207 printf("%s: guarded fd exception: "
208 "fd %d code 0x%x guard 0x%llx\n",
209 proc_name_address(p), gfp->gf_exc_fd,
210 gfp->gf_exc_code, gfp->gf_guard);
211
212 thread_guard_violation(t, GUARD_TYPE_FD);
213 } else {
214 /*
215 * We already recorded a violation on this fd for a
216 * different thread, so posting an exception is
217 * already in progress. We could pause for a bit
218 * and check again, or we could panic (though that seems
219 * heavy handed), or we could just press on with the
220 * error return alone. For now, resort to printf.
221 */
222 printf("%s: guarded fd exception+: "
223 "fd %d code 0x%x guard 0x%llx\n",
224 proc_name_address(p), gfp->gf_exc_fd,
225 gfp->gf_exc_code, gfp->gf_guard);
226 }
227
228 return (EPERM);
229 }
230
231 /*
232 * (Invoked before returning to userland from the syscall handler.)
233 */
234 void
235 fd_guard_ast(thread_t t)
236 {
237 proc_t p = current_proc();
238 struct filedesc *fdp = p->p_fd;
239 int i;
240
241 proc_fdlock(p);
242 for (i = fdp->fd_lastfile; i >= 0; i--) {
243 struct fileproc *fp = fdp->fd_ofiles[i];
244
245 if (fp == NULL ||
246 FILEPROC_TYPE(fp) != FTYPE_GUARDED)
247 continue;
248
249 struct guarded_fileproc *gfp = FP_TO_GFP(fp);
250
251 if (GUARDED_FILEPROC_MAGIC != gfp->gf_magic)
252 panic("%s: corrupt gfp %p flags %x",
253 __func__, gfp, fp->f_flags);
254
255 if (gfp->gf_thread == t) {
256 mach_exception_data_type_t code, subcode;
257
258 gfp->gf_thread = NULL;
259
260 /*
261 * EXC_GUARD exception code namespace.
262 *
263 * code:
264 * +-------------------------------------------------+
265 * | [63:61] guard type | [60:0] guard-specific data |
266 * +-------------------------------------------------+
267 *
268 * subcode:
269 * +-------------------------------------------------+
270 * | [63:0] guard-specific data |
271 * +-------------------------------------------------+
272 *
273 * At the moment, we have just one guard type: file
274 * descriptor guards.
275 *
276 * File descriptor guards use the exception codes like
277 * so:
278 *
279 * code:
280 * +--------------------------------------------------+
281 * |[63:61] GUARD_TYPE_FD | [60:32] flavor | [31:0] fd|
282 * +--------------------------------------------------+
283 *
284 * subcode:
285 * +--------------------------------------------------+
286 * | [63:0] guard value |
287 * +--------------------------------------------------+
288 */
289 code = (((uint64_t)GUARD_TYPE_FD) << 61) |
290 (((uint64_t)gfp->gf_exc_code) << 32) |
291 ((uint64_t)gfp->gf_exc_fd);
292 subcode = gfp->gf_guard;
293 proc_fdunlock(p);
294
295 (void) task_exception_notify(EXC_GUARD, code, subcode);
296 psignal(p, SIGKILL);
297
298 return;
299 }
300 }
301 proc_fdunlock(p);
302 }
303
304 /*
305 * Experimental guarded file descriptor SPIs
306 */
307
308 /*
309 * int guarded_open_np(const char *pathname, int flags,
310 * const guardid_t *guard, u_int guardflags, ...);
311 *
312 * In this initial implementation, GUARD_DUP must be specified.
313 * GUARD_CLOSE, GUARD_SOCKET_IPC and GUARD_FILEPORT are optional.
314 *
315 * If GUARD_DUP wasn't specified, then we'd have to do the (extra) work
316 * to allow dup-ing a descriptor to inherit the guard onto the new
317 * descriptor. (Perhaps GUARD_DUP behaviours should just always be true
318 * for a guarded fd? Or, more sanely, all the dup operations should
319 * just always propagate the guard?)
320 *
321 * Guarded descriptors are always close-on-exec, and GUARD_CLOSE
322 * requires close-on-fork; O_CLOEXEC must be set in flags.
323 * This setting is immutable; attempts to clear the flag will
324 * cause a guard exception.
325 */
326 int
327 guarded_open_np(proc_t p, struct guarded_open_np_args *uap, int32_t *retval)
328 {
329 if ((uap->flags & O_CLOEXEC) == 0)
330 return (EINVAL);
331
332 #define GUARD_REQUIRED (GUARD_DUP)
333 #define GUARD_ALL (GUARD_REQUIRED | \
334 (GUARD_CLOSE | GUARD_SOCKET_IPC | GUARD_FILEPORT | GUARD_WRITE))
335
336 if (((uap->guardflags & GUARD_REQUIRED) != GUARD_REQUIRED) ||
337 ((uap->guardflags & ~GUARD_ALL) != 0))
338 return (EINVAL);
339
340 int error;
341 struct gfp_crarg crarg = {
342 .gca_attrs = uap->guardflags
343 };
344
345 if ((error = copyin(uap->guard,
346 &(crarg.gca_guard), sizeof (crarg.gca_guard))) != 0)
347 return (error);
348
349 /*
350 * Disallow certain guard values -- is zero enough?
351 */
352 if (crarg.gca_guard == 0)
353 return (EINVAL);
354
355 struct filedesc *fdp = p->p_fd;
356 struct vnode_attr va;
357 struct nameidata nd;
358 vfs_context_t ctx = vfs_context_current();
359 int cmode;
360
361 VATTR_INIT(&va);
362 cmode = ((uap->mode & ~fdp->fd_cmask) & ALLPERMS) & ~S_ISTXT;
363 VATTR_SET(&va, va_mode, cmode & ACCESSPERMS);
364
365 NDINIT(&nd, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_USERSPACE,
366 uap->path, ctx);
367
368 return (open1(ctx, &nd, uap->flags | O_CLOFORK, &va,
369 guarded_fileproc_alloc_init, &crarg, retval));
370 }
371
372 /*
373 * int guarded_open_dprotected_np(const char *pathname, int flags,
374 * const guardid_t *guard, u_int guardflags, int dpclass, int dpflags, ...);
375 *
376 * This SPI is extension of guarded_open_np() to include dataprotection class on creation
377 * in "dpclass" and dataprotection flags 'dpflags'. Otherwise behaviors are same as in
378 * guarded_open_np()
379 */
380 int
381 guarded_open_dprotected_np(proc_t p, struct guarded_open_dprotected_np_args *uap, int32_t *retval)
382 {
383 if ((uap->flags & O_CLOEXEC) == 0)
384 return (EINVAL);
385
386 #define GUARD_REQUIRED (GUARD_DUP)
387 #define GUARD_ALL (GUARD_REQUIRED | \
388 (GUARD_CLOSE | GUARD_SOCKET_IPC | GUARD_FILEPORT | GUARD_WRITE))
389
390 if (((uap->guardflags & GUARD_REQUIRED) != GUARD_REQUIRED) ||
391 ((uap->guardflags & ~GUARD_ALL) != 0))
392 return (EINVAL);
393
394 int error;
395 struct gfp_crarg crarg = {
396 .gca_attrs = uap->guardflags
397 };
398
399 if ((error = copyin(uap->guard,
400 &(crarg.gca_guard), sizeof (crarg.gca_guard))) != 0)
401 return (error);
402
403 /*
404 * Disallow certain guard values -- is zero enough?
405 */
406 if (crarg.gca_guard == 0)
407 return (EINVAL);
408
409 struct filedesc *fdp = p->p_fd;
410 struct vnode_attr va;
411 struct nameidata nd;
412 vfs_context_t ctx = vfs_context_current();
413 int cmode;
414
415 VATTR_INIT(&va);
416 cmode = ((uap->mode & ~fdp->fd_cmask) & ALLPERMS) & ~S_ISTXT;
417 VATTR_SET(&va, va_mode, cmode & ACCESSPERMS);
418
419 NDINIT(&nd, LOOKUP, OP_OPEN, FOLLOW | AUDITVNPATH1, UIO_USERSPACE,
420 uap->path, ctx);
421
422 /*
423 * Initialize the extra fields in vnode_attr to pass down dataprotection
424 * extra fields.
425 * 1. target cprotect class.
426 * 2. set a flag to mark it as requiring open-raw-encrypted semantics.
427 */
428 if (uap->flags & O_CREAT) {
429 VATTR_SET(&va, va_dataprotect_class, uap->dpclass);
430 }
431
432 if (uap->dpflags & O_DP_GETRAWENCRYPTED) {
433 if ( uap->flags & (O_RDWR | O_WRONLY)) {
434 /* Not allowed to write raw encrypted bytes */
435 return EINVAL;
436 }
437 VATTR_SET(&va, va_dataprotect_flags, VA_DP_RAWENCRYPTED);
438 }
439
440 return (open1(ctx, &nd, uap->flags | O_CLOFORK, &va,
441 guarded_fileproc_alloc_init, &crarg, retval));
442 }
443
444 /*
445 * int guarded_kqueue_np(const guardid_t *guard, u_int guardflags);
446 *
447 * Create a guarded kqueue descriptor with guardid and guardflags.
448 *
449 * Same restrictions on guardflags as for guarded_open_np().
450 * All kqueues are -always- close-on-exec and close-on-fork by themselves.
451 *
452 * XXX Is it ever sensible to allow a kqueue fd (guarded or not) to
453 * be sent to another process via a fileport or socket?
454 */
455 int
456 guarded_kqueue_np(proc_t p, struct guarded_kqueue_np_args *uap, int32_t *retval)
457 {
458 if (((uap->guardflags & GUARD_REQUIRED) != GUARD_REQUIRED) ||
459 ((uap->guardflags & ~GUARD_ALL) != 0))
460 return (EINVAL);
461
462 int error;
463 struct gfp_crarg crarg = {
464 .gca_attrs = uap->guardflags
465 };
466
467 if ((error = copyin(uap->guard,
468 &(crarg.gca_guard), sizeof (crarg.gca_guard))) != 0)
469 return (error);
470
471 if (crarg.gca_guard == 0)
472 return (EINVAL);
473
474 return (kqueue_body(p, guarded_fileproc_alloc_init, &crarg, retval));
475 }
476
477 /*
478 * int guarded_close_np(int fd, const guardid_t *guard);
479 */
480 int
481 guarded_close_np(proc_t p, struct guarded_close_np_args *uap,
482 __unused int32_t *retval)
483 {
484 struct guarded_fileproc *gfp;
485 int fd = uap->fd;
486 int error;
487 guardid_t uguard;
488
489 AUDIT_SYSCLOSE(p, fd);
490
491 if ((error = copyin(uap->guard, &uguard, sizeof (uguard))) != 0)
492 return (error);
493
494 proc_fdlock(p);
495 if ((error = fp_lookup_guarded(p, fd, uguard, &gfp)) != 0) {
496 proc_fdunlock(p);
497 return (error);
498 }
499 error = close_internal_locked(p, fd, GFP_TO_FP(gfp), 0);
500 proc_fdunlock(p);
501 return (error);
502 }
503
504 /*
505 * int
506 * change_fdguard_np(int fd, const guardid_t *guard, u_int guardflags,
507 * const guardid_t *nguard, u_int nguardflags, int *fdflagsp);
508 *
509 * Given a file descriptor, atomically exchange <guard, guardflags> for
510 * a new guard <nguard, nguardflags>, returning the previous fd
511 * flags (see fcntl:F_SETFD) in *fdflagsp.
512 *
513 * This syscall can be used to either (a) add a new guard to an existing
514 * unguarded file descriptor (b) remove the old guard from an existing
515 * guarded file descriptor or (c) change the guard (guardid and/or
516 * guardflags) on a guarded file descriptor.
517 *
518 * If 'guard' is NULL, fd must be unguarded at entry. If the call completes
519 * successfully the fd will be guarded with <nguard, nguardflags>.
520 *
521 * Guarding a file descriptor has some side-effects on the "fdflags"
522 * associated with the descriptor - in particular FD_CLOEXEC is
523 * forced ON unconditionally, and FD_CLOFORK is forced ON by GUARD_CLOSE.
524 * Callers who wish to subsequently restore the state of the fd should save
525 * the value of *fdflagsp after a successful invocation.
526 *
527 * If 'nguard' is NULL, fd must be guarded at entry, <guard, guardflags>
528 * must match with what's already guarding the descriptor, and the
529 * result will be to completely remove the guard. Note also that the
530 * fdflags are copied to the descriptor from the incoming *fdflagsp argument.
531 *
532 * If the descriptor is guarded, and neither 'guard' nor 'nguard' is NULL
533 * and <guard, guardflags> matches what's already guarding the descriptor,
534 * then <nguard, nguardflags> becomes the new guard. In this case, even if
535 * the GUARD_CLOSE flag is being cleared, it is still possible to continue
536 * to keep FD_CLOFORK on the descriptor by passing FD_CLOFORK via fdflagsp.
537 *
538 * Example 1: Guard an unguarded descriptor during a set of operations,
539 * then restore the original state of the descriptor.
540 *
541 * int sav_flags = 0;
542 * change_fdguard_np(fd, NULL, 0, &myguard, GUARD_CLOSE, &sav_flags);
543 * // do things with now guarded 'fd'
544 * change_fdguard_np(fd, &myguard, GUARD_CLOSE, NULL, 0, &sav_flags);
545 * // fd now unguarded.
546 *
547 * Example 2: Change the guard of a guarded descriptor during a set of
548 * operations, then restore the original state of the descriptor.
549 *
550 * int sav_flags = (gdflags & GUARD_CLOSE) ? FD_CLOFORK : 0;
551 * change_fdguard_np(fd, &gd, gdflags, &myguard, GUARD_CLOSE, &sav_flags);
552 * // do things with 'fd' with a different guard
553 * change_fdguard_np(fd, &myg, GUARD_CLOSE, &gd, gdflags, &sav_flags);
554 * // back to original guarded state
555 */
556
557 #define FDFLAGS_GET(p, fd) (*fdflags(p, fd) & (UF_EXCLOSE|UF_FORKCLOSE))
558 #define FDFLAGS_SET(p, fd, bits) \
559 (*fdflags(p, fd) |= ((bits) & (UF_EXCLOSE|UF_FORKCLOSE)))
560 #define FDFLAGS_CLR(p, fd, bits) \
561 (*fdflags(p, fd) &= ~((bits) & (UF_EXCLOSE|UF_FORKCLOSE)))
562
563 int
564 change_fdguard_np(proc_t p, struct change_fdguard_np_args *uap,
565 __unused int32_t *retval)
566 {
567 struct fileproc *fp;
568 int fd = uap->fd;
569 int error;
570 guardid_t oldg = 0, newg = 0;
571 int nfdflags = 0;
572
573 if (0 != uap->guard &&
574 0 != (error = copyin(uap->guard, &oldg, sizeof (oldg))))
575 return (error); /* can't copyin current guard */
576
577 if (0 != uap->nguard &&
578 0 != (error = copyin(uap->nguard, &newg, sizeof (newg))))
579 return (error); /* can't copyin new guard */
580
581 if (0 != uap->fdflagsp &&
582 0 != (error = copyin(uap->fdflagsp, &nfdflags, sizeof (nfdflags))))
583 return (error); /* can't copyin new fdflags */
584
585 proc_fdlock(p);
586 restart:
587 if ((error = fp_lookup(p, fd, &fp, 1)) != 0) {
588 proc_fdunlock(p);
589 return (error);
590 }
591
592 if (0 != uap->fdflagsp) {
593 int ofdflags = FDFLAGS_GET(p, fd);
594 int ofl = ((ofdflags & UF_EXCLOSE) ? FD_CLOEXEC : 0) |
595 ((ofdflags & UF_FORKCLOSE) ? FD_CLOFORK : 0);
596 proc_fdunlock(p);
597 if (0 != (error = copyout(&ofl, uap->fdflagsp, sizeof (ofl)))) {
598 proc_fdlock(p);
599 goto dropout; /* can't copyout old fdflags */
600 }
601 proc_fdlock(p);
602 }
603
604 if (FILEPROC_TYPE(fp) == FTYPE_GUARDED) {
605 if (0 == uap->guard || 0 == uap->guardflags)
606 error = EINVAL; /* missing guard! */
607 else if (0 == oldg)
608 error = EPERM; /* guardids cannot be zero */
609 } else {
610 if (0 != uap->guard || 0 != uap->guardflags)
611 error = EINVAL; /* guard provided, but none needed! */
612 }
613
614 if (0 != error)
615 goto dropout;
616
617 if (0 != uap->nguard) {
618 /*
619 * There's a new guard in town.
620 */
621 if (0 == newg)
622 error = EINVAL; /* guards cannot contain zero */
623 else if (0 == uap->nguardflags)
624 error = EINVAL; /* attributes cannot be zero */
625 else if (((uap->nguardflags & GUARD_REQUIRED) != GUARD_REQUIRED) ||
626 ((uap->guardflags & ~GUARD_ALL) != 0))
627 error = EINVAL; /* must have valid attributes too */
628
629 if (0 != error)
630 goto dropout;
631
632 if (FILEPROC_TYPE(fp) == FTYPE_GUARDED) {
633 /*
634 * Replace old guard with new guard
635 */
636 struct guarded_fileproc *gfp = FP_TO_GFP(fp);
637
638 if (GUARDED_FILEPROC_MAGIC != gfp->gf_magic)
639 panic("%s: corrupt gfp %p flags %x",
640 __func__, gfp, fp->f_flags);
641
642 if (oldg == gfp->gf_guard &&
643 uap->guardflags == gfp->gf_attrs) {
644 /*
645 * Must match existing guard + attributes
646 * before we'll swap them to new ones, managing
647 * fdflags "side-effects" as we go. Note that
648 * userland can request FD_CLOFORK semantics.
649 */
650 if (gfp->gf_attrs & GUARD_CLOSE)
651 FDFLAGS_CLR(p, fd, UF_FORKCLOSE);
652 gfp->gf_guard = newg;
653 gfp->gf_attrs = uap->nguardflags;
654 if (gfp->gf_attrs & GUARD_CLOSE)
655 FDFLAGS_SET(p, fd, UF_FORKCLOSE);
656 FDFLAGS_SET(p, fd,
657 (nfdflags & FD_CLOFORK) ? UF_FORKCLOSE : 0);
658 } else {
659 error = EPERM;
660 }
661 goto dropout;
662 } else {
663 /*
664 * Add a guard to a previously unguarded descriptor
665 */
666 switch (FILEGLOB_DTYPE(fp->f_fglob)) {
667 case DTYPE_VNODE:
668 case DTYPE_PIPE:
669 case DTYPE_SOCKET:
670 case DTYPE_KQUEUE:
671 break;
672 default:
673 error = ENOTSUP;
674 goto dropout;
675 }
676
677 proc_fdunlock(p);
678
679 struct gfp_crarg crarg = {
680 .gca_guard = newg,
681 .gca_attrs = uap->nguardflags
682 };
683 struct fileproc *nfp =
684 guarded_fileproc_alloc_init(&crarg);
685 struct guarded_fileproc *gfp;
686
687 proc_fdlock(p);
688
689 switch (error = fp_tryswap(p, fd, nfp)) {
690 case 0: /* guarded-ness comes with side-effects */
691 gfp = FP_TO_GFP(nfp);
692 if (gfp->gf_attrs & GUARD_CLOSE)
693 FDFLAGS_SET(p, fd, UF_FORKCLOSE);
694 FDFLAGS_SET(p, fd, UF_EXCLOSE);
695 (void) fp_drop(p, fd, nfp, 1);
696 fileproc_free(fp);
697 break;
698 case EKEEPLOOKING: /* f_iocount indicates a collision */
699 (void) fp_drop(p, fd, fp, 1);
700 fileproc_free(nfp);
701 goto restart;
702 default:
703 (void) fp_drop(p, fd, fp, 1);
704 fileproc_free(nfp);
705 break;
706 }
707 proc_fdunlock(p);
708 return (error);
709 }
710 } else {
711 /*
712 * No new guard.
713 */
714 if (FILEPROC_TYPE(fp) == FTYPE_GUARDED) {
715 /*
716 * Remove the guard altogether.
717 */
718 struct guarded_fileproc *gfp = FP_TO_GFP(fp);
719
720 if (0 != uap->nguardflags) {
721 error = EINVAL;
722 goto dropout;
723 }
724
725 if (GUARDED_FILEPROC_MAGIC != gfp->gf_magic)
726 panic("%s: corrupt gfp %p flags %x",
727 __func__, gfp, fp->f_flags);
728
729 if (oldg != gfp->gf_guard ||
730 uap->guardflags != gfp->gf_attrs) {
731 error = EPERM;
732 goto dropout;
733 }
734
735 proc_fdunlock(p);
736 struct fileproc *nfp = fileproc_alloc_init(NULL);
737 proc_fdlock(p);
738
739 switch (error = fp_tryswap(p, fd, nfp)) {
740 case 0: /* undo side-effects of guarded-ness */
741 FDFLAGS_CLR(p, fd, UF_FORKCLOSE | UF_EXCLOSE);
742 FDFLAGS_SET(p, fd,
743 (nfdflags & FD_CLOFORK) ? UF_FORKCLOSE : 0);
744 FDFLAGS_SET(p, fd,
745 (nfdflags & FD_CLOEXEC) ? UF_EXCLOSE : 0);
746 (void) fp_drop(p, fd, nfp, 1);
747 fileproc_free(fp);
748 break;
749 case EKEEPLOOKING: /* f_iocount indicates collision */
750 (void) fp_drop(p, fd, fp, 1);
751 fileproc_free(nfp);
752 goto restart;
753 default:
754 (void) fp_drop(p, fd, fp, 1);
755 fileproc_free(nfp);
756 break;
757 }
758 proc_fdunlock(p);
759 return (error);
760 } else {
761 /*
762 * Not already guarded, and no new guard?
763 */
764 error = EINVAL;
765 }
766 }
767
768 dropout:
769 (void) fp_drop(p, fd, fp, 1);
770 proc_fdunlock(p);
771 return (error);
772 }
773
774 /*
775 * user_ssize_t guarded_write_np(int fd, const guardid_t *guard,
776 * user_addr_t cbuf, user_ssize_t nbyte);
777 *
778 * Initial implementation of guarded writes.
779 */
780 int
781 guarded_write_np(struct proc *p, struct guarded_write_np_args *uap, user_ssize_t *retval)
782 {
783 int error;
784 int fd = uap->fd;
785 guardid_t uguard;
786 struct fileproc *fp;
787 struct guarded_fileproc *gfp;
788 bool wrote_some = false;
789
790 AUDIT_ARG(fd, fd);
791
792 if ((error = copyin(uap->guard, &uguard, sizeof (uguard))) != 0)
793 return (error);
794
795 error = fp_lookup_guarded(p, fd, uguard, &gfp);
796 if (error)
797 return(error);
798
799 fp = GFP_TO_FP(gfp);
800 if ((fp->f_flag & FWRITE) == 0) {
801 error = EBADF;
802 } else {
803
804 struct vfs_context context = *(vfs_context_current());
805 context.vc_ucred = fp->f_fglob->fg_cred;
806
807 error = dofilewrite(&context, fp, uap->cbuf, uap->nbyte,
808 (off_t)-1, 0, retval);
809 wrote_some = *retval > 0;
810 }
811 if (wrote_some)
812 fp_drop_written(p, fd, fp);
813 else
814 fp_drop(p, fd, fp, 0);
815 return(error);
816 }
817
818 /*
819 * user_ssize_t guarded_pwrite_np(int fd, const guardid_t *guard,
820 * user_addr_t buf, user_size_t nbyte, off_t offset);
821 *
822 * Initial implementation of guarded pwrites.
823 */
824 int
825 guarded_pwrite_np(struct proc *p, struct guarded_pwrite_np_args *uap, user_ssize_t *retval)
826 {
827 struct fileproc *fp;
828 int error;
829 int fd = uap->fd;
830 vnode_t vp = (vnode_t)0;
831 guardid_t uguard;
832 struct guarded_fileproc *gfp;
833 bool wrote_some = false;
834
835 AUDIT_ARG(fd, fd);
836
837 if ((error = copyin(uap->guard, &uguard, sizeof (uguard))) != 0)
838 return (error);
839
840 error = fp_lookup_guarded(p, fd, uguard, &gfp);
841 if (error)
842 return(error);
843
844 fp = GFP_TO_FP(gfp);
845 if ((fp->f_flag & FWRITE) == 0) {
846 error = EBADF;
847 } else {
848 struct vfs_context context = *vfs_context_current();
849 context.vc_ucred = fp->f_fglob->fg_cred;
850
851 if (fp->f_type != DTYPE_VNODE) {
852 error = ESPIPE;
853 goto errout;
854 }
855 vp = (vnode_t)fp->f_fglob->fg_data;
856 if (vnode_isfifo(vp)) {
857 error = ESPIPE;
858 goto errout;
859 }
860 if ((vp->v_flag & VISTTY)) {
861 error = ENXIO;
862 goto errout;
863 }
864 if (uap->offset == (off_t)-1) {
865 error = EINVAL;
866 goto errout;
867 }
868
869 error = dofilewrite(&context, fp, uap->buf, uap->nbyte,
870 uap->offset, FOF_OFFSET, retval);
871 wrote_some = *retval > 0;
872 }
873 errout:
874 if (wrote_some)
875 fp_drop_written(p, fd, fp);
876 else
877 fp_drop(p, fd, fp, 0);
878
879 KERNEL_DEBUG_CONSTANT((BSDDBG_CODE(DBG_BSD_SC_EXTENDED_INFO, SYS_guarded_pwrite_np) | DBG_FUNC_NONE),
880 uap->fd, uap->nbyte, (unsigned int)((uap->offset >> 32)), (unsigned int)(uap->offset), 0);
881
882 return(error);
883 }
884
885 /*
886 * user_ssize_t guarded_writev_np(int fd, const guardid_t *guard,
887 * struct iovec *iovp, u_int iovcnt);
888 *
889 * Initial implementation of guarded writev.
890 *
891 */
892 int
893 guarded_writev_np(struct proc *p, struct guarded_writev_np_args *uap, user_ssize_t *retval)
894 {
895 uio_t auio = NULL;
896 int error;
897 struct fileproc *fp;
898 struct user_iovec *iovp;
899 guardid_t uguard;
900 struct guarded_fileproc *gfp;
901 bool wrote_some = false;
902
903 AUDIT_ARG(fd, uap->fd);
904
905 /* Verify range bedfore calling uio_create() */
906 if (uap->iovcnt <= 0 || uap->iovcnt > UIO_MAXIOV)
907 return (EINVAL);
908
909 /* allocate a uio large enough to hold the number of iovecs passed */
910 auio = uio_create(uap->iovcnt, 0,
911 (IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32),
912 UIO_WRITE);
913
914 /* get location of iovecs within the uio. then copyin the iovecs from
915 * user space.
916 */
917 iovp = uio_iovsaddr(auio);
918 if (iovp == NULL) {
919 error = ENOMEM;
920 goto ExitThisRoutine;
921 }
922 error = copyin_user_iovec_array(uap->iovp,
923 IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32,
924 uap->iovcnt, iovp);
925 if (error) {
926 goto ExitThisRoutine;
927 }
928
929 /* finalize uio_t for use and do the IO
930 */
931 uio_calculateresid(auio);
932
933 if ((error = copyin(uap->guard, &uguard, sizeof (uguard))) != 0)
934 goto ExitThisRoutine;
935
936 error = fp_lookup_guarded(p, uap->fd, uguard, &gfp);
937 if (error)
938 goto ExitThisRoutine;
939
940 fp = GFP_TO_FP(gfp);
941 if ((fp->f_flag & FWRITE) == 0) {
942 error = EBADF;
943 } else {
944 error = wr_uio(p, fp, auio, retval);
945 wrote_some = *retval > 0;
946 }
947
948 if (wrote_some)
949 fp_drop_written(p, uap->fd, fp);
950 else
951 fp_drop(p, uap->fd, fp, 0);
952 ExitThisRoutine:
953 if (auio != NULL) {
954 uio_free(auio);
955 }
956 return (error);
957 }