]> git.saurik.com Git - apple/xnu.git/blob - bsd/net/necp.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-6153.81.5.tar.gz
[apple/xnu.git] / bsd / net / necp.c
1 /*
2 * Copyright (c) 2013-2019 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <string.h>
30 #include <sys/systm.h>
31 #include <sys/types.h>
32 #include <sys/queue.h>
33 #include <sys/malloc.h>
34 #include <libkern/OSMalloc.h>
35 #include <sys/kernel.h>
36 #include <sys/kern_control.h>
37 #include <sys/mbuf.h>
38 #include <sys/kpi_mbuf.h>
39 #include <sys/proc_uuid_policy.h>
40 #include <net/if.h>
41 #include <sys/domain.h>
42 #include <sys/protosw.h>
43 #include <sys/socket.h>
44 #include <sys/socketvar.h>
45 #include <sys/coalition.h>
46 #include <sys/ubc.h>
47 #include <sys/codesign.h>
48 #include <kern/cs_blobs.h>
49 #include <netinet/ip.h>
50 #include <netinet/ip6.h>
51 #include <netinet/tcp.h>
52 #include <netinet/tcp_var.h>
53 #include <netinet/tcp_cache.h>
54 #include <netinet/udp.h>
55 #include <netinet/in_pcb.h>
56 #include <netinet/in_tclass.h>
57 #include <netinet6/esp.h>
58 #include <net/flowhash.h>
59 #include <net/if_var.h>
60 #include <sys/kauth.h>
61 #include <sys/sysctl.h>
62 #include <sys/sysproto.h>
63 #include <sys/priv.h>
64 #include <sys/kern_event.h>
65 #include <sys/file_internal.h>
66 #include <IOKit/IOBSD.h>
67 #include <libkern/crypto/rand.h>
68 #include <corecrypto/cchmac.h>
69 #include <corecrypto/ccsha2.h>
70 #include <os/refcnt.h>
71 #include <net/network_agent.h>
72 #include <net/necp.h>
73
74 /*
75 * NECP - Network Extension Control Policy database
76 * ------------------------------------------------
77 * The goal of this module is to allow clients connecting via a
78 * policy file descriptor to create high-level policy sessions, which
79 * are ingested into low-level kernel policies that control and tag
80 * traffic at the application, socket, and IP layers.
81 *
82 * ------------------------------------------------
83 * Sessions
84 * ------------------------------------------------
85 * Each session owns a list of session policies, each of which can
86 * specify any combination of conditions and a single result. Each
87 * session also has a priority level (such as High, Default, or Low)
88 * which is requested by the client. Based on the requested level,
89 * a session order value is assigned to the session, which will be used
90 * to sort kernel policies generated by the session. The session client
91 * can specify the sub-order for each policy it creates which will be
92 * used to further sort the kernel policies.
93 *
94 * Policy fd --> 1 necp_session --> list of necp_session_policy structs
95 *
96 * ------------------------------------------------
97 * Kernel Policies
98 * ------------------------------------------------
99 * Whenever a session send the Apply command, its policies are ingested
100 * and generate kernel policies. There are two phases of kernel policy
101 * ingestion.
102 *
103 * 1. The session policy is parsed to create kernel policies at the socket
104 * and IP layers, when applicable. For example, a policy that requires
105 * all traffic from App1 to Pass will generate a socket kernel policy to
106 * match App1 and mark packets with ID1, and also an IP policy to match
107 * ID1 and let the packet pass. This is handled in necp_apply_policy. The
108 * resulting kernel policies are added to the global socket and IP layer
109 * policy lists.
110 * necp_session_policy --> necp_kernel_socket_policy and necp_kernel_ip_output_policy
111 * || ||
112 * \/ \/
113 * necp_kernel_socket_policies necp_kernel_ip_output_policies
114 *
115 * 2. Once the global lists of kernel policies have been filled out, each
116 * list is traversed to create optimized sub-lists ("Maps") which are used during
117 * data-path evaluation. IP policies are sent into necp_kernel_ip_output_policies_map,
118 * which hashes incoming packets based on marked socket-layer policies, and removes
119 * duplicate or overlapping policies. Socket policies are sent into two maps,
120 * necp_kernel_socket_policies_map and necp_kernel_socket_policies_app_layer_map.
121 * The app layer map is used for policy checks coming in from user space, and is one
122 * list with duplicate and overlapping policies removed. The socket map hashes based
123 * on app UUID, and removes duplicate and overlapping policies.
124 * necp_kernel_socket_policy --> necp_kernel_socket_policies_app_layer_map
125 * |-> necp_kernel_socket_policies_map
126 *
127 * necp_kernel_ip_output_policies --> necp_kernel_ip_output_policies_map
128 *
129 * ------------------------------------------------
130 * Drop All Level
131 * ------------------------------------------------
132 * The Drop All Level is a sysctl that controls the level at which policies are allowed
133 * to override a global drop rule. If the value is 0, no drop rule is applied. If the value
134 * is 1, all traffic is dropped. If the value is greater than 1, all kernel policies created
135 * by a session with a priority level better than (numerically less than) the
136 * Drop All Level will allow matching traffic to not be dropped. The Drop All Level is
137 * dynamically interpreted into necp_drop_all_order, which specifies the equivalent assigned
138 * session orders to be dropped.
139 */
140
141 u_int32_t necp_drop_all_order = 0;
142 u_int32_t necp_drop_all_level = 0;
143
144 u_int32_t necp_pass_loopback = 1; // 0=Off, 1=On
145 u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
146 u_int32_t necp_pass_interpose = 1; // 0=Off, 1=On
147
148 u_int32_t necp_drop_unentitled_order = 0;
149 #ifdef XNU_TARGET_OS_WATCH
150 u_int32_t necp_drop_unentitled_level = NECP_SESSION_PRIORITY_CONTROL + 1; // Block all unentitled traffic from policies below control level
151 #else // XNU_TARGET_OS_WATCH
152 u_int32_t necp_drop_unentitled_level = 0;
153 #endif // XNU_TARGET_OS_WATCH
154
155 u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
156
157 u_int32_t necp_session_count = 0;
158
159 #define LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do { \
160 if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) { \
161 LIST_INSERT_HEAD((head), elm, field); \
162 } else { \
163 LIST_FOREACH(tmpelm, head, field) { \
164 if (LIST_NEXT(tmpelm, field) == NULL || LIST_NEXT(tmpelm, field)->sortfield >= (elm)->sortfield) { \
165 LIST_INSERT_AFTER(tmpelm, elm, field); \
166 break; \
167 } \
168 } \
169 } \
170 } while (0)
171
172 #define LIST_INSERT_SORTED_TWICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, tmpelm) do { \
173 if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield))) { \
174 LIST_INSERT_HEAD((head), elm, field); \
175 } else { \
176 LIST_FOREACH(tmpelm, head, field) { \
177 if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield))) { \
178 LIST_INSERT_AFTER(tmpelm, elm, field); \
179 break; \
180 } \
181 } \
182 } \
183 } while (0)
184
185 #define LIST_INSERT_SORTED_THRICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, thirdsortfield, tmpelm) do { \
186 if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield == (elm)->secondsortfield) && (LIST_FIRST(head)->thirdsortfield >= (elm)->thirdsortfield))) { \
187 LIST_INSERT_HEAD((head), elm, field); \
188 } else { \
189 LIST_FOREACH(tmpelm, head, field) { \
190 if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield == (elm)->secondsortfield) && (LIST_NEXT(tmpelm, field)->thirdsortfield >= (elm)->thirdsortfield))) { \
191 LIST_INSERT_AFTER(tmpelm, elm, field); \
192 break; \
193 } \
194 } \
195 } \
196 } while (0)
197
198 #define IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(x) ((x) == NECP_ROUTE_RULE_DENY_INTERFACE || (x) == NECP_ROUTE_RULE_ALLOW_INTERFACE)
199
200 #define IS_NECP_DEST_IN_LOCAL_NETWORKS(rt) \
201 ((rt) != NULL && !((rt)->rt_flags & RTF_GATEWAY) && ((rt)->rt_ifa && (rt)->rt_ifa->ifa_ifp && !((rt)->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT)))
202
203 #define NECP_KERNEL_CONDITION_ALL_INTERFACES 0x000001
204 #define NECP_KERNEL_CONDITION_BOUND_INTERFACE 0x000002
205 #define NECP_KERNEL_CONDITION_PROTOCOL 0x000004
206 #define NECP_KERNEL_CONDITION_LOCAL_START 0x000008
207 #define NECP_KERNEL_CONDITION_LOCAL_END 0x000010
208 #define NECP_KERNEL_CONDITION_LOCAL_PREFIX 0x000020
209 #define NECP_KERNEL_CONDITION_REMOTE_START 0x000040
210 #define NECP_KERNEL_CONDITION_REMOTE_END 0x000080
211 #define NECP_KERNEL_CONDITION_REMOTE_PREFIX 0x000100
212 #define NECP_KERNEL_CONDITION_APP_ID 0x000200
213 #define NECP_KERNEL_CONDITION_REAL_APP_ID 0x000400
214 #define NECP_KERNEL_CONDITION_DOMAIN 0x000800
215 #define NECP_KERNEL_CONDITION_ACCOUNT_ID 0x001000
216 #define NECP_KERNEL_CONDITION_POLICY_ID 0x002000
217 #define NECP_KERNEL_CONDITION_PID 0x004000
218 #define NECP_KERNEL_CONDITION_UID 0x008000
219 #define NECP_KERNEL_CONDITION_LAST_INTERFACE 0x010000 // Only set from packets looping between interfaces
220 #define NECP_KERNEL_CONDITION_TRAFFIC_CLASS 0x020000
221 #define NECP_KERNEL_CONDITION_ENTITLEMENT 0x040000
222 #define NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT 0x080000
223 #define NECP_KERNEL_CONDITION_AGENT_TYPE 0x100000
224 #define NECP_KERNEL_CONDITION_HAS_CLIENT 0x200000
225 #define NECP_KERNEL_CONDITION_LOCAL_NETWORKS 0x400000
226 #define NECP_KERNEL_CONDITION_CLIENT_FLAGS 0x800000
227 #define NECP_KERNEL_CONDITION_LOCAL_EMPTY 0x1000000
228 #define NECP_KERNEL_CONDITION_REMOTE_EMPTY 0x2000000
229 #define NECP_KERNEL_CONDITION_PLATFORM_BINARY 0x4000000
230
231 #define NECP_MAX_POLICY_RESULT_SIZE 512
232 #define NECP_MAX_ROUTE_RULES_ARRAY_SIZE 1024
233 #define NECP_MAX_CONDITIONS_ARRAY_SIZE 4096
234 #define NECP_MAX_POLICY_LIST_COUNT 1024
235
236 // Cap the policy size at the max result + conditions size, with room for extra TLVs
237 #define NECP_MAX_POLICY_SIZE (1024 + NECP_MAX_POLICY_RESULT_SIZE + NECP_MAX_CONDITIONS_ARRAY_SIZE)
238
239 struct necp_service_registration {
240 LIST_ENTRY(necp_service_registration) session_chain;
241 LIST_ENTRY(necp_service_registration) kernel_chain;
242 u_int32_t service_id;
243 };
244
245 struct necp_session {
246 u_int8_t necp_fd_type;
247 u_int32_t control_unit;
248 u_int32_t session_priority; // Descriptive priority rating
249 u_int32_t session_order;
250
251 necp_policy_id last_policy_id;
252
253 decl_lck_mtx_data(, lock);
254
255 bool proc_locked; // Messages must come from proc_uuid
256 uuid_t proc_uuid;
257 int proc_pid;
258
259 bool dirty;
260 LIST_HEAD(_policies, necp_session_policy) policies;
261
262 LIST_HEAD(_services, necp_service_registration) services;
263
264 TAILQ_ENTRY(necp_session) chain;
265 };
266
267 #define NECP_SESSION_LOCK(_s) lck_mtx_lock(&_s->lock)
268 #define NECP_SESSION_UNLOCK(_s) lck_mtx_unlock(&_s->lock)
269
270 static TAILQ_HEAD(_necp_session_list, necp_session) necp_session_list;
271
272 struct necp_socket_info {
273 pid_t pid;
274 uid_t uid;
275 union necp_sockaddr_union local_addr;
276 union necp_sockaddr_union remote_addr;
277 u_int32_t bound_interface_index;
278 u_int32_t traffic_class;
279 u_int16_t protocol;
280 u_int32_t application_id;
281 u_int32_t real_application_id;
282 u_int32_t account_id;
283 u_int32_t drop_order;
284 u_int32_t client_flags;
285 char *domain;
286 errno_t cred_result;
287 unsigned has_client : 1;
288 unsigned is_platform_binary : 1;
289 unsigned __pad_bits : 6;
290 };
291
292 static lck_grp_attr_t *necp_kernel_policy_grp_attr = NULL;
293 static lck_attr_t *necp_kernel_policy_mtx_attr = NULL;
294 static lck_grp_t *necp_kernel_policy_mtx_grp = NULL;
295 decl_lck_rw_data(static, necp_kernel_policy_lock);
296
297 static lck_grp_attr_t *necp_route_rule_grp_attr = NULL;
298 static lck_attr_t *necp_route_rule_mtx_attr = NULL;
299 static lck_grp_t *necp_route_rule_mtx_grp = NULL;
300 decl_lck_rw_data(static, necp_route_rule_lock);
301
302 os_refgrp_decl(static, necp_refgrp, "NECPRefGroup", NULL);
303
304 /*
305 * On modification, invalidate cached lookups by bumping the generation count.
306 * Other calls will need to take the slowpath of taking
307 * the subsystem lock.
308 */
309 static volatile int32_t necp_kernel_socket_policies_gencount;
310 #define BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT() do { \
311 if (OSIncrementAtomic(&necp_kernel_socket_policies_gencount) == (INT32_MAX - 1)) { \
312 necp_kernel_socket_policies_gencount = 1; \
313 } \
314 } while (0)
315
316 /*
317 * Drop-all Bypass:
318 * Allow priviledged processes to bypass the default drop-all
319 * via entitlement check. For OSX, since entitlement check is
320 * not supported for configd, configd signing identity is checked
321 * instead.
322 */
323 #define SIGNING_ID_CONFIGD "com.apple.configd"
324 #define SIGNING_ID_CONFIGD_LEN (sizeof(SIGNING_ID_CONFIGD) - 1)
325
326 typedef enum {
327 NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE = 0,
328 NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE = 1,
329 NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE = 2,
330 } necp_drop_all_bypass_check_result_t;
331
332 static u_int32_t necp_kernel_application_policies_condition_mask;
333 static size_t necp_kernel_application_policies_count;
334 static u_int32_t necp_kernel_socket_policies_condition_mask;
335 static size_t necp_kernel_socket_policies_count;
336 static size_t necp_kernel_socket_policies_non_app_count;
337 static LIST_HEAD(_necpkernelsocketconnectpolicies, necp_kernel_socket_policy) necp_kernel_socket_policies;
338 #define NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS 5
339 #define NECP_SOCKET_MAP_APP_ID_TO_BUCKET(appid) (appid ? (appid%(NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS - 1) + 1) : 0)
340 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_map[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
341 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_app_layer_map;
342 /*
343 * A note on policy 'maps': these are used for boosting efficiency when matching policies. For each dimension of the map,
344 * such as an ID, the 0 bucket is reserved for sockets/packets that do not have this parameter, while the other
345 * buckets lead to an array of policy pointers that form the list applicable when the (parameter%(NUM_BUCKETS - 1) + 1) == bucket_index.
346 *
347 * For example, a packet with policy ID of 7, when there are 4 ID buckets, will map to bucket (7%3 + 1) = 2.
348 */
349
350 static u_int32_t necp_kernel_ip_output_policies_condition_mask;
351 static size_t necp_kernel_ip_output_policies_count;
352 static size_t necp_kernel_ip_output_policies_non_id_count;
353 static LIST_HEAD(_necpkernelipoutputpolicies, necp_kernel_ip_output_policy) necp_kernel_ip_output_policies;
354 #define NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS 5
355 #define NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(id) (id ? (id%(NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS - 1) + 1) : 0)
356 static struct necp_kernel_ip_output_policy **necp_kernel_ip_output_policies_map[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
357 static struct necp_kernel_socket_policy pass_policy =
358 {
359 .id = NECP_KERNEL_POLICY_ID_NO_MATCH,
360 .result = NECP_KERNEL_POLICY_RESULT_PASS,
361 };
362
363 static struct necp_session *necp_create_session(void);
364 static void necp_delete_session(struct necp_session *session);
365
366 static necp_policy_id necp_handle_policy_add(struct necp_session *session,
367 u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *error);
368 static int necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length);
369
370 #define MAX_RESULT_STRING_LEN 64
371 static inline const char * necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
372
373 static struct necp_session_policy *necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8_t *conditions_array, u_int32_t conditions_array_size, u_int8_t *route_rules_array, u_int32_t route_rules_array_size, u_int8_t *result, u_int32_t result_size);
374 static struct necp_session_policy *necp_policy_find(struct necp_session *session, necp_policy_id policy_id);
375 static bool necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy);
376 static bool necp_policy_mark_all_for_deletion(struct necp_session *session);
377 static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
378 static void necp_policy_apply_all(struct necp_session *session);
379
380 static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, u_int32_t cond_client_flags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
381 static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
382 static bool necp_kernel_socket_policies_reprocess(void);
383 static bool necp_kernel_socket_policies_update_uuid_table(void);
384 static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass);
385
386 static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
387 static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
388 static bool necp_kernel_ip_output_policies_reprocess(void);
389
390 static bool necp_is_addr_in_range(struct sockaddr *addr, struct sockaddr *range_start, struct sockaddr *range_end);
391 static bool necp_is_range_in_range(struct sockaddr *inner_range_start, struct sockaddr *inner_range_end, struct sockaddr *range_start, struct sockaddr *range_end);
392 static bool necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix);
393 static int necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port);
394 static bool necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits);
395 static bool necp_addr_is_empty(struct sockaddr *addr);
396 static bool necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet, u_int32_t bound_interface_index);
397 static bool necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet);
398
399 struct necp_uuid_id_mapping {
400 LIST_ENTRY(necp_uuid_id_mapping) chain;
401 uuid_t uuid;
402 u_int32_t id;
403 os_refcnt_t refcount;
404 u_int32_t table_usecount; // Add to UUID policy table count
405 };
406 static size_t necp_num_uuid_app_id_mappings;
407 static bool necp_uuid_app_id_mappings_dirty;
408 #define NECP_UUID_APP_ID_HASH_SIZE 64
409 static u_long necp_uuid_app_id_hash_mask;
410 static u_long necp_uuid_app_id_hash_num_buckets;
411 static LIST_HEAD(necp_uuid_id_mapping_head, necp_uuid_id_mapping) * necp_uuid_app_id_hashtbl, necp_uuid_service_id_list; // App map is real hash table, service map is just mapping
412 #define APPUUIDHASH(uuid) (&necp_uuid_app_id_hashtbl[uuid[0] & necp_uuid_app_id_hash_mask]) // Assume first byte of UUIDs are evenly distributed
413 static u_int32_t necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table);
414 static bool necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table);
415 static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id);
416
417 static struct necp_uuid_id_mapping *necp_uuid_lookup_service_id_locked(uuid_t uuid);
418 static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id);
419 static u_int32_t necp_create_uuid_service_id_mapping(uuid_t uuid);
420 static bool necp_remove_uuid_service_id_mapping(uuid_t uuid);
421
422 struct necp_string_id_mapping {
423 LIST_ENTRY(necp_string_id_mapping) chain;
424 char *string;
425 necp_app_id id;
426 os_refcnt_t refcount;
427 };
428 static LIST_HEAD(necp_string_id_mapping_list, necp_string_id_mapping) necp_account_id_list;
429 static u_int32_t necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
430 static bool necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
431 static struct necp_string_id_mapping *necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id);
432
433 static struct necp_kernel_socket_policy *necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id);
434 static struct necp_kernel_ip_output_policy *necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id);
435
436 static LIST_HEAD(_necp_kernel_service_list, necp_service_registration) necp_registered_service_list;
437
438 static char *necp_create_trimmed_domain(char *string, size_t length);
439 static inline int necp_count_dots(char *string, size_t length);
440
441 static char *necp_copy_string(char *string, size_t length);
442 static bool necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id);
443
444 #define ROUTE_RULE_IS_AGGREGATE(ruleid) (ruleid > UINT16_MAX)
445
446 #define MAX_ROUTE_RULE_INTERFACES 10
447 struct necp_route_rule {
448 LIST_ENTRY(necp_route_rule) chain;
449 u_int32_t id;
450 u_int32_t default_action;
451 u_int8_t cellular_action;
452 u_int8_t wifi_action;
453 u_int8_t wired_action;
454 u_int8_t expensive_action;
455 u_int8_t constrained_action;
456 u_int exception_if_indices[MAX_ROUTE_RULE_INTERFACES];
457 u_int8_t exception_if_actions[MAX_ROUTE_RULE_INTERFACES];
458 os_refcnt_t refcount;
459 };
460 static LIST_HEAD(necp_route_rule_list, necp_route_rule) necp_route_rules;
461 static u_int32_t necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size);
462 static bool necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id);
463 static bool necp_route_is_allowed(struct rtentry *route, ifnet_t interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied);
464 static struct necp_route_rule *necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id);
465 static inline void necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info);
466
467 #define MAX_AGGREGATE_ROUTE_RULES 16
468 struct necp_aggregate_route_rule {
469 LIST_ENTRY(necp_aggregate_route_rule) chain;
470 u_int32_t id;
471 u_int32_t rule_ids[MAX_AGGREGATE_ROUTE_RULES];
472 };
473 static LIST_HEAD(necp_aggregate_route_rule_list, necp_aggregate_route_rule) necp_aggregate_route_rules;
474 static u_int32_t necp_create_aggregate_route_rule(u_int32_t *rule_ids);
475
476 // Sysctl definitions
477 static int sysctl_handle_necp_level SYSCTL_HANDLER_ARGS;
478 static int sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS;
479
480 SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
481 SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
482 SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
483 SYSCTL_INT(_net_necp, NECPCTL_PASS_INTERPOSE, pass_interpose, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_interpose, 0, "");
484 SYSCTL_INT(_net_necp, NECPCTL_DEBUG, debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_debug, 0, "");
485 SYSCTL_PROC(_net_necp, NECPCTL_DROP_UNENTITLED_LEVEL, drop_unentitled_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_unentitled_level, 0, &sysctl_handle_necp_unentitled_level, "IU", "");
486 SYSCTL_PROC(_net_necp, NECPCTL_DROP_ALL_LEVEL, drop_all_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_all_level, 0, &sysctl_handle_necp_level, "IU", "");
487 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_POLICY_COUNT, socket_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_count, "");
488 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_NON_APP_POLICY_COUNT, socket_non_app_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_non_app_count, "");
489 SYSCTL_LONG(_net_necp, NECPCTL_IP_POLICY_COUNT, ip_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_ip_output_policies_count, "");
490 SYSCTL_INT(_net_necp, NECPCTL_SESSION_COUNT, session_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_session_count, 0, "");
491
492 static struct necp_drop_dest_policy necp_drop_dest_policy;
493 static int necp_drop_dest_debug = 0; // 0: off, 1: match, >1: every evaluation
494 SYSCTL_INT(_net_necp, OID_AUTO, drop_dest_debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_dest_debug, 0, "");
495
496 static int sysctl_handle_necp_drop_dest_level SYSCTL_HANDLER_ARGS;
497 SYSCTL_PROC(_net_necp, OID_AUTO, drop_dest_level, CTLTYPE_STRUCT | CTLFLAG_LOCKED | CTLFLAG_ANYBODY | CTLFLAG_RW,
498 0, 0, &sysctl_handle_necp_drop_dest_level, "S,necp_drop_dest_level", "");
499
500 static bool necp_address_matches_drop_dest_policy(union necp_sockaddr_union *, u_int32_t);
501
502 // Session order allocation
503 static u_int32_t
504 necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
505 {
506 u_int32_t new_order = 0;
507
508 // For now, just allocate 1000 orders for each priority
509 if (priority == NECP_SESSION_PRIORITY_UNKNOWN || priority > NECP_SESSION_NUM_PRIORITIES) {
510 priority = NECP_SESSION_PRIORITY_DEFAULT;
511 }
512
513 // Use the control unit to decide the offset into the priority list
514 new_order = (control_unit) + ((priority - 1) * 1000);
515
516 return new_order;
517 }
518
519 static inline u_int32_t
520 necp_get_first_order_for_priority(u_int32_t priority)
521 {
522 if (priority == 0) {
523 return 0;
524 }
525 return ((priority - 1) * 1000) + 1;
526 }
527
528 // Sysctl handler
529 static int
530 sysctl_handle_necp_level SYSCTL_HANDLER_ARGS
531 {
532 #pragma unused(arg1, arg2)
533 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
534 necp_drop_all_order = necp_get_first_order_for_priority(necp_drop_all_level);
535 return error;
536 }
537
538 static int
539 sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS
540 {
541 #pragma unused(arg1, arg2)
542 int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
543 necp_drop_unentitled_order = necp_get_first_order_for_priority(necp_drop_unentitled_level);
544 return error;
545 }
546
547 // Use a macro here to avoid computing the kauth_cred_t when necp_drop_unentitled_level is 0
548 static inline u_int32_t
549 _necp_process_drop_order_inner(kauth_cred_t cred)
550 {
551 if (priv_check_cred(cred, PRIV_NET_PRIVILEGED_CLIENT_ACCESS, 0) != 0 &&
552 priv_check_cred(cred, PRIV_NET_PRIVILEGED_SERVER_ACCESS, 0) != 0) {
553 return necp_drop_unentitled_order;
554 } else {
555 return 0;
556 }
557 }
558
559 #define necp_process_drop_order(_cred) (necp_drop_unentitled_order != 0 ? _necp_process_drop_order_inner(_cred) : necp_drop_unentitled_order)
560 #pragma GCC poison _necp_process_drop_order_inner
561
562 // Session fd
563
564 static int necp_session_op_close(struct fileglob *, vfs_context_t);
565
566 static const struct fileops necp_session_fd_ops = {
567 .fo_type = DTYPE_NETPOLICY,
568 .fo_read = fo_no_read,
569 .fo_write = fo_no_write,
570 .fo_ioctl = fo_no_ioctl,
571 .fo_select = fo_no_select,
572 .fo_close = necp_session_op_close,
573 .fo_drain = fo_no_drain,
574 .fo_kqfilter = fo_no_kqfilter,
575 };
576
577 static inline necp_drop_all_bypass_check_result_t
578 necp_check_drop_all_bypass_result(proc_t proc)
579 {
580 if (proc == NULL) {
581 proc = current_proc();
582 if (proc == NULL) {
583 return NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE;
584 }
585 }
586
587 #if defined(XNU_TARGET_OS_OSX)
588 const char *signing_id = NULL;
589 const bool isConfigd = (csproc_get_platform_binary(proc) &&
590 (signing_id = cs_identity_get(proc)) &&
591 (strlen(signing_id) == SIGNING_ID_CONFIGD_LEN) &&
592 (memcmp(signing_id, SIGNING_ID_CONFIGD, SIGNING_ID_CONFIGD_LEN) == 0));
593 if (isConfigd) {
594 return NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE;
595 }
596 #endif
597
598 const task_t task = proc_task(proc);
599 if (task == NULL || !IOTaskHasEntitlement(task, "com.apple.private.necp.drop_all_bypass")) {
600 return NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE;
601 } else {
602 return NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE;
603 }
604 }
605
606 int
607 necp_session_open(struct proc *p, struct necp_session_open_args *uap, int *retval)
608 {
609 #pragma unused(uap)
610 int error = 0;
611 struct necp_session *session = NULL;
612 struct fileproc *fp = NULL;
613 int fd = -1;
614
615 uid_t uid = kauth_cred_getuid(proc_ucred(p));
616 if (uid != 0 && priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0) != 0) {
617 NECPLOG0(LOG_ERR, "Process does not hold necessary entitlement to open NECP session");
618 error = EACCES;
619 goto done;
620 }
621
622 error = falloc(p, &fp, &fd, vfs_context_current());
623 if (error != 0) {
624 goto done;
625 }
626
627 session = necp_create_session();
628 if (session == NULL) {
629 error = ENOMEM;
630 goto done;
631 }
632
633 fp->f_fglob->fg_flag = 0;
634 fp->f_fglob->fg_ops = &necp_session_fd_ops;
635 fp->f_fglob->fg_data = session;
636
637 proc_fdlock(p);
638 FDFLAGS_SET(p, fd, (UF_EXCLOSE | UF_FORKCLOSE));
639 procfdtbl_releasefd(p, fd, NULL);
640 fp_drop(p, fd, fp, 1);
641 proc_fdunlock(p);
642
643 *retval = fd;
644 done:
645 if (error != 0) {
646 if (fp != NULL) {
647 fp_free(p, fd, fp);
648 fp = NULL;
649 }
650 }
651
652 return error;
653 }
654
655 static int
656 necp_session_op_close(struct fileglob *fg, vfs_context_t ctx)
657 {
658 #pragma unused(ctx)
659 struct necp_session *session = (struct necp_session *)fg->fg_data;
660 fg->fg_data = NULL;
661
662 if (session != NULL) {
663 necp_policy_mark_all_for_deletion(session);
664 necp_policy_apply_all(session);
665 necp_delete_session(session);
666 return 0;
667 } else {
668 return ENOENT;
669 }
670 }
671
672 static int
673 necp_session_find_from_fd(int fd, struct necp_session **session)
674 {
675 proc_t p = current_proc();
676 struct fileproc *fp = NULL;
677 int error = 0;
678
679 proc_fdlock_spin(p);
680 if ((error = fp_lookup(p, fd, &fp, 1)) != 0) {
681 goto done;
682 }
683 if (fp->f_fglob->fg_ops->fo_type != DTYPE_NETPOLICY) {
684 fp_drop(p, fd, fp, 1);
685 error = ENODEV;
686 goto done;
687 }
688 *session = (struct necp_session *)fp->f_fglob->fg_data;
689
690 if ((*session)->necp_fd_type != necp_fd_type_session) {
691 // Not a client fd, ignore
692 fp_drop(p, fd, fp, 1);
693 error = EINVAL;
694 goto done;
695 }
696
697 done:
698 proc_fdunlock(p);
699 return error;
700 }
701
702 static int
703 necp_session_add_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
704 {
705 int error = 0;
706 u_int8_t *tlv_buffer = NULL;
707
708 if (uap->in_buffer_length == 0 || uap->in_buffer_length > NECP_MAX_POLICY_SIZE || uap->in_buffer == 0) {
709 NECPLOG(LOG_ERR, "necp_session_add_policy invalid input (%zu)", uap->in_buffer_length);
710 error = EINVAL;
711 goto done;
712 }
713
714 if (uap->out_buffer_length < sizeof(necp_policy_id) || uap->out_buffer == 0) {
715 NECPLOG(LOG_ERR, "necp_session_add_policy invalid output buffer (%zu)", uap->out_buffer_length);
716 error = EINVAL;
717 goto done;
718 }
719
720 if ((tlv_buffer = _MALLOC(uap->in_buffer_length, M_NECP, M_WAITOK | M_ZERO)) == NULL) {
721 error = ENOMEM;
722 goto done;
723 }
724
725 error = copyin(uap->in_buffer, tlv_buffer, uap->in_buffer_length);
726 if (error != 0) {
727 NECPLOG(LOG_ERR, "necp_session_add_policy tlv copyin error (%d)", error);
728 goto done;
729 }
730
731 necp_policy_id new_policy_id = necp_handle_policy_add(session, tlv_buffer, uap->in_buffer_length, 0, &error);
732 if (error != 0) {
733 NECPLOG(LOG_ERR, "necp_session_add_policy failed to add policy (%d)", error);
734 goto done;
735 }
736
737 error = copyout(&new_policy_id, uap->out_buffer, sizeof(new_policy_id));
738 if (error != 0) {
739 NECPLOG(LOG_ERR, "necp_session_add_policy policy_id copyout error (%d)", error);
740 goto done;
741 }
742
743 done:
744 if (tlv_buffer != NULL) {
745 FREE(tlv_buffer, M_NECP);
746 tlv_buffer = NULL;
747 }
748 *retval = error;
749
750 return error;
751 }
752
753 static int
754 necp_session_get_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
755 {
756 int error = 0;
757 u_int8_t *response = NULL;
758
759 if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
760 NECPLOG(LOG_ERR, "necp_session_get_policy invalid input (%zu)", uap->in_buffer_length);
761 error = EINVAL;
762 goto done;
763 }
764
765 necp_policy_id policy_id = 0;
766 error = copyin(uap->in_buffer, &policy_id, sizeof(policy_id));
767 if (error != 0) {
768 NECPLOG(LOG_ERR, "necp_session_get_policy policy_id copyin error (%d)", error);
769 goto done;
770 }
771
772 struct necp_session_policy *policy = necp_policy_find(session, policy_id);
773 if (policy == NULL || policy->pending_deletion) {
774 NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
775 error = ENOENT;
776 goto done;
777 }
778
779 u_int32_t order_tlv_size = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_order);
780 u_int32_t result_tlv_size = (policy->result_size ? (sizeof(u_int8_t) + sizeof(u_int32_t) + policy->result_size) : 0);
781 u_int32_t response_size = order_tlv_size + result_tlv_size + policy->conditions_size;
782
783 if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
784 NECPLOG(LOG_ERR, "necp_session_get_policy buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
785 error = EINVAL;
786 goto done;
787 }
788
789 if (response_size > NECP_MAX_POLICY_SIZE) {
790 NECPLOG(LOG_ERR, "necp_session_get_policy size too large to copy (%u)", response_size);
791 error = EINVAL;
792 goto done;
793 }
794
795 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
796 if (response == NULL) {
797 error = ENOMEM;
798 goto done;
799 }
800
801 u_int8_t *cursor = response;
802 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, response, response_size);
803 if (result_tlv_size) {
804 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT, policy->result_size, &policy->result, response, response_size);
805 }
806 if (policy->conditions_size) {
807 memcpy(((u_int8_t *)(void *)(cursor)), policy->conditions, policy->conditions_size);
808 }
809
810 error = copyout(response, uap->out_buffer, response_size);
811 if (error != 0) {
812 NECPLOG(LOG_ERR, "necp_session_get_policy TLV copyout error (%d)", error);
813 goto done;
814 }
815
816 done:
817 if (response != NULL) {
818 FREE(response, M_NECP);
819 response = NULL;
820 }
821 *retval = error;
822
823 return error;
824 }
825
826 static int
827 necp_session_delete_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
828 {
829 int error = 0;
830
831 if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
832 NECPLOG(LOG_ERR, "necp_session_delete_policy invalid input (%zu)", uap->in_buffer_length);
833 error = EINVAL;
834 goto done;
835 }
836
837 necp_policy_id delete_policy_id = 0;
838 error = copyin(uap->in_buffer, &delete_policy_id, sizeof(delete_policy_id));
839 if (error != 0) {
840 NECPLOG(LOG_ERR, "necp_session_delete_policy policy_id copyin error (%d)", error);
841 goto done;
842 }
843
844 struct necp_session_policy *policy = necp_policy_find(session, delete_policy_id);
845 if (policy == NULL || policy->pending_deletion) {
846 NECPLOG(LOG_ERR, "necp_session_delete_policy failed to find policy with id %u", delete_policy_id);
847 error = ENOENT;
848 goto done;
849 }
850
851 necp_policy_mark_for_deletion(session, policy);
852 done:
853 *retval = error;
854 return error;
855 }
856
857 static int
858 necp_session_apply_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
859 {
860 #pragma unused(uap)
861 necp_policy_apply_all(session);
862 *retval = 0;
863 return 0;
864 }
865
866 static int
867 necp_session_list_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
868 {
869 u_int32_t tlv_size = (sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_id));
870 u_int32_t response_size = 0;
871 u_int8_t *response = NULL;
872 int num_policies = 0;
873 int cur_policy_index = 0;
874 int error = 0;
875 struct necp_session_policy *policy;
876
877 LIST_FOREACH(policy, &session->policies, chain) {
878 if (!policy->pending_deletion) {
879 num_policies++;
880 }
881 }
882
883 if (num_policies > NECP_MAX_POLICY_LIST_COUNT) {
884 NECPLOG(LOG_ERR, "necp_session_list_all size too large to copy (%u policies)", num_policies);
885 error = EINVAL;
886 goto done;
887 }
888
889 response_size = num_policies * tlv_size;
890 if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
891 NECPLOG(LOG_ERR, "necp_session_list_all buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
892 error = EINVAL;
893 goto done;
894 }
895
896 // Create a response with one Policy ID TLV for each policy
897 MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
898 if (response == NULL) {
899 error = ENOMEM;
900 goto done;
901 }
902
903 u_int8_t *cursor = response;
904 LIST_FOREACH(policy, &session->policies, chain) {
905 if (!policy->pending_deletion && cur_policy_index < num_policies) {
906 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(u_int32_t), &policy->local_id, response, response_size);
907 cur_policy_index++;
908 }
909 }
910
911 error = copyout(response, uap->out_buffer, response_size);
912 if (error != 0) {
913 NECPLOG(LOG_ERR, "necp_session_list_all TLV copyout error (%d)", error);
914 goto done;
915 }
916
917 done:
918 if (response != NULL) {
919 FREE(response, M_NECP);
920 response = NULL;
921 }
922 *retval = error;
923
924 return error;
925 }
926
927
928 static int
929 necp_session_delete_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
930 {
931 #pragma unused(uap)
932 necp_policy_mark_all_for_deletion(session);
933 *retval = 0;
934 return 0;
935 }
936
937 static int
938 necp_session_set_session_priority(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
939 {
940 int error = 0;
941 struct necp_session_policy *policy = NULL;
942 struct necp_session_policy *temp_policy = NULL;
943
944 if (uap->in_buffer_length < sizeof(necp_session_priority) || uap->in_buffer == 0) {
945 NECPLOG(LOG_ERR, "necp_session_set_session_priority invalid input (%zu)", uap->in_buffer_length);
946 error = EINVAL;
947 goto done;
948 }
949
950 necp_session_priority requested_session_priority = 0;
951 error = copyin(uap->in_buffer, &requested_session_priority, sizeof(requested_session_priority));
952 if (error != 0) {
953 NECPLOG(LOG_ERR, "necp_session_set_session_priority priority copyin error (%d)", error);
954 goto done;
955 }
956
957 // Enforce special session priorities with entitlements
958 if (requested_session_priority == NECP_SESSION_PRIORITY_CONTROL ||
959 requested_session_priority == NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL) {
960 errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
961 if (cred_result != 0) {
962 NECPLOG(LOG_ERR, "Session does not hold necessary entitlement to claim priority level %d", requested_session_priority);
963 error = EPERM;
964 goto done;
965 }
966 }
967
968 if (session->session_priority != requested_session_priority) {
969 session->session_priority = requested_session_priority;
970 session->session_order = necp_allocate_new_session_order(session->session_priority, session->control_unit);
971 session->dirty = TRUE;
972
973 // Mark all policies as needing updates
974 LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
975 policy->pending_update = TRUE;
976 }
977 }
978
979 done:
980 *retval = error;
981 return error;
982 }
983
984 static int
985 necp_session_lock_to_process(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
986 {
987 #pragma unused(uap)
988 session->proc_locked = TRUE;
989 *retval = 0;
990 return 0;
991 }
992
993 static int
994 necp_session_register_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
995 {
996 int error = 0;
997 struct necp_service_registration *new_service = NULL;
998
999 if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
1000 NECPLOG(LOG_ERR, "necp_session_register_service invalid input (%zu)", uap->in_buffer_length);
1001 error = EINVAL;
1002 goto done;
1003 }
1004
1005 uuid_t service_uuid;
1006 error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
1007 if (error != 0) {
1008 NECPLOG(LOG_ERR, "necp_session_register_service uuid copyin error (%d)", error);
1009 goto done;
1010 }
1011
1012 MALLOC(new_service, struct necp_service_registration *, sizeof(*new_service), M_NECP, M_WAITOK | M_ZERO);
1013 if (new_service == NULL) {
1014 NECPLOG0(LOG_ERR, "Failed to allocate service registration");
1015 error = ENOMEM;
1016 goto done;
1017 }
1018
1019 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1020 new_service->service_id = necp_create_uuid_service_id_mapping(service_uuid);
1021 LIST_INSERT_HEAD(&session->services, new_service, session_chain);
1022 LIST_INSERT_HEAD(&necp_registered_service_list, new_service, kernel_chain);
1023 lck_rw_done(&necp_kernel_policy_lock);
1024
1025 done:
1026 *retval = error;
1027 return error;
1028 }
1029
1030 static int
1031 necp_session_unregister_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
1032 {
1033 int error = 0;
1034 struct necp_service_registration *service = NULL;
1035 struct necp_service_registration *temp_service = NULL;
1036 struct necp_uuid_id_mapping *mapping = NULL;
1037
1038 if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
1039 NECPLOG(LOG_ERR, "necp_session_unregister_service invalid input (%zu)", uap->in_buffer_length);
1040 error = EINVAL;
1041 goto done;
1042 }
1043
1044 uuid_t service_uuid;
1045 error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
1046 if (error != 0) {
1047 NECPLOG(LOG_ERR, "necp_session_unregister_service uuid copyin error (%d)", error);
1048 goto done;
1049 }
1050
1051 // Remove all matching services for this session
1052 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1053 mapping = necp_uuid_lookup_service_id_locked(service_uuid);
1054 if (mapping != NULL) {
1055 LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
1056 if (service->service_id == mapping->id) {
1057 LIST_REMOVE(service, session_chain);
1058 LIST_REMOVE(service, kernel_chain);
1059 FREE(service, M_NECP);
1060 }
1061 }
1062 necp_remove_uuid_service_id_mapping(service_uuid);
1063 }
1064 lck_rw_done(&necp_kernel_policy_lock);
1065
1066 done:
1067 *retval = error;
1068 return error;
1069 }
1070
1071 static int
1072 necp_session_dump_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
1073 {
1074 #pragma unused(session)
1075 int error = 0;
1076
1077 if (uap->out_buffer_length == 0 || uap->out_buffer == 0) {
1078 NECPLOG(LOG_ERR, "necp_session_dump_all invalid output buffer (%zu)", uap->out_buffer_length);
1079 error = EINVAL;
1080 goto done;
1081 }
1082
1083 error = necp_handle_policy_dump_all(uap->out_buffer, uap->out_buffer_length);
1084 done:
1085 *retval = error;
1086 return error;
1087 }
1088
1089 int
1090 necp_session_action(struct proc *p, struct necp_session_action_args *uap, int *retval)
1091 {
1092 #pragma unused(p)
1093 int error = 0;
1094 int return_value = 0;
1095 struct necp_session *session = NULL;
1096 error = necp_session_find_from_fd(uap->necp_fd, &session);
1097 if (error != 0) {
1098 NECPLOG(LOG_ERR, "necp_session_action find fd error (%d)", error);
1099 return error;
1100 }
1101
1102 NECP_SESSION_LOCK(session);
1103
1104 if (session->proc_locked) {
1105 // Verify that the calling process is allowed to do actions
1106 uuid_t proc_uuid;
1107 proc_getexecutableuuid(current_proc(), proc_uuid, sizeof(proc_uuid));
1108 if (uuid_compare(proc_uuid, session->proc_uuid) != 0) {
1109 error = EPERM;
1110 goto done;
1111 }
1112 } else {
1113 // If not locked, update the proc_uuid and proc_pid of the session
1114 proc_getexecutableuuid(current_proc(), session->proc_uuid, sizeof(session->proc_uuid));
1115 session->proc_pid = proc_pid(current_proc());
1116 }
1117
1118 u_int32_t action = uap->action;
1119 switch (action) {
1120 case NECP_SESSION_ACTION_POLICY_ADD: {
1121 return_value = necp_session_add_policy(session, uap, retval);
1122 break;
1123 }
1124 case NECP_SESSION_ACTION_POLICY_GET: {
1125 return_value = necp_session_get_policy(session, uap, retval);
1126 break;
1127 }
1128 case NECP_SESSION_ACTION_POLICY_DELETE: {
1129 return_value = necp_session_delete_policy(session, uap, retval);
1130 break;
1131 }
1132 case NECP_SESSION_ACTION_POLICY_APPLY_ALL: {
1133 return_value = necp_session_apply_all(session, uap, retval);
1134 break;
1135 }
1136 case NECP_SESSION_ACTION_POLICY_LIST_ALL: {
1137 return_value = necp_session_list_all(session, uap, retval);
1138 break;
1139 }
1140 case NECP_SESSION_ACTION_POLICY_DELETE_ALL: {
1141 return_value = necp_session_delete_all(session, uap, retval);
1142 break;
1143 }
1144 case NECP_SESSION_ACTION_SET_SESSION_PRIORITY: {
1145 return_value = necp_session_set_session_priority(session, uap, retval);
1146 break;
1147 }
1148 case NECP_SESSION_ACTION_LOCK_SESSION_TO_PROC: {
1149 return_value = necp_session_lock_to_process(session, uap, retval);
1150 break;
1151 }
1152 case NECP_SESSION_ACTION_REGISTER_SERVICE: {
1153 return_value = necp_session_register_service(session, uap, retval);
1154 break;
1155 }
1156 case NECP_SESSION_ACTION_UNREGISTER_SERVICE: {
1157 return_value = necp_session_unregister_service(session, uap, retval);
1158 break;
1159 }
1160 case NECP_SESSION_ACTION_POLICY_DUMP_ALL: {
1161 return_value = necp_session_dump_all(session, uap, retval);
1162 break;
1163 }
1164 default: {
1165 NECPLOG(LOG_ERR, "necp_session_action unknown action (%u)", action);
1166 return_value = EINVAL;
1167 break;
1168 }
1169 }
1170
1171 done:
1172 NECP_SESSION_UNLOCK(session);
1173 file_drop(uap->necp_fd);
1174
1175 return return_value;
1176 }
1177
1178 struct necp_resolver_key_state {
1179 const struct ccdigest_info *digest_info;
1180 uint8_t key[CCSHA256_OUTPUT_SIZE];
1181 };
1182 static struct necp_resolver_key_state s_necp_resolver_key_state;
1183
1184 static void
1185 necp_generate_resolver_key(void)
1186 {
1187 s_necp_resolver_key_state.digest_info = ccsha256_di();
1188 cc_rand_generate(s_necp_resolver_key_state.key, sizeof(s_necp_resolver_key_state.key));
1189 }
1190
1191 static void
1192 necp_sign_update_context(const struct ccdigest_info *di,
1193 cchmac_ctx_t ctx,
1194 uuid_t client_id,
1195 u_int8_t *query,
1196 u_int32_t query_length,
1197 u_int8_t *answer,
1198 u_int32_t answer_length)
1199 {
1200 const uint8_t context[32] = {[0 ... 31] = 0x20}; // 0x20 repeated 32 times
1201 const char *context_string = "NECP Resolver Binder";
1202 uint8_t separator = 0;
1203 cchmac_update(di, ctx, sizeof(context), context);
1204 cchmac_update(di, ctx, strlen(context_string), context_string);
1205 cchmac_update(di, ctx, sizeof(separator), &separator);
1206 cchmac_update(di, ctx, sizeof(uuid_t), client_id);
1207 cchmac_update(di, ctx, sizeof(query_length), &query_length);
1208 cchmac_update(di, ctx, query_length, query);
1209 cchmac_update(di, ctx, sizeof(answer_length), &answer_length);
1210 cchmac_update(di, ctx, answer_length, answer);
1211 }
1212
1213 int
1214 necp_sign_resolver_answer(uuid_t client_id, u_int8_t *query, u_int32_t query_length,
1215 u_int8_t *answer, u_int32_t answer_length,
1216 u_int8_t *tag, u_int32_t *out_tag_length)
1217 {
1218 if (s_necp_resolver_key_state.digest_info == NULL) {
1219 return EINVAL;
1220 }
1221
1222 if (query == NULL ||
1223 query_length == 0 ||
1224 answer == NULL ||
1225 answer_length == 0 ||
1226 tag == NULL ||
1227 out_tag_length == NULL) {
1228 return EINVAL;
1229 }
1230
1231 size_t required_tag_length = s_necp_resolver_key_state.digest_info->output_size;
1232 if (*out_tag_length < required_tag_length) {
1233 return ERANGE;
1234 }
1235
1236 *out_tag_length = required_tag_length;
1237
1238 cchmac_ctx_decl(s_necp_resolver_key_state.digest_info->state_size,
1239 s_necp_resolver_key_state.digest_info->block_size, ctx);
1240 cchmac_init(s_necp_resolver_key_state.digest_info, ctx,
1241 sizeof(s_necp_resolver_key_state.key),
1242 s_necp_resolver_key_state.key);
1243 necp_sign_update_context(s_necp_resolver_key_state.digest_info,
1244 ctx, client_id, query, query_length,
1245 answer, answer_length);
1246 cchmac_final(s_necp_resolver_key_state.digest_info, ctx, tag);
1247
1248 return 0;
1249 }
1250
1251 bool
1252 necp_validate_resolver_answer(uuid_t client_id, u_int8_t *query, u_int32_t query_length,
1253 u_int8_t *answer, u_int32_t answer_length,
1254 u_int8_t *tag, u_int32_t tag_length)
1255 {
1256 if (s_necp_resolver_key_state.digest_info == NULL) {
1257 return false;
1258 }
1259
1260 if (query == NULL ||
1261 query_length == 0 ||
1262 answer == NULL ||
1263 answer_length == 0 ||
1264 tag == NULL ||
1265 tag_length == 0) {
1266 return false;
1267 }
1268
1269 size_t required_tag_length = s_necp_resolver_key_state.digest_info->output_size;
1270 if (tag_length != required_tag_length) {
1271 return false;
1272 }
1273
1274 uint8_t actual_tag[required_tag_length];
1275
1276 cchmac_ctx_decl(s_necp_resolver_key_state.digest_info->state_size,
1277 s_necp_resolver_key_state.digest_info->block_size, ctx);
1278 cchmac_init(s_necp_resolver_key_state.digest_info, ctx,
1279 sizeof(s_necp_resolver_key_state.key),
1280 s_necp_resolver_key_state.key);
1281 necp_sign_update_context(s_necp_resolver_key_state.digest_info,
1282 ctx, client_id, query, query_length,
1283 answer, answer_length);
1284 cchmac_final(s_necp_resolver_key_state.digest_info, ctx, actual_tag);
1285
1286 return cc_cmp_safe(s_necp_resolver_key_state.digest_info->output_size, tag, actual_tag) == 0;
1287 }
1288
1289 errno_t
1290 necp_init(void)
1291 {
1292 errno_t result = 0;
1293
1294 necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
1295 if (necp_kernel_policy_grp_attr == NULL) {
1296 NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
1297 result = ENOMEM;
1298 goto done;
1299 }
1300
1301 necp_kernel_policy_mtx_grp = lck_grp_alloc_init(NECP_CONTROL_NAME, necp_kernel_policy_grp_attr);
1302 if (necp_kernel_policy_mtx_grp == NULL) {
1303 NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
1304 result = ENOMEM;
1305 goto done;
1306 }
1307
1308 necp_kernel_policy_mtx_attr = lck_attr_alloc_init();
1309 if (necp_kernel_policy_mtx_attr == NULL) {
1310 NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
1311 result = ENOMEM;
1312 goto done;
1313 }
1314
1315 lck_rw_init(&necp_kernel_policy_lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
1316
1317 necp_route_rule_grp_attr = lck_grp_attr_alloc_init();
1318 if (necp_route_rule_grp_attr == NULL) {
1319 NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
1320 result = ENOMEM;
1321 goto done;
1322 }
1323
1324 necp_route_rule_mtx_grp = lck_grp_alloc_init("necp_route_rule", necp_route_rule_grp_attr);
1325 if (necp_route_rule_mtx_grp == NULL) {
1326 NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
1327 result = ENOMEM;
1328 goto done;
1329 }
1330
1331 necp_route_rule_mtx_attr = lck_attr_alloc_init();
1332 if (necp_route_rule_mtx_attr == NULL) {
1333 NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
1334 result = ENOMEM;
1335 goto done;
1336 }
1337
1338 lck_rw_init(&necp_route_rule_lock, necp_route_rule_mtx_grp, necp_route_rule_mtx_attr);
1339
1340 necp_client_init();
1341
1342 TAILQ_INIT(&necp_session_list);
1343
1344 LIST_INIT(&necp_kernel_socket_policies);
1345 LIST_INIT(&necp_kernel_ip_output_policies);
1346
1347 LIST_INIT(&necp_account_id_list);
1348
1349 LIST_INIT(&necp_uuid_service_id_list);
1350
1351 LIST_INIT(&necp_registered_service_list);
1352
1353 LIST_INIT(&necp_route_rules);
1354 LIST_INIT(&necp_aggregate_route_rules);
1355
1356 necp_generate_resolver_key();
1357
1358 necp_uuid_app_id_hashtbl = hashinit(NECP_UUID_APP_ID_HASH_SIZE, M_NECP, &necp_uuid_app_id_hash_mask);
1359 necp_uuid_app_id_hash_num_buckets = necp_uuid_app_id_hash_mask + 1;
1360 necp_num_uuid_app_id_mappings = 0;
1361 necp_uuid_app_id_mappings_dirty = FALSE;
1362
1363 necp_kernel_application_policies_condition_mask = 0;
1364 necp_kernel_socket_policies_condition_mask = 0;
1365 necp_kernel_ip_output_policies_condition_mask = 0;
1366
1367 necp_kernel_application_policies_count = 0;
1368 necp_kernel_socket_policies_count = 0;
1369 necp_kernel_socket_policies_non_app_count = 0;
1370 necp_kernel_ip_output_policies_count = 0;
1371 necp_kernel_ip_output_policies_non_id_count = 0;
1372
1373 necp_kernel_socket_policies_gencount = 1;
1374
1375 memset(&necp_kernel_socket_policies_map, 0, sizeof(necp_kernel_socket_policies_map));
1376 memset(&necp_kernel_ip_output_policies_map, 0, sizeof(necp_kernel_ip_output_policies_map));
1377 necp_kernel_socket_policies_app_layer_map = NULL;
1378
1379 necp_drop_unentitled_order = necp_get_first_order_for_priority(necp_drop_unentitled_level);
1380
1381 done:
1382 if (result != 0) {
1383 if (necp_kernel_policy_mtx_attr != NULL) {
1384 lck_attr_free(necp_kernel_policy_mtx_attr);
1385 necp_kernel_policy_mtx_attr = NULL;
1386 }
1387 if (necp_kernel_policy_mtx_grp != NULL) {
1388 lck_grp_free(necp_kernel_policy_mtx_grp);
1389 necp_kernel_policy_mtx_grp = NULL;
1390 }
1391 if (necp_kernel_policy_grp_attr != NULL) {
1392 lck_grp_attr_free(necp_kernel_policy_grp_attr);
1393 necp_kernel_policy_grp_attr = NULL;
1394 }
1395 if (necp_route_rule_mtx_attr != NULL) {
1396 lck_attr_free(necp_route_rule_mtx_attr);
1397 necp_route_rule_mtx_attr = NULL;
1398 }
1399 if (necp_route_rule_mtx_grp != NULL) {
1400 lck_grp_free(necp_route_rule_mtx_grp);
1401 necp_route_rule_mtx_grp = NULL;
1402 }
1403 if (necp_route_rule_grp_attr != NULL) {
1404 lck_grp_attr_free(necp_route_rule_grp_attr);
1405 necp_route_rule_grp_attr = NULL;
1406 }
1407 }
1408 return result;
1409 }
1410
1411 static void
1412 necp_post_change_event(struct kev_necp_policies_changed_data *necp_event_data)
1413 {
1414 struct kev_msg ev_msg;
1415 memset(&ev_msg, 0, sizeof(ev_msg));
1416
1417 ev_msg.vendor_code = KEV_VENDOR_APPLE;
1418 ev_msg.kev_class = KEV_NETWORK_CLASS;
1419 ev_msg.kev_subclass = KEV_NECP_SUBCLASS;
1420 ev_msg.event_code = KEV_NECP_POLICIES_CHANGED;
1421
1422 ev_msg.dv[0].data_ptr = necp_event_data;
1423 ev_msg.dv[0].data_length = sizeof(necp_event_data->changed_count);
1424 ev_msg.dv[1].data_length = 0;
1425
1426 kev_post_msg(&ev_msg);
1427 }
1428
1429 static inline bool
1430 necp_buffer_write_tlv_validate(u_int8_t *cursor, u_int8_t type, u_int32_t length,
1431 u_int8_t *buffer, u_int32_t buffer_length)
1432 {
1433 if (cursor < buffer || (uintptr_t)(cursor - buffer) > buffer_length) {
1434 NECPLOG0(LOG_ERR, "Cannot write TLV in buffer (invalid cursor)");
1435 return false;
1436 }
1437 u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
1438 if (next_tlv <= buffer || // make sure the next TLV start doesn't overflow
1439 (uintptr_t)(next_tlv - buffer) > buffer_length) { // make sure the next TLV has enough room in buffer
1440 NECPLOG(LOG_ERR, "Cannot write TLV in buffer (TLV length %u, buffer length %u)",
1441 length, buffer_length);
1442 return false;
1443 }
1444 return true;
1445 }
1446
1447 u_int8_t *
1448 necp_buffer_write_tlv_if_different(u_int8_t *cursor, u_int8_t type,
1449 u_int32_t length, const void *value, bool *updated,
1450 u_int8_t *buffer, u_int32_t buffer_length)
1451 {
1452 if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
1453 // If we can't fit this TLV, return the current cursor
1454 return cursor;
1455 }
1456 u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
1457 if (*updated || *(u_int8_t *)(cursor) != type) {
1458 *(u_int8_t *)(cursor) = type;
1459 *updated = TRUE;
1460 }
1461 if (*updated || *(u_int32_t *)(void *)(cursor + sizeof(type)) != length) {
1462 *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
1463 *updated = TRUE;
1464 }
1465 if (length > 0) {
1466 if (*updated || memcmp((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length) != 0) {
1467 memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
1468 *updated = TRUE;
1469 }
1470 }
1471 return next_tlv;
1472 }
1473
1474 u_int8_t *
1475 necp_buffer_write_tlv(u_int8_t *cursor, u_int8_t type,
1476 u_int32_t length, const void *value,
1477 u_int8_t *buffer, u_int32_t buffer_length)
1478 {
1479 if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
1480 return NULL;
1481 }
1482 u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
1483 *(u_int8_t *)(cursor) = type;
1484 *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
1485 if (length > 0) {
1486 memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
1487 }
1488
1489 return next_tlv;
1490 }
1491
1492 u_int8_t
1493 necp_buffer_get_tlv_type(u_int8_t *buffer, int tlv_offset)
1494 {
1495 u_int8_t *type = NULL;
1496
1497 if (buffer == NULL) {
1498 return 0;
1499 }
1500
1501 type = (u_int8_t *)((u_int8_t *)buffer + tlv_offset);
1502 return type ? *type : 0;
1503 }
1504
1505 u_int32_t
1506 necp_buffer_get_tlv_length(u_int8_t *buffer, int tlv_offset)
1507 {
1508 u_int32_t *length = NULL;
1509
1510 if (buffer == NULL) {
1511 return 0;
1512 }
1513
1514 length = (u_int32_t *)(void *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t));
1515 return length ? *length : 0;
1516 }
1517
1518 u_int8_t *
1519 necp_buffer_get_tlv_value(u_int8_t *buffer, int tlv_offset, u_int32_t *value_size)
1520 {
1521 u_int8_t *value = NULL;
1522 u_int32_t length = necp_buffer_get_tlv_length(buffer, tlv_offset);
1523 if (length == 0) {
1524 return value;
1525 }
1526
1527 if (value_size) {
1528 *value_size = length;
1529 }
1530
1531 value = (u_int8_t *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
1532 return value;
1533 }
1534
1535 int
1536 necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int *err, int next)
1537 {
1538 if (err != NULL) {
1539 *err = ENOENT;
1540 }
1541 if (offset < 0) {
1542 if (err != NULL) {
1543 *err = EINVAL;
1544 }
1545 return -1;
1546 }
1547 int cursor = offset;
1548 int next_cursor;
1549 u_int32_t curr_length;
1550 u_int8_t curr_type;
1551
1552 while (TRUE) {
1553 if ((((u_int32_t)cursor) + sizeof(curr_type) + sizeof(curr_length)) > buffer_length) {
1554 return -1;
1555 }
1556 if (!next) {
1557 curr_type = necp_buffer_get_tlv_type(buffer, cursor);
1558 } else {
1559 next = 0;
1560 curr_type = NECP_TLV_NIL;
1561 }
1562 curr_length = necp_buffer_get_tlv_length(buffer, cursor);
1563 if (curr_length > buffer_length - ((u_int32_t)cursor + sizeof(curr_type) + sizeof(curr_length))) {
1564 return -1;
1565 }
1566
1567 next_cursor = (cursor + sizeof(curr_type) + sizeof(curr_length) + curr_length);
1568 if (curr_type == type) {
1569 // check if entire TLV fits inside buffer
1570 if (((u_int32_t)next_cursor) <= buffer_length) {
1571 if (err != NULL) {
1572 *err = 0;
1573 }
1574 return cursor;
1575 } else {
1576 return -1;
1577 }
1578 }
1579 cursor = next_cursor;
1580 }
1581 }
1582
1583 static int
1584 necp_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int *err, int next)
1585 {
1586 int cursor = -1;
1587 if (buffer != NULL) {
1588 cursor = necp_buffer_find_tlv(buffer, buffer_length, offset, type, err, next);
1589 }
1590 return cursor;
1591 }
1592
1593 static int
1594 necp_get_tlv_at_offset(u_int8_t *buffer, u_int32_t buffer_length,
1595 int tlv_offset, u_int32_t out_buffer_length, void *out_buffer, u_int32_t *value_size)
1596 {
1597 if (buffer == NULL) {
1598 NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset buffer is NULL");
1599 return EINVAL;
1600 }
1601
1602 // Handle buffer parsing
1603
1604 // Validate that buffer has enough room for any TLV
1605 if (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) > buffer_length) {
1606 NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV (%u < %u)",
1607 buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
1608 return EINVAL;
1609 }
1610
1611 // Validate that buffer has enough room for this TLV
1612 u_int32_t tlv_length = necp_buffer_get_tlv_length(buffer, tlv_offset);
1613 if (tlv_length > buffer_length - (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t))) {
1614 NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV of length %u (%u < %u)",
1615 tlv_length, buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) + tlv_length);
1616 return EINVAL;
1617 }
1618
1619 if (out_buffer != NULL && out_buffer_length > 0) {
1620 // Validate that out buffer is large enough for value
1621 if (out_buffer_length < tlv_length) {
1622 NECPLOG(LOG_ERR, "necp_get_tlv_at_offset out_buffer_length is too small for TLV value (%u < %u)",
1623 out_buffer_length, tlv_length);
1624 return EINVAL;
1625 }
1626
1627 // Get value pointer
1628 u_int8_t *tlv_value = necp_buffer_get_tlv_value(buffer, tlv_offset, NULL);
1629 if (tlv_value == NULL) {
1630 NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset tlv_value is NULL");
1631 return ENOENT;
1632 }
1633
1634 // Copy value
1635 memcpy(out_buffer, tlv_value, tlv_length);
1636 }
1637
1638 // Copy out length
1639 if (value_size != NULL) {
1640 *value_size = tlv_length;
1641 }
1642
1643 return 0;
1644 }
1645
1646 static int
1647 necp_get_tlv(u_int8_t *buffer, u_int32_t buffer_length,
1648 int offset, u_int8_t type, u_int32_t buff_len, void *buff, u_int32_t *value_size)
1649 {
1650 int error = 0;
1651
1652 int tlv_offset = necp_find_tlv(buffer, buffer_length, offset, type, &error, 0);
1653 if (tlv_offset < 0) {
1654 return error;
1655 }
1656
1657 return necp_get_tlv_at_offset(buffer, buffer_length, tlv_offset, buff_len, buff, value_size);
1658 }
1659
1660 // Session Management
1661
1662 static struct necp_session *
1663 necp_create_session(void)
1664 {
1665 struct necp_session *new_session = NULL;
1666
1667 MALLOC(new_session, struct necp_session *, sizeof(*new_session), M_NECP, M_WAITOK | M_ZERO);
1668 if (new_session == NULL) {
1669 goto done;
1670 }
1671
1672 new_session->necp_fd_type = necp_fd_type_session;
1673 new_session->session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
1674 new_session->dirty = FALSE;
1675 LIST_INIT(&new_session->policies);
1676 lck_mtx_init(&new_session->lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
1677
1678 // Take the lock
1679 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1680
1681 // Find the next available control unit
1682 u_int32_t control_unit = 1;
1683 struct necp_session *next_session = NULL;
1684 TAILQ_FOREACH(next_session, &necp_session_list, chain) {
1685 if (next_session->control_unit > control_unit) {
1686 // Found a gap, grab this control unit
1687 break;
1688 }
1689
1690 // Try the next control unit, loop around
1691 control_unit = next_session->control_unit + 1;
1692 }
1693
1694 new_session->control_unit = control_unit;
1695 new_session->session_order = necp_allocate_new_session_order(new_session->session_priority, control_unit);
1696
1697 if (next_session != NULL) {
1698 TAILQ_INSERT_BEFORE(next_session, new_session, chain);
1699 } else {
1700 TAILQ_INSERT_TAIL(&necp_session_list, new_session, chain);
1701 }
1702
1703 necp_session_count++;
1704 lck_rw_done(&necp_kernel_policy_lock);
1705
1706 if (necp_debug) {
1707 NECPLOG(LOG_DEBUG, "Created NECP session, control unit %d", control_unit);
1708 }
1709
1710 done:
1711 return new_session;
1712 }
1713
1714 static void
1715 necp_delete_session(struct necp_session *session)
1716 {
1717 if (session != NULL) {
1718 struct necp_service_registration *service = NULL;
1719 struct necp_service_registration *temp_service = NULL;
1720 LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
1721 LIST_REMOVE(service, session_chain);
1722 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1723 LIST_REMOVE(service, kernel_chain);
1724 lck_rw_done(&necp_kernel_policy_lock);
1725 FREE(service, M_NECP);
1726 }
1727 if (necp_debug) {
1728 NECPLOG0(LOG_DEBUG, "Deleted NECP session");
1729 }
1730
1731 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
1732 TAILQ_REMOVE(&necp_session_list, session, chain);
1733 necp_session_count--;
1734 lck_rw_done(&necp_kernel_policy_lock);
1735
1736 lck_mtx_destroy(&session->lock, necp_kernel_policy_mtx_grp);
1737 FREE(session, M_NECP);
1738 }
1739 }
1740
1741 // Session Policy Management
1742
1743 static inline u_int8_t
1744 necp_policy_result_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
1745 {
1746 return (buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0;
1747 }
1748
1749 static inline u_int32_t
1750 necp_policy_result_get_parameter_length_from_buffer(u_int8_t *buffer, u_int32_t length)
1751 {
1752 return (buffer && length > sizeof(u_int8_t)) ? (length - sizeof(u_int8_t)) : 0;
1753 }
1754
1755 static inline u_int8_t *
1756 necp_policy_result_get_parameter_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
1757 {
1758 return (buffer && length > sizeof(u_int8_t)) ? (buffer + sizeof(u_int8_t)) : NULL;
1759 }
1760
1761 static bool
1762 necp_policy_result_requires_route_rules(u_int8_t *buffer, u_int32_t length)
1763 {
1764 u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
1765 if (type == NECP_POLICY_RESULT_ROUTE_RULES) {
1766 return TRUE;
1767 }
1768 return FALSE;
1769 }
1770
1771 static inline bool
1772 necp_address_is_valid(struct sockaddr *address)
1773 {
1774 if (address->sa_family == AF_INET) {
1775 return address->sa_len == sizeof(struct sockaddr_in);
1776 } else if (address->sa_family == AF_INET6) {
1777 return address->sa_len == sizeof(struct sockaddr_in6);
1778 } else {
1779 return FALSE;
1780 }
1781 }
1782
1783 static bool
1784 necp_policy_result_is_valid(u_int8_t *buffer, u_int32_t length)
1785 {
1786 bool validated = FALSE;
1787 u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
1788 u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
1789 switch (type) {
1790 case NECP_POLICY_RESULT_PASS:
1791 case NECP_POLICY_RESULT_DROP:
1792 case NECP_POLICY_RESULT_ROUTE_RULES:
1793 case NECP_POLICY_RESULT_SCOPED_DIRECT:
1794 case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
1795 validated = TRUE;
1796 break;
1797 }
1798 case NECP_POLICY_RESULT_SKIP:
1799 case NECP_POLICY_RESULT_SOCKET_DIVERT:
1800 case NECP_POLICY_RESULT_SOCKET_FILTER: {
1801 if (parameter_length >= sizeof(u_int32_t)) {
1802 validated = TRUE;
1803 }
1804 break;
1805 }
1806 case NECP_POLICY_RESULT_IP_TUNNEL: {
1807 if (parameter_length > sizeof(u_int32_t)) {
1808 validated = TRUE;
1809 }
1810 break;
1811 }
1812 case NECP_POLICY_RESULT_SOCKET_SCOPED: {
1813 if (parameter_length > 0) {
1814 validated = TRUE;
1815 }
1816 break;
1817 }
1818 case NECP_POLICY_RESULT_TRIGGER:
1819 case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
1820 case NECP_POLICY_RESULT_TRIGGER_SCOPED:
1821 case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED:
1822 case NECP_POLICY_RESULT_USE_NETAGENT:
1823 case NECP_POLICY_RESULT_NETAGENT_SCOPED:{
1824 if (parameter_length >= sizeof(uuid_t)) {
1825 validated = TRUE;
1826 }
1827 break;
1828 }
1829 default: {
1830 validated = FALSE;
1831 break;
1832 }
1833 }
1834
1835 if (necp_debug) {
1836 NECPLOG(LOG_DEBUG, "Policy result type %d, valid %d", type, validated);
1837 }
1838
1839 return validated;
1840 }
1841
1842 static inline u_int8_t
1843 necp_policy_condition_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
1844 {
1845 return (buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0;
1846 }
1847
1848 static inline u_int8_t
1849 necp_policy_condition_get_flags_from_buffer(u_int8_t *buffer, u_int32_t length)
1850 {
1851 return (buffer && length >= (2 * sizeof(u_int8_t))) ? buffer[1] : 0;
1852 }
1853
1854 static inline u_int32_t
1855 necp_policy_condition_get_value_length_from_buffer(u_int8_t *buffer, u_int32_t length)
1856 {
1857 return (buffer && length >= (2 * sizeof(u_int8_t))) ? (length - (2 * sizeof(u_int8_t))) : 0;
1858 }
1859
1860 static inline u_int8_t *
1861 necp_policy_condition_get_value_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
1862 {
1863 return (buffer && length > (2 * sizeof(u_int8_t))) ? (buffer + (2 * sizeof(u_int8_t))) : NULL;
1864 }
1865
1866 static inline bool
1867 necp_policy_condition_is_default(u_int8_t *buffer, u_int32_t length)
1868 {
1869 return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_DEFAULT;
1870 }
1871
1872 static inline bool
1873 necp_policy_condition_is_application(u_int8_t *buffer, u_int32_t length)
1874 {
1875 return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_APPLICATION;
1876 }
1877
1878 static inline bool
1879 necp_policy_condition_is_real_application(u_int8_t *buffer, u_int32_t length)
1880 {
1881 return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_REAL_APPLICATION;
1882 }
1883
1884 static inline bool
1885 necp_policy_condition_requires_application(u_int8_t *buffer, u_int32_t length)
1886 {
1887 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
1888 return type == NECP_POLICY_CONDITION_REAL_APPLICATION;
1889 }
1890
1891 static inline bool
1892 necp_policy_condition_requires_real_application(u_int8_t *buffer, u_int32_t length)
1893 {
1894 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
1895 return type == NECP_POLICY_CONDITION_ENTITLEMENT;
1896 }
1897
1898 static bool
1899 necp_policy_condition_is_valid(u_int8_t *buffer, u_int32_t length, u_int8_t policy_result_type)
1900 {
1901 bool validated = FALSE;
1902 bool result_cannot_have_ip_layer = (policy_result_type == NECP_POLICY_RESULT_SOCKET_DIVERT ||
1903 policy_result_type == NECP_POLICY_RESULT_SOCKET_FILTER ||
1904 policy_result_type == NECP_POLICY_RESULT_TRIGGER ||
1905 policy_result_type == NECP_POLICY_RESULT_TRIGGER_IF_NEEDED ||
1906 policy_result_type == NECP_POLICY_RESULT_TRIGGER_SCOPED ||
1907 policy_result_type == NECP_POLICY_RESULT_NO_TRIGGER_SCOPED ||
1908 policy_result_type == NECP_POLICY_RESULT_SOCKET_SCOPED ||
1909 policy_result_type == NECP_POLICY_RESULT_ROUTE_RULES ||
1910 policy_result_type == NECP_POLICY_RESULT_USE_NETAGENT ||
1911 policy_result_type == NECP_POLICY_RESULT_NETAGENT_SCOPED ||
1912 policy_result_type == NECP_POLICY_RESULT_SCOPED_DIRECT ||
1913 policy_result_type == NECP_POLICY_RESULT_ALLOW_UNENTITLED) ? TRUE : FALSE;
1914 u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
1915 u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(buffer, length);
1916 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
1917 u_int8_t flags = necp_policy_condition_get_flags_from_buffer(buffer, length);
1918 switch (type) {
1919 case NECP_POLICY_CONDITION_APPLICATION:
1920 case NECP_POLICY_CONDITION_REAL_APPLICATION: {
1921 if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
1922 condition_length >= sizeof(uuid_t) &&
1923 condition_value != NULL &&
1924 !uuid_is_null(condition_value)) {
1925 validated = TRUE;
1926 }
1927 break;
1928 }
1929 case NECP_POLICY_CONDITION_DOMAIN:
1930 case NECP_POLICY_CONDITION_ACCOUNT:
1931 case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
1932 if (condition_length > 0) {
1933 validated = TRUE;
1934 }
1935 break;
1936 }
1937 case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
1938 if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
1939 validated = TRUE;
1940 }
1941 break;
1942 }
1943 case NECP_POLICY_CONDITION_DEFAULT:
1944 case NECP_POLICY_CONDITION_ALL_INTERFACES:
1945 case NECP_POLICY_CONDITION_ENTITLEMENT:
1946 case NECP_POLICY_CONDITION_PLATFORM_BINARY:
1947 case NECP_POLICY_CONDITION_HAS_CLIENT:
1948 case NECP_POLICY_CONDITION_LOCAL_NETWORKS: {
1949 if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE)) {
1950 validated = TRUE;
1951 }
1952 break;
1953 }
1954 case NECP_POLICY_CONDITION_IP_PROTOCOL: {
1955 if (condition_length >= sizeof(u_int16_t)) {
1956 validated = TRUE;
1957 }
1958 break;
1959 }
1960 case NECP_POLICY_CONDITION_PID: {
1961 if (condition_length >= sizeof(pid_t) &&
1962 condition_value != NULL &&
1963 *((pid_t *)(void *)condition_value) != 0) {
1964 validated = TRUE;
1965 }
1966 break;
1967 }
1968 case NECP_POLICY_CONDITION_UID: {
1969 if (condition_length >= sizeof(uid_t)) {
1970 validated = TRUE;
1971 }
1972 break;
1973 }
1974 case NECP_POLICY_CONDITION_LOCAL_ADDR:
1975 case NECP_POLICY_CONDITION_REMOTE_ADDR: {
1976 if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr) &&
1977 necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
1978 validated = TRUE;
1979 }
1980 break;
1981 }
1982 case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
1983 case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
1984 if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
1985 necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
1986 necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
1987 validated = TRUE;
1988 }
1989 break;
1990 }
1991 case NECP_POLICY_CONDITION_AGENT_TYPE: {
1992 if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
1993 condition_length >= sizeof(struct necp_policy_condition_agent_type)) {
1994 validated = TRUE;
1995 }
1996 break;
1997 }
1998 case NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL: {
1999 if (condition_length >= sizeof(u_int16_t)) {
2000 validated = TRUE;
2001 }
2002 break;
2003 }
2004 case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR:
2005 case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR: {
2006 if (condition_length >= sizeof(struct necp_policy_condition_addr) &&
2007 necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
2008 validated = TRUE;
2009 }
2010 break;
2011 }
2012 case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE:
2013 case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE: {
2014 if (condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
2015 necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
2016 necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
2017 validated = TRUE;
2018 }
2019 break;
2020 }
2021 case NECP_POLICY_CONDITION_CLIENT_FLAGS: {
2022 if (condition_length == 0 || condition_length >= sizeof(u_int32_t)) {
2023 validated = TRUE;
2024 }
2025 break;
2026 }
2027 case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY: {
2028 validated = TRUE;
2029 break;
2030 }
2031 case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY: {
2032 validated = TRUE;
2033 break;
2034 }
2035 default: {
2036 validated = FALSE;
2037 break;
2038 }
2039 }
2040
2041 if (necp_debug) {
2042 NECPLOG(LOG_DEBUG, "Policy condition type %d, valid %d", type, validated);
2043 }
2044
2045 return validated;
2046 }
2047
2048 static bool
2049 necp_policy_route_rule_is_default(u_int8_t *buffer, u_int32_t length)
2050 {
2051 return necp_policy_condition_get_value_length_from_buffer(buffer, length) == 0 &&
2052 necp_policy_condition_get_flags_from_buffer(buffer, length) == 0;
2053 }
2054
2055 static bool
2056 necp_policy_route_rule_is_valid(u_int8_t *buffer, u_int32_t length)
2057 {
2058 bool validated = FALSE;
2059 u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
2060 switch (type) {
2061 case NECP_ROUTE_RULE_ALLOW_INTERFACE: {
2062 validated = TRUE;
2063 break;
2064 }
2065 case NECP_ROUTE_RULE_DENY_INTERFACE: {
2066 validated = TRUE;
2067 break;
2068 }
2069 case NECP_ROUTE_RULE_QOS_MARKING: {
2070 validated = TRUE;
2071 break;
2072 }
2073 case NECP_ROUTE_RULE_DENY_LQM_ABORT: {
2074 validated = TRUE;
2075 break;
2076 }
2077 default: {
2078 validated = FALSE;
2079 break;
2080 }
2081 }
2082
2083 if (necp_debug) {
2084 NECPLOG(LOG_DEBUG, "Policy route rule type %d, valid %d", type, validated);
2085 }
2086
2087 return validated;
2088 }
2089
2090 static int
2091 necp_get_posix_error_for_necp_error(int response_error)
2092 {
2093 switch (response_error) {
2094 case NECP_ERROR_UNKNOWN_PACKET_TYPE:
2095 case NECP_ERROR_INVALID_TLV:
2096 case NECP_ERROR_POLICY_RESULT_INVALID:
2097 case NECP_ERROR_POLICY_CONDITIONS_INVALID:
2098 case NECP_ERROR_ROUTE_RULES_INVALID: {
2099 return EINVAL;
2100 }
2101 case NECP_ERROR_POLICY_ID_NOT_FOUND: {
2102 return ENOENT;
2103 }
2104 case NECP_ERROR_INVALID_PROCESS: {
2105 return EPERM;
2106 }
2107 case NECP_ERROR_INTERNAL:
2108 default: {
2109 return ENOMEM;
2110 }
2111 }
2112 }
2113
2114 static necp_policy_id
2115 necp_handle_policy_add(struct necp_session *session,
2116 u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *return_error)
2117 {
2118 bool has_default_condition = FALSE;
2119 bool has_non_default_condition = FALSE;
2120 bool has_application_condition = FALSE;
2121 bool has_real_application_condition = FALSE;
2122 bool requires_application_condition = FALSE;
2123 bool requires_real_application_condition = FALSE;
2124 u_int8_t *conditions_array = NULL;
2125 u_int32_t conditions_array_size = 0;
2126 int conditions_array_cursor;
2127
2128 bool has_default_route_rule = FALSE;
2129 u_int8_t *route_rules_array = NULL;
2130 u_int32_t route_rules_array_size = 0;
2131 int route_rules_array_cursor;
2132
2133 int cursor;
2134 int error = 0;
2135 u_int32_t response_error = NECP_ERROR_INTERNAL;
2136
2137 necp_policy_order order = 0;
2138 struct necp_session_policy *policy = NULL;
2139 u_int8_t *policy_result = NULL;
2140 u_int32_t policy_result_size = 0;
2141
2142 // Read policy order
2143 error = necp_get_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_ORDER, sizeof(order), &order, NULL);
2144 if (error) {
2145 NECPLOG(LOG_ERR, "Failed to get policy order: %d", error);
2146 response_error = NECP_ERROR_INVALID_TLV;
2147 goto fail;
2148 }
2149
2150 // Read policy result
2151 cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_RESULT, &error, 0);
2152 if (error || cursor < 0) {
2153 NECPLOG(LOG_ERR, "Failed to find policy result TLV: %d", error);
2154 response_error = NECP_ERROR_INVALID_TLV;
2155 goto fail;
2156 }
2157 error = necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &policy_result_size);
2158 if (error || policy_result_size == 0) {
2159 NECPLOG(LOG_ERR, "Failed to get policy result length: %d", error);
2160 response_error = NECP_ERROR_INVALID_TLV;
2161 goto fail;
2162 }
2163 if (policy_result_size > NECP_MAX_POLICY_RESULT_SIZE) {
2164 NECPLOG(LOG_ERR, "Policy result length too large: %u", policy_result_size);
2165 response_error = NECP_ERROR_INVALID_TLV;
2166 goto fail;
2167 }
2168 MALLOC(policy_result, u_int8_t *, policy_result_size, M_NECP, M_WAITOK);
2169 if (policy_result == NULL) {
2170 NECPLOG(LOG_ERR, "Failed to allocate a policy result buffer (size %d)", policy_result_size);
2171 response_error = NECP_ERROR_INTERNAL;
2172 goto fail;
2173 }
2174 error = necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, policy_result_size, policy_result, NULL);
2175 if (error) {
2176 NECPLOG(LOG_ERR, "Failed to get policy result: %d", error);
2177 response_error = NECP_ERROR_POLICY_RESULT_INVALID;
2178 goto fail;
2179 }
2180 if (!necp_policy_result_is_valid(policy_result, policy_result_size)) {
2181 NECPLOG0(LOG_ERR, "Failed to validate policy result");
2182 response_error = NECP_ERROR_POLICY_RESULT_INVALID;
2183 goto fail;
2184 }
2185
2186 if (necp_policy_result_requires_route_rules(policy_result, policy_result_size)) {
2187 // Read route rules conditions
2188 for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
2189 cursor >= 0;
2190 cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
2191 u_int32_t route_rule_size = 0;
2192 necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
2193 if (os_add_overflow(route_rules_array_size,
2194 (sizeof(u_int8_t) + sizeof(u_int32_t) + route_rule_size),
2195 &route_rules_array_size)) {
2196 NECPLOG0(LOG_ERR, "Route rules size overflowed, too large");
2197 response_error = NECP_ERROR_INVALID_TLV;
2198 goto fail;
2199 }
2200 }
2201
2202 if (route_rules_array_size == 0) {
2203 NECPLOG0(LOG_ERR, "Failed to get policy route rules");
2204 response_error = NECP_ERROR_INVALID_TLV;
2205 goto fail;
2206 }
2207 if (route_rules_array_size > NECP_MAX_ROUTE_RULES_ARRAY_SIZE) {
2208 NECPLOG(LOG_ERR, "Route rules length too large: %u", route_rules_array_size);
2209 response_error = NECP_ERROR_INVALID_TLV;
2210 goto fail;
2211 }
2212 MALLOC(route_rules_array, u_int8_t *, route_rules_array_size, M_NECP, M_WAITOK);
2213 if (route_rules_array == NULL) {
2214 NECPLOG(LOG_ERR, "Failed to allocate a policy route rules array (size %d)", route_rules_array_size);
2215 response_error = NECP_ERROR_INTERNAL;
2216 goto fail;
2217 }
2218
2219 route_rules_array_cursor = 0;
2220 for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
2221 cursor >= 0;
2222 cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
2223 u_int8_t route_rule_type = NECP_TLV_ROUTE_RULE;
2224 u_int32_t route_rule_size = 0;
2225 necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
2226 if (route_rule_size > 0 &&
2227 (sizeof(route_rule_type) + sizeof(route_rule_size) + route_rule_size) <= (route_rules_array_size - route_rules_array_cursor)) {
2228 // Add type
2229 memcpy((route_rules_array + route_rules_array_cursor), &route_rule_type, sizeof(route_rule_type));
2230 route_rules_array_cursor += sizeof(route_rule_type);
2231
2232 // Add length
2233 memcpy((route_rules_array + route_rules_array_cursor), &route_rule_size, sizeof(route_rule_size));
2234 route_rules_array_cursor += sizeof(route_rule_size);
2235
2236 // Add value
2237 necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, route_rule_size, (route_rules_array + route_rules_array_cursor), NULL);
2238
2239 if (!necp_policy_route_rule_is_valid((route_rules_array + route_rules_array_cursor), route_rule_size)) {
2240 NECPLOG0(LOG_ERR, "Failed to validate policy route rule");
2241 response_error = NECP_ERROR_ROUTE_RULES_INVALID;
2242 goto fail;
2243 }
2244
2245 if (necp_policy_route_rule_is_default((route_rules_array + route_rules_array_cursor), route_rule_size)) {
2246 if (has_default_route_rule) {
2247 NECPLOG0(LOG_ERR, "Failed to validate route rule; contained multiple default route rules");
2248 response_error = NECP_ERROR_ROUTE_RULES_INVALID;
2249 goto fail;
2250 }
2251 has_default_route_rule = TRUE;
2252 }
2253
2254 route_rules_array_cursor += route_rule_size;
2255 }
2256 }
2257 }
2258
2259 // Read policy conditions
2260 for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
2261 cursor >= 0;
2262 cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
2263 u_int32_t condition_size = 0;
2264 necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
2265
2266 if (condition_size > 0) {
2267 if (os_add_overflow(conditions_array_size,
2268 (sizeof(u_int8_t) + sizeof(u_int32_t) + condition_size),
2269 &conditions_array_size)) {
2270 NECPLOG0(LOG_ERR, "Conditions size overflowed, too large");
2271 response_error = NECP_ERROR_INVALID_TLV;
2272 goto fail;
2273 }
2274 }
2275 }
2276
2277 if (conditions_array_size == 0) {
2278 NECPLOG0(LOG_ERR, "Failed to get policy conditions");
2279 response_error = NECP_ERROR_INVALID_TLV;
2280 goto fail;
2281 }
2282 if (conditions_array_size > NECP_MAX_CONDITIONS_ARRAY_SIZE) {
2283 NECPLOG(LOG_ERR, "Conditions length too large: %u", conditions_array_size);
2284 response_error = NECP_ERROR_INVALID_TLV;
2285 goto fail;
2286 }
2287 MALLOC(conditions_array, u_int8_t *, conditions_array_size, M_NECP, M_WAITOK);
2288 if (conditions_array == NULL) {
2289 NECPLOG(LOG_ERR, "Failed to allocate a policy conditions array (size %d)", conditions_array_size);
2290 response_error = NECP_ERROR_INTERNAL;
2291 goto fail;
2292 }
2293
2294 conditions_array_cursor = 0;
2295 for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
2296 cursor >= 0;
2297 cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
2298 u_int8_t condition_type = NECP_TLV_POLICY_CONDITION;
2299 u_int32_t condition_size = 0;
2300 necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
2301 if (condition_size > 0 &&
2302 (sizeof(condition_type) + sizeof(condition_size) + condition_size) <= (conditions_array_size - conditions_array_cursor)) {
2303 // Add type
2304 memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type));
2305 conditions_array_cursor += sizeof(condition_type);
2306
2307 // Add length
2308 memcpy((conditions_array + conditions_array_cursor), &condition_size, sizeof(condition_size));
2309 conditions_array_cursor += sizeof(condition_size);
2310
2311 // Add value
2312 necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);
2313 if (!necp_policy_condition_is_valid((conditions_array + conditions_array_cursor), condition_size, necp_policy_result_get_type_from_buffer(policy_result, policy_result_size))) {
2314 NECPLOG0(LOG_ERR, "Failed to validate policy condition");
2315 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2316 goto fail;
2317 }
2318
2319 if (necp_policy_condition_is_default((conditions_array + conditions_array_cursor), condition_size)) {
2320 has_default_condition = TRUE;
2321 } else {
2322 has_non_default_condition = TRUE;
2323 }
2324 if (has_default_condition && has_non_default_condition) {
2325 NECPLOG0(LOG_ERR, "Failed to validate conditions; contained default and non-default conditions");
2326 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2327 goto fail;
2328 }
2329
2330 if (necp_policy_condition_is_application((conditions_array + conditions_array_cursor), condition_size)) {
2331 has_application_condition = TRUE;
2332 }
2333
2334 if (necp_policy_condition_is_real_application((conditions_array + conditions_array_cursor), condition_size)) {
2335 has_real_application_condition = TRUE;
2336 }
2337
2338 if (necp_policy_condition_requires_application((conditions_array + conditions_array_cursor), condition_size)) {
2339 requires_application_condition = TRUE;
2340 }
2341
2342 if (necp_policy_condition_requires_real_application((conditions_array + conditions_array_cursor), condition_size)) {
2343 requires_real_application_condition = TRUE;
2344 }
2345
2346 conditions_array_cursor += condition_size;
2347 }
2348 }
2349
2350 if (requires_application_condition && !has_application_condition) {
2351 NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain application condition");
2352 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2353 goto fail;
2354 }
2355
2356 if (requires_real_application_condition && !has_real_application_condition) {
2357 NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain real application condition");
2358 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
2359 goto fail;
2360 }
2361
2362 if ((policy = necp_policy_create(session, order, conditions_array, conditions_array_size, route_rules_array, route_rules_array_size, policy_result, policy_result_size)) == NULL) {
2363 response_error = NECP_ERROR_INTERNAL;
2364 goto fail;
2365 }
2366
2367 return policy->local_id;
2368
2369 fail:
2370 if (policy_result != NULL) {
2371 FREE(policy_result, M_NECP);
2372 }
2373 if (conditions_array != NULL) {
2374 FREE(conditions_array, M_NECP);
2375 }
2376 if (route_rules_array != NULL) {
2377 FREE(route_rules_array, M_NECP);
2378 }
2379
2380 if (return_error != NULL) {
2381 *return_error = necp_get_posix_error_for_necp_error(response_error);
2382 }
2383 return 0;
2384 }
2385
2386 static necp_policy_id
2387 necp_policy_get_new_id(struct necp_session *session)
2388 {
2389 session->last_policy_id++;
2390 if (session->last_policy_id < 1) {
2391 session->last_policy_id = 1;
2392 }
2393
2394 necp_policy_id newid = session->last_policy_id;
2395
2396 if (newid == 0) {
2397 NECPLOG0(LOG_ERR, "Allocate policy id failed.\n");
2398 return 0;
2399 }
2400
2401 return newid;
2402 }
2403
2404 /*
2405 * For the policy dump response this is the structure:
2406 *
2407 * <NECP_PACKET_HEADER>
2408 * {
2409 * type : NECP_TLV_POLICY_DUMP
2410 * length : ...
2411 * value :
2412 * {
2413 * {
2414 * type : NECP_TLV_POLICY_ID
2415 * len : ...
2416 * value : ...
2417 * }
2418 * {
2419 * type : NECP_TLV_POLICY_ORDER
2420 * len : ...
2421 * value : ...
2422 * }
2423 * {
2424 * type : NECP_TLV_POLICY_RESULT_STRING
2425 * len : ...
2426 * value : ...
2427 * }
2428 * {
2429 * type : NECP_TLV_POLICY_OWNER
2430 * len : ...
2431 * value : ...
2432 * }
2433 * {
2434 * type : NECP_TLV_POLICY_CONDITION
2435 * len : ...
2436 * value :
2437 * {
2438 * {
2439 * type : NECP_POLICY_CONDITION_ALL_INTERFACES
2440 * len : ...
2441 * value : ...
2442 * }
2443 * {
2444 * type : NECP_POLICY_CONDITION_BOUND_INTERFACES
2445 * len : ...
2446 * value : ...
2447 * }
2448 * ...
2449 * }
2450 * }
2451 * }
2452 * }
2453 * {
2454 * type : NECP_TLV_POLICY_DUMP
2455 * length : ...
2456 * value :
2457 * {
2458 * {
2459 * type : NECP_TLV_POLICY_ID
2460 * len : ...
2461 * value : ...
2462 * }
2463 * {
2464 * type : NECP_TLV_POLICY_ORDER
2465 * len : ...
2466 * value : ...
2467 * }
2468 * {
2469 * type : NECP_TLV_POLICY_RESULT_STRING
2470 * len : ...
2471 * value : ...
2472 * }
2473 * {
2474 * type : NECP_TLV_POLICY_OWNER
2475 * len : ...
2476 * value : ...
2477 * }
2478 * {
2479 * type : NECP_TLV_POLICY_CONDITION
2480 * len : ...
2481 * value :
2482 * {
2483 * {
2484 * type : NECP_POLICY_CONDITION_ALL_INTERFACES
2485 * len : ...
2486 * value : ...
2487 * }
2488 * {
2489 * type : NECP_POLICY_CONDITION_BOUND_INTERFACES
2490 * len : ...
2491 * value : ...
2492 * }
2493 * ...
2494 * }
2495 * }
2496 * }
2497 * }
2498 * ...
2499 */
2500 static int
2501 necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
2502 {
2503 struct necp_kernel_socket_policy *policy = NULL;
2504 int policy_i;
2505 int policy_count = 0;
2506 u_int8_t **tlv_buffer_pointers = NULL;
2507 u_int32_t *tlv_buffer_lengths = NULL;
2508 u_int32_t total_tlv_len = 0;
2509 u_int8_t *result_buf = NULL;
2510 u_int8_t *result_buf_cursor = result_buf;
2511 char result_string[MAX_RESULT_STRING_LEN];
2512 char proc_name_string[MAXCOMLEN + 1];
2513
2514 int error_code = 0;
2515 bool error_occured = false;
2516 u_int32_t response_error = NECP_ERROR_INTERNAL;
2517
2518 #define REPORT_ERROR(error) error_occured = true; \
2519 response_error = error; \
2520 goto done
2521
2522 #define UNLOCK_AND_REPORT_ERROR(lock, error) lck_rw_done(lock); \
2523 REPORT_ERROR(error)
2524
2525 errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
2526 if (cred_result != 0) {
2527 NECPLOG0(LOG_ERR, "Session does not hold the necessary entitlement to get Network Extension Policy information");
2528 REPORT_ERROR(NECP_ERROR_INTERNAL);
2529 }
2530
2531 // LOCK
2532 lck_rw_lock_shared(&necp_kernel_policy_lock);
2533
2534 if (necp_debug) {
2535 NECPLOG0(LOG_DEBUG, "Gathering policies");
2536 }
2537
2538 policy_count = necp_kernel_application_policies_count;
2539
2540 MALLOC(tlv_buffer_pointers, u_int8_t * *, sizeof(u_int8_t *) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
2541 if (tlv_buffer_pointers == NULL) {
2542 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_pointers (%u bytes)", sizeof(u_int8_t *) * policy_count);
2543 UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
2544 }
2545
2546 MALLOC(tlv_buffer_lengths, u_int32_t *, sizeof(u_int32_t) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
2547 if (tlv_buffer_lengths == NULL) {
2548 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_lengths (%u bytes)", sizeof(u_int32_t) * policy_count);
2549 UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
2550 }
2551
2552 for (policy_i = 0; necp_kernel_socket_policies_app_layer_map != NULL && necp_kernel_socket_policies_app_layer_map[policy_i] != NULL; policy_i++) {
2553 policy = necp_kernel_socket_policies_app_layer_map[policy_i];
2554
2555 memset(result_string, 0, MAX_RESULT_STRING_LEN);
2556 memset(proc_name_string, 0, MAXCOMLEN + 1);
2557
2558 necp_get_result_description(result_string, policy->result, policy->result_parameter);
2559 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
2560
2561 u_int16_t proc_name_len = strlen(proc_name_string) + 1;
2562 u_int16_t result_string_len = strlen(result_string) + 1;
2563
2564 if (necp_debug) {
2565 NECPLOG(LOG_DEBUG, "Policy: process: %s, result: %s", proc_name_string, result_string);
2566 }
2567
2568 u_int32_t total_allocated_bytes = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->id) + // NECP_TLV_POLICY_ID
2569 sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->order) + // NECP_TLV_POLICY_ORDER
2570 sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->session_order) + // NECP_TLV_POLICY_SESSION_ORDER
2571 sizeof(u_int8_t) + sizeof(u_int32_t) + result_string_len + // NECP_TLV_POLICY_RESULT_STRING
2572 sizeof(u_int8_t) + sizeof(u_int32_t) + proc_name_len + // NECP_TLV_POLICY_OWNER
2573 sizeof(u_int8_t) + sizeof(u_int32_t); // NECP_TLV_POLICY_CONDITION
2574
2575 // We now traverse the condition_mask to see how much space we need to allocate
2576 u_int32_t condition_mask = policy->condition_mask;
2577 u_int8_t num_conditions = 0;
2578 struct necp_string_id_mapping *account_id_entry = NULL;
2579 char if_name[IFXNAMSIZ];
2580 u_int32_t condition_tlv_length = 0;
2581 memset(if_name, 0, sizeof(if_name));
2582
2583 if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
2584 num_conditions++;
2585 } else {
2586 if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
2587 num_conditions++;
2588 }
2589 if (condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
2590 num_conditions++;
2591 }
2592 if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
2593 snprintf(if_name, IFXNAMSIZ, "%s%d", ifnet_name(policy->cond_bound_interface), ifnet_unit(policy->cond_bound_interface));
2594 condition_tlv_length += strlen(if_name) + 1;
2595 num_conditions++;
2596 }
2597 if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
2598 condition_tlv_length += sizeof(policy->cond_protocol);
2599 num_conditions++;
2600 }
2601 if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
2602 condition_tlv_length += sizeof(uuid_t);
2603 num_conditions++;
2604 }
2605 if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
2606 condition_tlv_length += sizeof(uuid_t);
2607 num_conditions++;
2608 }
2609 if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
2610 u_int32_t domain_len = strlen(policy->cond_domain) + 1;
2611 condition_tlv_length += domain_len;
2612 num_conditions++;
2613 }
2614 if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
2615 account_id_entry = necp_lookup_string_with_id_locked(&necp_account_id_list, policy->cond_account_id);
2616 u_int32_t account_id_len = 0;
2617 if (account_id_entry) {
2618 account_id_len = account_id_entry->string ? strlen(account_id_entry->string) + 1 : 0;
2619 }
2620 condition_tlv_length += account_id_len;
2621 num_conditions++;
2622 }
2623 if (condition_mask & NECP_KERNEL_CONDITION_PID) {
2624 condition_tlv_length += sizeof(pid_t);
2625 num_conditions++;
2626 }
2627 if (condition_mask & NECP_KERNEL_CONDITION_UID) {
2628 condition_tlv_length += sizeof(uid_t);
2629 num_conditions++;
2630 }
2631 if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
2632 condition_tlv_length += sizeof(struct necp_policy_condition_tc_range);
2633 num_conditions++;
2634 }
2635 if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
2636 num_conditions++;
2637 }
2638 if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
2639 u_int32_t entitlement_len = strlen(policy->cond_custom_entitlement) + 1;
2640 condition_tlv_length += entitlement_len;
2641 num_conditions++;
2642 }
2643 if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
2644 num_conditions++;
2645 }
2646 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
2647 num_conditions++;
2648 }
2649 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
2650 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
2651 condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
2652 } else {
2653 condition_tlv_length += sizeof(struct necp_policy_condition_addr);
2654 }
2655 num_conditions++;
2656 }
2657 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
2658 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
2659 condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
2660 } else {
2661 condition_tlv_length += sizeof(struct necp_policy_condition_addr);
2662 }
2663 num_conditions++;
2664 }
2665 if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
2666 condition_tlv_length += sizeof(struct necp_policy_condition_agent_type);
2667 num_conditions++;
2668 }
2669 if (condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
2670 condition_tlv_length += sizeof(u_int32_t);
2671 num_conditions++;
2672 }
2673 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
2674 num_conditions++;
2675 }
2676 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
2677 num_conditions++;
2678 }
2679 }
2680
2681 condition_tlv_length += num_conditions * (sizeof(u_int8_t) + sizeof(u_int32_t)); // These are for the condition TLVs. The space for "value" is already accounted for above.
2682 total_allocated_bytes += condition_tlv_length;
2683
2684 u_int8_t *tlv_buffer;
2685 MALLOC(tlv_buffer, u_int8_t *, total_allocated_bytes, M_NECP, M_NOWAIT | M_ZERO);
2686 if (tlv_buffer == NULL) {
2687 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer (%u bytes)", total_allocated_bytes);
2688 continue;
2689 }
2690
2691 u_int8_t *cursor = tlv_buffer;
2692 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy->id), &policy->id, tlv_buffer, total_allocated_bytes);
2693 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, tlv_buffer, total_allocated_bytes);
2694 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_SESSION_ORDER, sizeof(policy->session_order), &policy->session_order, tlv_buffer, total_allocated_bytes);
2695 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT_STRING, result_string_len, result_string, tlv_buffer, total_allocated_bytes);
2696 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_OWNER, proc_name_len, proc_name_string, tlv_buffer, total_allocated_bytes);
2697
2698 #define N_QUICK 256
2699 u_int8_t q_cond_buf[N_QUICK]; // Minor optimization
2700
2701 u_int8_t *cond_buf; // To be used for condition TLVs
2702 if (condition_tlv_length <= N_QUICK) {
2703 cond_buf = q_cond_buf;
2704 } else {
2705 MALLOC(cond_buf, u_int8_t *, condition_tlv_length, M_NECP, M_NOWAIT);
2706 if (cond_buf == NULL) {
2707 NECPLOG(LOG_DEBUG, "Failed to allocate cond_buffer (%u bytes)", condition_tlv_length);
2708 FREE(tlv_buffer, M_NECP);
2709 continue;
2710 }
2711 }
2712
2713 memset(cond_buf, 0, condition_tlv_length);
2714 u_int8_t *cond_buf_cursor = cond_buf;
2715 if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
2716 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DEFAULT, 0, "", cond_buf, condition_tlv_length);
2717 } else {
2718 if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
2719 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ALL_INTERFACES, 0, "", cond_buf, condition_tlv_length);
2720 }
2721 if (condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
2722 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_HAS_CLIENT, 0, "", cond_buf, condition_tlv_length);
2723 }
2724 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
2725 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_NETWORKS, 0, "", cond_buf, condition_tlv_length);
2726 }
2727 if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
2728 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_BOUND_INTERFACE, strlen(if_name) + 1,
2729 if_name, cond_buf, condition_tlv_length);
2730 }
2731 if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
2732 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_IP_PROTOCOL, sizeof(policy->cond_protocol), &policy->cond_protocol,
2733 cond_buf, condition_tlv_length);
2734 }
2735 if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
2736 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_app_id);
2737 if (entry != NULL) {
2738 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_APPLICATION, sizeof(entry->uuid), entry->uuid,
2739 cond_buf, condition_tlv_length);
2740 }
2741 }
2742 if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
2743 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_real_app_id);
2744 if (entry != NULL) {
2745 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REAL_APPLICATION, sizeof(entry->uuid), entry->uuid,
2746 cond_buf, condition_tlv_length);
2747 }
2748 }
2749 if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
2750 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DOMAIN, strlen(policy->cond_domain) + 1, policy->cond_domain,
2751 cond_buf, condition_tlv_length);
2752 }
2753 if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
2754 if (account_id_entry != NULL) {
2755 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ACCOUNT, strlen(account_id_entry->string) + 1, account_id_entry->string,
2756 cond_buf, condition_tlv_length);
2757 }
2758 }
2759 if (condition_mask & NECP_KERNEL_CONDITION_PID) {
2760 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PID, sizeof(policy->cond_pid), &policy->cond_pid,
2761 cond_buf, condition_tlv_length);
2762 }
2763 if (condition_mask & NECP_KERNEL_CONDITION_UID) {
2764 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_UID, sizeof(policy->cond_uid), &policy->cond_uid,
2765 cond_buf, condition_tlv_length);
2766 }
2767 if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
2768 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_TRAFFIC_CLASS, sizeof(policy->cond_traffic_class), &policy->cond_traffic_class,
2769 cond_buf, condition_tlv_length);
2770 }
2771 if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
2772 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, 0, "",
2773 cond_buf, condition_tlv_length);
2774 }
2775 if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
2776 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, strlen(policy->cond_custom_entitlement) + 1, policy->cond_custom_entitlement,
2777 cond_buf, condition_tlv_length);
2778 }
2779 if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
2780 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PLATFORM_BINARY, 0, "", cond_buf, condition_tlv_length);
2781 }
2782 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
2783 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
2784 struct necp_policy_condition_addr_range range;
2785 memcpy(&range.start_address, &policy->cond_local_start, sizeof(policy->cond_local_start));
2786 memcpy(&range.end_address, &policy->cond_local_end, sizeof(policy->cond_local_end));
2787 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE, sizeof(range), &range,
2788 cond_buf, condition_tlv_length);
2789 } else {
2790 struct necp_policy_condition_addr addr;
2791 addr.prefix = policy->cond_local_prefix;
2792 memcpy(&addr.address, &policy->cond_local_start, sizeof(policy->cond_local_start));
2793 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR, sizeof(addr), &addr,
2794 cond_buf, condition_tlv_length);
2795 }
2796 }
2797 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
2798 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
2799 struct necp_policy_condition_addr_range range;
2800 memcpy(&range.start_address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
2801 memcpy(&range.end_address, &policy->cond_remote_end, sizeof(policy->cond_remote_end));
2802 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE, sizeof(range), &range,
2803 cond_buf, condition_tlv_length);
2804 } else {
2805 struct necp_policy_condition_addr addr;
2806 addr.prefix = policy->cond_remote_prefix;
2807 memcpy(&addr.address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
2808 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR, sizeof(addr), &addr,
2809 cond_buf, condition_tlv_length);
2810 }
2811 }
2812 if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
2813 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_AGENT_TYPE,
2814 sizeof(policy->cond_agent_type), &policy->cond_agent_type,
2815 cond_buf, condition_tlv_length);
2816 }
2817 if (condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
2818 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_CLIENT_FLAGS, sizeof(policy->cond_client_flags), &policy->cond_client_flags, cond_buf, condition_tlv_length);
2819 }
2820 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
2821 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY, 0, "", cond_buf, condition_tlv_length);
2822 }
2823 if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
2824 cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY, 0, "", cond_buf, condition_tlv_length);
2825 }
2826 }
2827
2828 cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_CONDITION, cond_buf_cursor - cond_buf, cond_buf, tlv_buffer, total_allocated_bytes);
2829 if (cond_buf != q_cond_buf) {
2830 FREE(cond_buf, M_NECP);
2831 }
2832
2833 tlv_buffer_pointers[policy_i] = tlv_buffer;
2834 tlv_buffer_lengths[policy_i] = (cursor - tlv_buffer);
2835
2836 // This is the length of the TLV for NECP_TLV_POLICY_DUMP
2837 total_tlv_len += sizeof(u_int8_t) + sizeof(u_int32_t) + (cursor - tlv_buffer);
2838 }
2839
2840 // UNLOCK
2841 lck_rw_done(&necp_kernel_policy_lock);
2842
2843 // Copy out
2844 if (out_buffer != 0) {
2845 if (out_buffer_length < total_tlv_len + sizeof(u_int32_t)) {
2846 NECPLOG(LOG_DEBUG, "out_buffer_length too small (%u < %u)", out_buffer_length, total_tlv_len + sizeof(u_int32_t));
2847 REPORT_ERROR(NECP_ERROR_INVALID_TLV);
2848 }
2849
2850 // Allow malloc to wait, since the total buffer may be large and we are not holding any locks
2851 MALLOC(result_buf, u_int8_t *, total_tlv_len + sizeof(u_int32_t), M_NECP, M_WAITOK | M_ZERO);
2852 if (result_buf == NULL) {
2853 NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
2854 REPORT_ERROR(NECP_ERROR_INTERNAL);
2855 }
2856
2857 // Add four bytes for total length at the start
2858 memcpy(result_buf, &total_tlv_len, sizeof(u_int32_t));
2859
2860 // Copy the TLVs
2861 result_buf_cursor = result_buf + sizeof(u_int32_t);
2862 for (int i = 0; i < policy_count; i++) {
2863 if (tlv_buffer_pointers[i] != NULL) {
2864 result_buf_cursor = necp_buffer_write_tlv(result_buf_cursor, NECP_TLV_POLICY_DUMP, tlv_buffer_lengths[i], tlv_buffer_pointers[i],
2865 result_buf, total_tlv_len + sizeof(u_int32_t));
2866 }
2867 }
2868
2869 int copy_error = copyout(result_buf, out_buffer, total_tlv_len + sizeof(u_int32_t));
2870 if (copy_error) {
2871 NECPLOG(LOG_DEBUG, "Failed to copy out result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
2872 REPORT_ERROR(NECP_ERROR_INTERNAL);
2873 }
2874 }
2875
2876 done:
2877
2878 if (error_occured) {
2879 error_code = necp_get_posix_error_for_necp_error(response_error);
2880 }
2881
2882 if (result_buf != NULL) {
2883 FREE(result_buf, M_NECP);
2884 }
2885
2886 if (tlv_buffer_pointers != NULL) {
2887 for (int i = 0; i < policy_count; i++) {
2888 if (tlv_buffer_pointers[i] != NULL) {
2889 FREE(tlv_buffer_pointers[i], M_NECP);
2890 tlv_buffer_pointers[i] = NULL;
2891 }
2892 }
2893 FREE(tlv_buffer_pointers, M_NECP);
2894 }
2895
2896 if (tlv_buffer_lengths != NULL) {
2897 FREE(tlv_buffer_lengths, M_NECP);
2898 }
2899 #undef N_QUICK
2900 #undef RESET_COND_BUF
2901 #undef REPORT_ERROR
2902 #undef UNLOCK_AND_REPORT_ERROR
2903
2904 return error_code;
2905 }
2906
2907 static struct necp_session_policy *
2908 necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8_t *conditions_array, u_int32_t conditions_array_size, u_int8_t *route_rules_array, u_int32_t route_rules_array_size, u_int8_t *result, u_int32_t result_size)
2909 {
2910 struct necp_session_policy *new_policy = NULL;
2911 struct necp_session_policy *tmp_policy = NULL;
2912
2913 if (session == NULL || conditions_array == NULL || result == NULL || result_size == 0) {
2914 goto done;
2915 }
2916
2917 MALLOC_ZONE(new_policy, struct necp_session_policy *, sizeof(*new_policy), M_NECP_SESSION_POLICY, M_WAITOK);
2918 if (new_policy == NULL) {
2919 goto done;
2920 }
2921
2922 memset(new_policy, 0, sizeof(*new_policy)); // M_ZERO is not supported for MALLOC_ZONE
2923 new_policy->applied = FALSE;
2924 new_policy->pending_deletion = FALSE;
2925 new_policy->pending_update = FALSE;
2926 new_policy->order = order;
2927 new_policy->conditions = conditions_array;
2928 new_policy->conditions_size = conditions_array_size;
2929 new_policy->route_rules = route_rules_array;
2930 new_policy->route_rules_size = route_rules_array_size;
2931 new_policy->result = result;
2932 new_policy->result_size = result_size;
2933 new_policy->local_id = necp_policy_get_new_id(session);
2934
2935 LIST_INSERT_SORTED_ASCENDING(&session->policies, new_policy, chain, order, tmp_policy);
2936
2937 session->dirty = TRUE;
2938
2939 if (necp_debug) {
2940 NECPLOG(LOG_DEBUG, "Created NECP policy, order %d", order);
2941 }
2942 done:
2943 return new_policy;
2944 }
2945
2946 static struct necp_session_policy *
2947 necp_policy_find(struct necp_session *session, necp_policy_id policy_id)
2948 {
2949 struct necp_session_policy *policy = NULL;
2950 if (policy_id == 0) {
2951 return NULL;
2952 }
2953
2954 LIST_FOREACH(policy, &session->policies, chain) {
2955 if (policy->local_id == policy_id) {
2956 return policy;
2957 }
2958 }
2959
2960 return NULL;
2961 }
2962
2963 static inline u_int8_t
2964 necp_policy_get_result_type(struct necp_session_policy *policy)
2965 {
2966 return policy ? necp_policy_result_get_type_from_buffer(policy->result, policy->result_size) : 0;
2967 }
2968
2969 static inline u_int32_t
2970 necp_policy_get_result_parameter_length(struct necp_session_policy *policy)
2971 {
2972 return policy ? necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) : 0;
2973 }
2974
2975 static bool
2976 necp_policy_get_result_parameter(struct necp_session_policy *policy, u_int8_t *parameter_buffer, u_int32_t parameter_buffer_length)
2977 {
2978 if (policy) {
2979 u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size);
2980 if (parameter_buffer_length >= parameter_length) {
2981 u_int8_t *parameter = necp_policy_result_get_parameter_pointer_from_buffer(policy->result, policy->result_size);
2982 if (parameter && parameter_buffer) {
2983 memcpy(parameter_buffer, parameter, parameter_length);
2984 return TRUE;
2985 }
2986 }
2987 }
2988
2989 return FALSE;
2990 }
2991
2992 static bool
2993 necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy)
2994 {
2995 if (session == NULL || policy == NULL) {
2996 return FALSE;
2997 }
2998
2999 policy->pending_deletion = TRUE;
3000 session->dirty = TRUE;
3001
3002 if (necp_debug) {
3003 NECPLOG0(LOG_DEBUG, "Marked NECP policy for removal");
3004 }
3005 return TRUE;
3006 }
3007
3008 static bool
3009 necp_policy_mark_all_for_deletion(struct necp_session *session)
3010 {
3011 struct necp_session_policy *policy = NULL;
3012 struct necp_session_policy *temp_policy = NULL;
3013
3014 LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
3015 necp_policy_mark_for_deletion(session, policy);
3016 }
3017
3018 return TRUE;
3019 }
3020
3021 static bool
3022 necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy)
3023 {
3024 if (session == NULL || policy == NULL) {
3025 return FALSE;
3026 }
3027
3028 LIST_REMOVE(policy, chain);
3029
3030 if (policy->result) {
3031 FREE(policy->result, M_NECP);
3032 policy->result = NULL;
3033 }
3034
3035 if (policy->conditions) {
3036 FREE(policy->conditions, M_NECP);
3037 policy->conditions = NULL;
3038 }
3039
3040 if (policy->route_rules) {
3041 FREE(policy->route_rules, M_NECP);
3042 policy->route_rules = NULL;
3043 }
3044
3045 FREE_ZONE(policy, sizeof(*policy), M_NECP_SESSION_POLICY);
3046
3047 if (necp_debug) {
3048 NECPLOG0(LOG_DEBUG, "Removed NECP policy");
3049 }
3050 return TRUE;
3051 }
3052
3053 static bool
3054 necp_policy_unapply(struct necp_session_policy *policy)
3055 {
3056 int i = 0;
3057 if (policy == NULL) {
3058 return FALSE;
3059 }
3060
3061 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
3062
3063 // Release local uuid mappings
3064 if (!uuid_is_null(policy->applied_app_uuid)) {
3065 bool removed_mapping = FALSE;
3066 if (necp_remove_uuid_app_id_mapping(policy->applied_app_uuid, &removed_mapping, TRUE) && removed_mapping) {
3067 necp_uuid_app_id_mappings_dirty = TRUE;
3068 necp_num_uuid_app_id_mappings--;
3069 }
3070 uuid_clear(policy->applied_app_uuid);
3071 }
3072 if (!uuid_is_null(policy->applied_real_app_uuid)) {
3073 necp_remove_uuid_app_id_mapping(policy->applied_real_app_uuid, NULL, FALSE);
3074 uuid_clear(policy->applied_real_app_uuid);
3075 }
3076 if (!uuid_is_null(policy->applied_result_uuid)) {
3077 necp_remove_uuid_service_id_mapping(policy->applied_result_uuid);
3078 uuid_clear(policy->applied_result_uuid);
3079 }
3080
3081 // Release string mappings
3082 if (policy->applied_account != NULL) {
3083 necp_remove_string_to_id_mapping(&necp_account_id_list, policy->applied_account);
3084 FREE(policy->applied_account, M_NECP);
3085 policy->applied_account = NULL;
3086 }
3087
3088 // Release route rule
3089 if (policy->applied_route_rules_id != 0) {
3090 necp_remove_route_rule(&necp_route_rules, policy->applied_route_rules_id);
3091 policy->applied_route_rules_id = 0;
3092 }
3093
3094 // Remove socket policies
3095 for (i = 0; i < MAX_KERNEL_SOCKET_POLICIES; i++) {
3096 if (policy->kernel_socket_policies[i] != 0) {
3097 necp_kernel_socket_policy_delete(policy->kernel_socket_policies[i]);
3098 policy->kernel_socket_policies[i] = 0;
3099 }
3100 }
3101
3102 // Remove IP output policies
3103 for (i = 0; i < MAX_KERNEL_IP_OUTPUT_POLICIES; i++) {
3104 if (policy->kernel_ip_output_policies[i] != 0) {
3105 necp_kernel_ip_output_policy_delete(policy->kernel_ip_output_policies[i]);
3106 policy->kernel_ip_output_policies[i] = 0;
3107 }
3108 }
3109
3110 policy->applied = FALSE;
3111
3112 return TRUE;
3113 }
3114
3115 #define NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION 0
3116 #define NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION 1
3117 #define NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION 2
3118 #define NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS 3
3119 struct necp_policy_result_ip_tunnel {
3120 u_int32_t secondary_result;
3121 char interface_name[IFXNAMSIZ];
3122 } __attribute__((__packed__));
3123
3124 struct necp_policy_result_service {
3125 uuid_t identifier;
3126 u_int32_t data;
3127 } __attribute__((__packed__));
3128
3129 static bool
3130 necp_policy_apply(struct necp_session *session, struct necp_session_policy *policy)
3131 {
3132 bool socket_only_conditions = FALSE;
3133 bool socket_ip_conditions = FALSE;
3134
3135 bool socket_layer_non_id_conditions = FALSE;
3136 bool ip_output_layer_non_id_conditions = FALSE;
3137 bool ip_output_layer_non_id_only = FALSE;
3138 bool ip_output_layer_id_condition = FALSE;
3139 bool ip_output_layer_tunnel_condition_from_id = FALSE;
3140 bool ip_output_layer_tunnel_condition_from_non_id = FALSE;
3141 necp_kernel_policy_id cond_ip_output_layer_id = NECP_KERNEL_POLICY_ID_NONE;
3142
3143 u_int32_t master_condition_mask = 0;
3144 u_int32_t master_condition_negated_mask = 0;
3145 ifnet_t cond_bound_interface = NULL;
3146 u_int32_t cond_account_id = 0;
3147 char *cond_domain = NULL;
3148 char *cond_custom_entitlement = NULL;
3149 pid_t cond_pid = 0;
3150 uid_t cond_uid = 0;
3151 necp_app_id cond_app_id = 0;
3152 necp_app_id cond_real_app_id = 0;
3153 struct necp_policy_condition_tc_range cond_traffic_class;
3154 cond_traffic_class.start_tc = 0;
3155 cond_traffic_class.end_tc = 0;
3156 u_int16_t cond_protocol = 0;
3157 union necp_sockaddr_union cond_local_start;
3158 union necp_sockaddr_union cond_local_end;
3159 u_int8_t cond_local_prefix = 0;
3160 union necp_sockaddr_union cond_remote_start;
3161 union necp_sockaddr_union cond_remote_end;
3162 u_int8_t cond_remote_prefix = 0;
3163 u_int32_t cond_client_flags = 0;
3164 u_int32_t offset = 0;
3165 u_int8_t ultimate_result = 0;
3166 u_int32_t secondary_result = 0;
3167 struct necp_policy_condition_agent_type cond_agent_type = {};
3168 necp_kernel_policy_result_parameter secondary_result_parameter;
3169 memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
3170 u_int32_t cond_last_interface_index = 0;
3171 necp_kernel_policy_result_parameter ultimate_result_parameter;
3172 memset(&ultimate_result_parameter, 0, sizeof(ultimate_result_parameter));
3173
3174 if (policy == NULL) {
3175 return FALSE;
3176 }
3177
3178 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
3179
3180 // Process conditions
3181 while (offset < policy->conditions_size) {
3182 u_int32_t length = 0;
3183 u_int8_t *value = necp_buffer_get_tlv_value(policy->conditions, offset, &length);
3184
3185 u_int8_t condition_type = necp_policy_condition_get_type_from_buffer(value, length);
3186 u_int8_t condition_flags = necp_policy_condition_get_flags_from_buffer(value, length);
3187 bool condition_is_negative = condition_flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE;
3188 u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(value, length);
3189 u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
3190 switch (condition_type) {
3191 case NECP_POLICY_CONDITION_DEFAULT: {
3192 socket_ip_conditions = TRUE;
3193 break;
3194 }
3195 case NECP_POLICY_CONDITION_ALL_INTERFACES: {
3196 master_condition_mask |= NECP_KERNEL_CONDITION_ALL_INTERFACES;
3197 socket_ip_conditions = TRUE;
3198 break;
3199 }
3200 case NECP_POLICY_CONDITION_HAS_CLIENT: {
3201 master_condition_mask |= NECP_KERNEL_CONDITION_HAS_CLIENT;
3202 socket_only_conditions = TRUE;
3203 break;
3204 }
3205 case NECP_POLICY_CONDITION_ENTITLEMENT: {
3206 if (condition_length > 0) {
3207 if (cond_custom_entitlement == NULL) {
3208 cond_custom_entitlement = necp_copy_string((char *)condition_value, condition_length);
3209 if (cond_custom_entitlement != NULL) {
3210 master_condition_mask |= NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT;
3211 socket_only_conditions = TRUE;
3212 }
3213 }
3214 } else {
3215 master_condition_mask |= NECP_KERNEL_CONDITION_ENTITLEMENT;
3216 socket_only_conditions = TRUE;
3217 }
3218 break;
3219 }
3220 case NECP_POLICY_CONDITION_PLATFORM_BINARY: {
3221 master_condition_mask |= NECP_KERNEL_CONDITION_PLATFORM_BINARY;
3222 socket_only_conditions = TRUE;
3223 break;
3224 }
3225 case NECP_POLICY_CONDITION_DOMAIN: {
3226 // Make sure there is only one such rule
3227 if (condition_length > 0 && cond_domain == NULL) {
3228 cond_domain = necp_create_trimmed_domain((char *)condition_value, condition_length);
3229 if (cond_domain != NULL) {
3230 master_condition_mask |= NECP_KERNEL_CONDITION_DOMAIN;
3231 if (condition_is_negative) {
3232 master_condition_negated_mask |= NECP_KERNEL_CONDITION_DOMAIN;
3233 }
3234 socket_only_conditions = TRUE;
3235 }
3236 }
3237 break;
3238 }
3239 case NECP_POLICY_CONDITION_ACCOUNT: {
3240 // Make sure there is only one such rule
3241 if (condition_length > 0 && cond_account_id == 0 && policy->applied_account == NULL) {
3242 char *string = NULL;
3243 MALLOC(string, char *, condition_length + 1, M_NECP, M_WAITOK);
3244 if (string != NULL) {
3245 memcpy(string, condition_value, condition_length);
3246 string[condition_length] = 0;
3247 cond_account_id = necp_create_string_to_id_mapping(&necp_account_id_list, string);
3248 if (cond_account_id != 0) {
3249 policy->applied_account = string; // Save the string in parent policy
3250 master_condition_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
3251 if (condition_is_negative) {
3252 master_condition_negated_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
3253 }
3254 socket_only_conditions = TRUE;
3255 } else {
3256 FREE(string, M_NECP);
3257 }
3258 }
3259 }
3260 break;
3261 }
3262 case NECP_POLICY_CONDITION_APPLICATION: {
3263 // Make sure there is only one such rule, because we save the uuid in the policy
3264 if (condition_length >= sizeof(uuid_t) && cond_app_id == 0) {
3265 bool allocated_mapping = FALSE;
3266 uuid_t application_uuid;
3267 memcpy(application_uuid, condition_value, sizeof(uuid_t));
3268 cond_app_id = necp_create_uuid_app_id_mapping(application_uuid, &allocated_mapping, TRUE);
3269 if (cond_app_id != 0) {
3270 if (allocated_mapping) {
3271 necp_uuid_app_id_mappings_dirty = TRUE;
3272 necp_num_uuid_app_id_mappings++;
3273 }
3274 uuid_copy(policy->applied_app_uuid, application_uuid);
3275 master_condition_mask |= NECP_KERNEL_CONDITION_APP_ID;
3276 if (condition_is_negative) {
3277 master_condition_negated_mask |= NECP_KERNEL_CONDITION_APP_ID;
3278 }
3279 socket_only_conditions = TRUE;
3280 }
3281 }
3282 break;
3283 }
3284 case NECP_POLICY_CONDITION_REAL_APPLICATION: {
3285 // Make sure there is only one such rule, because we save the uuid in the policy
3286 if (condition_length >= sizeof(uuid_t) && cond_real_app_id == 0) {
3287 uuid_t real_application_uuid;
3288 memcpy(real_application_uuid, condition_value, sizeof(uuid_t));
3289 cond_real_app_id = necp_create_uuid_app_id_mapping(real_application_uuid, NULL, FALSE);
3290 if (cond_real_app_id != 0) {
3291 uuid_copy(policy->applied_real_app_uuid, real_application_uuid);
3292 master_condition_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
3293 if (condition_is_negative) {
3294 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
3295 }
3296 socket_only_conditions = TRUE;
3297 }
3298 }
3299 break;
3300 }
3301 case NECP_POLICY_CONDITION_PID: {
3302 if (condition_length >= sizeof(pid_t)) {
3303 master_condition_mask |= NECP_KERNEL_CONDITION_PID;
3304 if (condition_is_negative) {
3305 master_condition_negated_mask |= NECP_KERNEL_CONDITION_PID;
3306 }
3307 memcpy(&cond_pid, condition_value, sizeof(cond_pid));
3308 socket_only_conditions = TRUE;
3309 }
3310 break;
3311 }
3312 case NECP_POLICY_CONDITION_UID: {
3313 if (condition_length >= sizeof(uid_t)) {
3314 master_condition_mask |= NECP_KERNEL_CONDITION_UID;
3315 if (condition_is_negative) {
3316 master_condition_negated_mask |= NECP_KERNEL_CONDITION_UID;
3317 }
3318 memcpy(&cond_uid, condition_value, sizeof(cond_uid));
3319 socket_only_conditions = TRUE;
3320 }
3321 break;
3322 }
3323 case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
3324 if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
3325 master_condition_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
3326 if (condition_is_negative) {
3327 master_condition_negated_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
3328 }
3329 memcpy(&cond_traffic_class, condition_value, sizeof(cond_traffic_class));
3330 socket_only_conditions = TRUE;
3331 }
3332 break;
3333 }
3334 case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
3335 if (condition_length <= IFXNAMSIZ && condition_length > 0) {
3336 char interface_name[IFXNAMSIZ];
3337 memcpy(interface_name, condition_value, condition_length);
3338 interface_name[condition_length - 1] = 0; // Make sure the string is NULL terminated
3339 if (ifnet_find_by_name(interface_name, &cond_bound_interface) == 0) {
3340 master_condition_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
3341 if (condition_is_negative) {
3342 master_condition_negated_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
3343 }
3344 }
3345 socket_ip_conditions = TRUE;
3346 }
3347 break;
3348 }
3349 case NECP_POLICY_CONDITION_IP_PROTOCOL:
3350 case NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL: {
3351 if (condition_length >= sizeof(u_int16_t)) {
3352 master_condition_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
3353 if (condition_is_negative) {
3354 master_condition_negated_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
3355 }
3356 memcpy(&cond_protocol, condition_value, sizeof(cond_protocol));
3357 if (condition_type == NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL) {
3358 socket_only_conditions = TRUE;
3359 } else {
3360 socket_ip_conditions = TRUE;
3361 }
3362 }
3363 break;
3364 }
3365 case NECP_POLICY_CONDITION_LOCAL_NETWORKS: {
3366 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_NETWORKS;
3367 socket_ip_conditions = TRUE;
3368 break;
3369 }
3370 case NECP_POLICY_CONDITION_LOCAL_ADDR:
3371 case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR: {
3372 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
3373 if (!necp_address_is_valid(&address_struct->address.sa)) {
3374 break;
3375 }
3376
3377 cond_local_prefix = address_struct->prefix;
3378 memcpy(&cond_local_start, &address_struct->address, sizeof(address_struct->address));
3379 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3380 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
3381 if (condition_is_negative) {
3382 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3383 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
3384 }
3385 if (condition_type == NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR) {
3386 socket_only_conditions = TRUE;
3387 } else {
3388 socket_ip_conditions = TRUE;
3389 }
3390 break;
3391 }
3392 case NECP_POLICY_CONDITION_REMOTE_ADDR:
3393 case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR: {
3394 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
3395 if (!necp_address_is_valid(&address_struct->address.sa)) {
3396 break;
3397 }
3398
3399 cond_remote_prefix = address_struct->prefix;
3400 memcpy(&cond_remote_start, &address_struct->address, sizeof(address_struct->address));
3401 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3402 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
3403 if (condition_is_negative) {
3404 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3405 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
3406 }
3407 if (condition_type == NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR) {
3408 socket_only_conditions = TRUE;
3409 } else {
3410 socket_ip_conditions = TRUE;
3411 }
3412 break;
3413 }
3414 case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
3415 case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE: {
3416 struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
3417 if (!necp_address_is_valid(&address_struct->start_address.sa) ||
3418 !necp_address_is_valid(&address_struct->end_address.sa)) {
3419 break;
3420 }
3421
3422 memcpy(&cond_local_start, &address_struct->start_address, sizeof(address_struct->start_address));
3423 memcpy(&cond_local_end, &address_struct->end_address, sizeof(address_struct->end_address));
3424 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3425 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
3426 if (condition_is_negative) {
3427 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
3428 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
3429 }
3430 if (condition_type == NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE) {
3431 socket_only_conditions = TRUE;
3432 } else {
3433 socket_ip_conditions = TRUE;
3434 }
3435 break;
3436 }
3437 case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE:
3438 case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE: {
3439 struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
3440 if (!necp_address_is_valid(&address_struct->start_address.sa) ||
3441 !necp_address_is_valid(&address_struct->end_address.sa)) {
3442 break;
3443 }
3444
3445 memcpy(&cond_remote_start, &address_struct->start_address, sizeof(address_struct->start_address));
3446 memcpy(&cond_remote_end, &address_struct->end_address, sizeof(address_struct->end_address));
3447 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3448 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
3449 if (condition_is_negative) {
3450 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
3451 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
3452 }
3453 if (condition_type == NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE) {
3454 socket_only_conditions = TRUE;
3455 } else {
3456 socket_ip_conditions = TRUE;
3457 }
3458 break;
3459 }
3460 case NECP_POLICY_CONDITION_AGENT_TYPE: {
3461 if (condition_length >= sizeof(cond_agent_type)) {
3462 master_condition_mask |= NECP_KERNEL_CONDITION_AGENT_TYPE;
3463 memcpy(&cond_agent_type, condition_value, sizeof(cond_agent_type));
3464 socket_only_conditions = TRUE;
3465 }
3466 break;
3467 }
3468 case NECP_POLICY_CONDITION_CLIENT_FLAGS: {
3469 if (condition_is_negative) {
3470 master_condition_negated_mask |= NECP_KERNEL_CONDITION_CLIENT_FLAGS;
3471 }
3472 master_condition_mask |= NECP_KERNEL_CONDITION_CLIENT_FLAGS;
3473 socket_only_conditions = TRUE;
3474 if (condition_length >= sizeof(u_int32_t)) {
3475 memcpy(&cond_client_flags, condition_value, sizeof(cond_client_flags));
3476 } else {
3477 // Empty means match on fallback traffic
3478 cond_client_flags = NECP_CLIENT_PARAMETER_FLAG_FALLBACK_TRAFFIC;
3479 }
3480 break;
3481 }
3482 case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY: {
3483 master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_EMPTY;
3484 if (condition_is_negative) {
3485 master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_EMPTY;
3486 }
3487 socket_only_conditions = TRUE;
3488 break;
3489 }
3490 case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY: {
3491 master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_EMPTY;
3492 if (condition_is_negative) {
3493 master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_EMPTY;
3494 }
3495 socket_only_conditions = TRUE;
3496 break;
3497 }
3498 default: {
3499 break;
3500 }
3501 }
3502
3503 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
3504 }
3505
3506 // Process result
3507 ultimate_result = necp_policy_get_result_type(policy);
3508 switch (ultimate_result) {
3509 case NECP_POLICY_RESULT_PASS: {
3510 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3511 socket_layer_non_id_conditions = TRUE;
3512 ip_output_layer_id_condition = TRUE;
3513 } else if (socket_ip_conditions) {
3514 socket_layer_non_id_conditions = TRUE;
3515 ip_output_layer_id_condition = TRUE;
3516 ip_output_layer_non_id_conditions = TRUE;
3517 }
3518 break;
3519 }
3520 case NECP_POLICY_RESULT_DROP: {
3521 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3522 socket_layer_non_id_conditions = TRUE;
3523 } else if (socket_ip_conditions) {
3524 socket_layer_non_id_conditions = TRUE;
3525 ip_output_layer_non_id_conditions = TRUE;
3526 ip_output_layer_non_id_only = TRUE; // Only apply drop to packets that didn't go through socket layer
3527 }
3528 break;
3529 }
3530 case NECP_POLICY_RESULT_SKIP: {
3531 u_int32_t skip_policy_order = 0;
3532 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&skip_policy_order, sizeof(skip_policy_order))) {
3533 ultimate_result_parameter.skip_policy_order = skip_policy_order;
3534 }
3535
3536 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3537 socket_layer_non_id_conditions = TRUE;
3538 ip_output_layer_id_condition = TRUE;
3539 } else if (socket_ip_conditions) {
3540 socket_layer_non_id_conditions = TRUE;
3541 ip_output_layer_non_id_conditions = TRUE;
3542 }
3543 break;
3544 }
3545 case NECP_POLICY_RESULT_SOCKET_DIVERT:
3546 case NECP_POLICY_RESULT_SOCKET_FILTER: {
3547 u_int32_t control_unit = 0;
3548 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&control_unit, sizeof(control_unit))) {
3549 ultimate_result_parameter.flow_divert_control_unit = control_unit;
3550 }
3551 socket_layer_non_id_conditions = TRUE;
3552 break;
3553 }
3554 case NECP_POLICY_RESULT_IP_TUNNEL: {
3555 struct necp_policy_result_ip_tunnel tunnel_parameters;
3556 u_int32_t tunnel_parameters_length = necp_policy_get_result_parameter_length(policy);
3557 if (tunnel_parameters_length > sizeof(u_int32_t) &&
3558 tunnel_parameters_length <= sizeof(struct necp_policy_result_ip_tunnel) &&
3559 necp_policy_get_result_parameter(policy, (u_int8_t *)&tunnel_parameters, sizeof(tunnel_parameters))) {
3560 ifnet_t tunnel_interface = NULL;
3561 tunnel_parameters.interface_name[tunnel_parameters_length - sizeof(u_int32_t) - 1] = 0; // Make sure the string is NULL terminated
3562 if (ifnet_find_by_name(tunnel_parameters.interface_name, &tunnel_interface) == 0) {
3563 ultimate_result_parameter.tunnel_interface_index = tunnel_interface->if_index;
3564 ifnet_release(tunnel_interface);
3565 }
3566
3567 secondary_result = tunnel_parameters.secondary_result;
3568 if (secondary_result) {
3569 cond_last_interface_index = ultimate_result_parameter.tunnel_interface_index;
3570 }
3571 }
3572
3573 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3574 socket_layer_non_id_conditions = TRUE;
3575 ip_output_layer_id_condition = TRUE;
3576 if (secondary_result) {
3577 ip_output_layer_tunnel_condition_from_id = TRUE;
3578 }
3579 } else if (socket_ip_conditions) {
3580 socket_layer_non_id_conditions = TRUE;
3581 ip_output_layer_id_condition = TRUE;
3582 ip_output_layer_non_id_conditions = TRUE;
3583 if (secondary_result) {
3584 ip_output_layer_tunnel_condition_from_id = TRUE;
3585 ip_output_layer_tunnel_condition_from_non_id = TRUE;
3586 }
3587 }
3588 break;
3589 }
3590 case NECP_POLICY_RESULT_TRIGGER:
3591 case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
3592 case NECP_POLICY_RESULT_TRIGGER_SCOPED:
3593 case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
3594 struct necp_policy_result_service service_parameters;
3595 u_int32_t service_result_length = necp_policy_get_result_parameter_length(policy);
3596 bool has_extra_service_data = FALSE;
3597 if (service_result_length >= (sizeof(service_parameters))) {
3598 has_extra_service_data = TRUE;
3599 }
3600 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&service_parameters, sizeof(service_parameters))) {
3601 ultimate_result_parameter.service.identifier = necp_create_uuid_service_id_mapping(service_parameters.identifier);
3602 if (ultimate_result_parameter.service.identifier != 0) {
3603 uuid_copy(policy->applied_result_uuid, service_parameters.identifier);
3604 socket_layer_non_id_conditions = TRUE;
3605 if (has_extra_service_data) {
3606 ultimate_result_parameter.service.data = service_parameters.data;
3607 } else {
3608 ultimate_result_parameter.service.data = 0;
3609 }
3610 }
3611 }
3612 break;
3613 }
3614 case NECP_POLICY_RESULT_USE_NETAGENT:
3615 case NECP_POLICY_RESULT_NETAGENT_SCOPED: {
3616 uuid_t netagent_uuid;
3617 if (necp_policy_get_result_parameter(policy, (u_int8_t *)&netagent_uuid, sizeof(netagent_uuid))) {
3618 ultimate_result_parameter.netagent_id = necp_create_uuid_service_id_mapping(netagent_uuid);
3619 if (ultimate_result_parameter.netagent_id != 0) {
3620 uuid_copy(policy->applied_result_uuid, netagent_uuid);
3621 socket_layer_non_id_conditions = TRUE;
3622 }
3623 }
3624 break;
3625 }
3626 case NECP_POLICY_RESULT_SOCKET_SCOPED: {
3627 u_int32_t interface_name_length = necp_policy_get_result_parameter_length(policy);
3628 if (interface_name_length <= IFXNAMSIZ && interface_name_length > 0) {
3629 char interface_name[IFXNAMSIZ];
3630 ifnet_t scope_interface = NULL;
3631 necp_policy_get_result_parameter(policy, (u_int8_t *)interface_name, interface_name_length);
3632 interface_name[interface_name_length - 1] = 0; // Make sure the string is NULL terminated
3633 if (ifnet_find_by_name(interface_name, &scope_interface) == 0) {
3634 ultimate_result_parameter.scoped_interface_index = scope_interface->if_index;
3635 socket_layer_non_id_conditions = TRUE;
3636 ifnet_release(scope_interface);
3637 }
3638 }
3639 break;
3640 }
3641 case NECP_POLICY_RESULT_SCOPED_DIRECT: {
3642 socket_layer_non_id_conditions = TRUE;
3643 break;
3644 }
3645 case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
3646 socket_layer_non_id_conditions = TRUE;
3647 break;
3648 }
3649 case NECP_POLICY_RESULT_ROUTE_RULES: {
3650 if (policy->route_rules != NULL && policy->route_rules_size > 0) {
3651 u_int32_t route_rule_id = necp_create_route_rule(&necp_route_rules, policy->route_rules, policy->route_rules_size);
3652 if (route_rule_id > 0) {
3653 policy->applied_route_rules_id = route_rule_id;
3654 ultimate_result_parameter.route_rule_id = route_rule_id;
3655 if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
3656 socket_layer_non_id_conditions = TRUE;
3657 } else if (socket_ip_conditions) {
3658 socket_layer_non_id_conditions = TRUE;
3659 ip_output_layer_non_id_conditions = TRUE;
3660 ip_output_layer_non_id_only = TRUE; // Only apply route rules to packets that didn't go through socket layer
3661 }
3662 }
3663 }
3664 break;
3665 }
3666 default: {
3667 break;
3668 }
3669 }
3670
3671 if (socket_layer_non_id_conditions) {
3672 necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_custom_entitlement, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, &cond_agent_type, cond_client_flags, ultimate_result, ultimate_result_parameter);
3673
3674 if (policy_id == 0) {
3675 NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
3676 goto fail;
3677 }
3678
3679 cond_ip_output_layer_id = policy_id;
3680 policy->kernel_socket_policies[0] = policy_id;
3681 }
3682
3683 if (ip_output_layer_non_id_conditions) {
3684 u_int32_t condition_mask = master_condition_mask;
3685 if (ip_output_layer_non_id_only) {
3686 condition_mask |= NECP_KERNEL_CONDITION_POLICY_ID;
3687 }
3688
3689 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
3690
3691 if (policy_id == 0) {
3692 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
3693 goto fail;
3694 }
3695
3696 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS] = policy_id;
3697 }
3698
3699 if (ip_output_layer_id_condition) {
3700 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, ultimate_result, ultimate_result_parameter);
3701
3702 if (policy_id == 0) {
3703 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
3704 goto fail;
3705 }
3706
3707 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION] = policy_id;
3708 }
3709
3710 // Extra policies for IP Output tunnels for when packets loop back
3711 if (ip_output_layer_tunnel_condition_from_id) {
3712 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
3713
3714 if (policy_id == 0) {
3715 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
3716 goto fail;
3717 }
3718
3719 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION] = policy_id;
3720 }
3721
3722 if (ip_output_layer_tunnel_condition_from_id) {
3723 necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
3724
3725 if (policy_id == 0) {
3726 NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
3727 goto fail;
3728 }
3729
3730 policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION] = policy_id;
3731 }
3732
3733 policy->applied = TRUE;
3734 policy->pending_update = FALSE;
3735 return TRUE;
3736
3737 fail:
3738 return FALSE;
3739 }
3740
3741 static void
3742 necp_policy_apply_all(struct necp_session *session)
3743 {
3744 struct necp_session_policy *policy = NULL;
3745 struct necp_session_policy *temp_policy = NULL;
3746 struct kev_necp_policies_changed_data kev_data;
3747 kev_data.changed_count = 0;
3748
3749 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
3750
3751 // Remove exisiting applied policies
3752 if (session->dirty) {
3753 LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
3754 if (policy->pending_deletion) {
3755 if (policy->applied) {
3756 necp_policy_unapply(policy);
3757 }
3758 // Delete the policy
3759 necp_policy_delete(session, policy);
3760 } else if (!policy->applied) {
3761 necp_policy_apply(session, policy);
3762 } else if (policy->pending_update) {
3763 // Must have been applied, but needs an update. Remove and re-add.
3764 necp_policy_unapply(policy);
3765 necp_policy_apply(session, policy);
3766 }
3767 }
3768
3769 necp_kernel_socket_policies_update_uuid_table();
3770 necp_kernel_socket_policies_reprocess();
3771 necp_kernel_ip_output_policies_reprocess();
3772
3773 // Clear dirty bit flags
3774 session->dirty = FALSE;
3775 }
3776
3777 lck_rw_done(&necp_kernel_policy_lock);
3778
3779 necp_update_all_clients();
3780 necp_post_change_event(&kev_data);
3781
3782 if (necp_debug) {
3783 NECPLOG0(LOG_DEBUG, "Applied NECP policies");
3784 }
3785 }
3786
3787 // Kernel Policy Management
3788 // ---------------------
3789 // Kernel policies are derived from session policies
3790 static necp_kernel_policy_id
3791 necp_kernel_policy_get_new_id(bool socket_level)
3792 {
3793 static necp_kernel_policy_id necp_last_kernel_socket_policy_id = 0;
3794 static necp_kernel_policy_id necp_last_kernel_ip_policy_id = 0;
3795
3796 necp_kernel_policy_id newid = NECP_KERNEL_POLICY_ID_NONE;
3797
3798 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
3799
3800 if (socket_level) {
3801 bool wrapped = FALSE;
3802 do {
3803 necp_last_kernel_socket_policy_id++;
3804 if (necp_last_kernel_socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET ||
3805 necp_last_kernel_socket_policy_id >= NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
3806 if (wrapped) {
3807 // Already wrapped, give up
3808 NECPLOG0(LOG_ERR, "Failed to find a free socket kernel policy ID.\n");
3809 return NECP_KERNEL_POLICY_ID_NONE;
3810 }
3811 necp_last_kernel_socket_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET;
3812 wrapped = TRUE;
3813 }
3814 newid = necp_last_kernel_socket_policy_id;
3815 } while (necp_kernel_socket_policy_find(newid) != NULL); // If already used, keep trying
3816 } else {
3817 bool wrapped = FALSE;
3818 do {
3819 necp_last_kernel_ip_policy_id++;
3820 if (necp_last_kernel_ip_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
3821 if (wrapped) {
3822 // Already wrapped, give up
3823 NECPLOG0(LOG_ERR, "Failed to find a free IP kernel policy ID.\n");
3824 return NECP_KERNEL_POLICY_ID_NONE;
3825 }
3826 necp_last_kernel_ip_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_IP;
3827 wrapped = TRUE;
3828 }
3829 newid = necp_last_kernel_ip_policy_id;
3830 } while (necp_kernel_ip_output_policy_find(newid) != NULL); // If already used, keep trying
3831 }
3832
3833 if (newid == NECP_KERNEL_POLICY_ID_NONE) {
3834 NECPLOG0(LOG_ERR, "Allocate kernel policy id failed.\n");
3835 return NECP_KERNEL_POLICY_ID_NONE;
3836 }
3837
3838 return newid;
3839 }
3840
3841 #define NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT | NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT | NECP_KERNEL_CONDITION_AGENT_TYPE | NECP_KERNEL_CONDITION_HAS_CLIENT | NECP_KERNEL_CONDITION_LOCAL_NETWORKS | NECP_KERNEL_CONDITION_CLIENT_FLAGS | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_PLATFORM_BINARY)
3842
3843 static necp_kernel_policy_id
3844 necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, u_int32_t cond_client_flags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
3845 {
3846 struct necp_kernel_socket_policy *new_kernel_policy = NULL;
3847 struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
3848
3849 MALLOC_ZONE(new_kernel_policy, struct necp_kernel_socket_policy *, sizeof(*new_kernel_policy), M_NECP_SOCKET_POLICY, M_WAITOK);
3850 if (new_kernel_policy == NULL) {
3851 goto done;
3852 }
3853
3854 memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
3855 new_kernel_policy->id = necp_kernel_policy_get_new_id(true);
3856 new_kernel_policy->order = order;
3857 new_kernel_policy->session_order = session_order;
3858 new_kernel_policy->session_pid = session_pid;
3859
3860 // Sanitize condition mask
3861 new_kernel_policy->condition_mask = (condition_mask & NECP_KERNEL_VALID_SOCKET_CONDITIONS);
3862 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE)) {
3863 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_BOUND_INTERFACE;
3864 }
3865 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
3866 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REAL_APP_ID;
3867 }
3868 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
3869 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_ENTITLEMENT;
3870 }
3871 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
3872 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
3873 }
3874 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
3875 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
3876 }
3877 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
3878 new_kernel_policy->condition_mask &= ~(NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_LOCAL_END);
3879 }
3880 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY)) {
3881 new_kernel_policy->condition_mask &= ~(NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_REMOTE_END);
3882 }
3883 new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
3884
3885 // Set condition values
3886 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
3887 new_kernel_policy->cond_app_id = cond_app_id;
3888 }
3889 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
3890 new_kernel_policy->cond_real_app_id = cond_real_app_id;
3891 }
3892 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
3893 new_kernel_policy->cond_custom_entitlement = cond_custom_entitlement;
3894 new_kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_unknown;
3895 }
3896 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
3897 new_kernel_policy->cond_account_id = cond_account_id;
3898 }
3899 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
3900 new_kernel_policy->cond_domain = cond_domain;
3901 new_kernel_policy->cond_domain_dot_count = necp_count_dots(cond_domain, strlen(cond_domain));
3902 }
3903 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID) {
3904 new_kernel_policy->cond_pid = cond_pid;
3905 }
3906 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_UID) {
3907 new_kernel_policy->cond_uid = cond_uid;
3908 }
3909 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
3910 if (cond_bound_interface) {
3911 ifnet_reference(cond_bound_interface);
3912 }
3913 new_kernel_policy->cond_bound_interface = cond_bound_interface;
3914 }
3915 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
3916 new_kernel_policy->cond_traffic_class = cond_traffic_class;
3917 }
3918 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
3919 new_kernel_policy->cond_protocol = cond_protocol;
3920 }
3921 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
3922 memcpy(&new_kernel_policy->cond_local_start, cond_local_start, cond_local_start->sa.sa_len);
3923 }
3924 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
3925 memcpy(&new_kernel_policy->cond_local_end, cond_local_end, cond_local_end->sa.sa_len);
3926 }
3927 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
3928 new_kernel_policy->cond_local_prefix = cond_local_prefix;
3929 }
3930 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
3931 memcpy(&new_kernel_policy->cond_remote_start, cond_remote_start, cond_remote_start->sa.sa_len);
3932 }
3933 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
3934 memcpy(&new_kernel_policy->cond_remote_end, cond_remote_end, cond_remote_end->sa.sa_len);
3935 }
3936 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
3937 new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
3938 }
3939 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
3940 memcpy(&new_kernel_policy->cond_agent_type, cond_agent_type, sizeof(*cond_agent_type));
3941 }
3942 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
3943 new_kernel_policy->cond_client_flags = cond_client_flags;
3944 }
3945
3946 new_kernel_policy->result = result;
3947 memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
3948
3949 if (necp_debug) {
3950 NECPLOG(LOG_DEBUG, "Added kernel policy: socket, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
3951 }
3952 LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
3953 done:
3954 return new_kernel_policy ? new_kernel_policy->id : 0;
3955 }
3956
3957 static struct necp_kernel_socket_policy *
3958 necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id)
3959 {
3960 struct necp_kernel_socket_policy *kernel_policy = NULL;
3961 struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
3962
3963 if (policy_id == 0) {
3964 return NULL;
3965 }
3966
3967 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) {
3968 if (kernel_policy->id == policy_id) {
3969 return kernel_policy;
3970 }
3971 }
3972
3973 return NULL;
3974 }
3975
3976 static bool
3977 necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id)
3978 {
3979 struct necp_kernel_socket_policy *policy = NULL;
3980
3981 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
3982
3983 policy = necp_kernel_socket_policy_find(policy_id);
3984 if (policy) {
3985 LIST_REMOVE(policy, chain);
3986
3987 if (policy->cond_bound_interface) {
3988 ifnet_release(policy->cond_bound_interface);
3989 policy->cond_bound_interface = NULL;
3990 }
3991
3992 if (policy->cond_domain) {
3993 FREE(policy->cond_domain, M_NECP);
3994 policy->cond_domain = NULL;
3995 }
3996
3997 if (policy->cond_custom_entitlement) {
3998 FREE(policy->cond_custom_entitlement, M_NECP);
3999 policy->cond_custom_entitlement = NULL;
4000 }
4001
4002 FREE_ZONE(policy, sizeof(*policy), M_NECP_SOCKET_POLICY);
4003 return TRUE;
4004 }
4005
4006 return FALSE;
4007 }
4008
4009 static inline const char *
4010 necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
4011 {
4012 uuid_string_t uuid_string;
4013 switch (result) {
4014 case NECP_KERNEL_POLICY_RESULT_NONE: {
4015 snprintf(result_string, MAX_RESULT_STRING_LEN, "None");
4016 break;
4017 }
4018 case NECP_KERNEL_POLICY_RESULT_PASS: {
4019 snprintf(result_string, MAX_RESULT_STRING_LEN, "Pass");
4020 break;
4021 }
4022 case NECP_KERNEL_POLICY_RESULT_SKIP: {
4023 snprintf(result_string, MAX_RESULT_STRING_LEN, "Skip (%u)", result_parameter.skip_policy_order);
4024 break;
4025 }
4026 case NECP_KERNEL_POLICY_RESULT_DROP: {
4027 snprintf(result_string, MAX_RESULT_STRING_LEN, "Drop");
4028 break;
4029 }
4030 case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
4031 snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketDivert (%d)", result_parameter.flow_divert_control_unit);
4032 break;
4033 }
4034 case NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER: {
4035 snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketFilter (%d)", result_parameter.filter_control_unit);
4036 break;
4037 }
4038 case NECP_KERNEL_POLICY_RESULT_IP_TUNNEL: {
4039 ifnet_t interface = ifindex2ifnet[result_parameter.tunnel_interface_index];
4040 snprintf(result_string, MAX_RESULT_STRING_LEN, "IPTunnel (%s%d)", ifnet_name(interface), ifnet_unit(interface));
4041 break;
4042 }
4043 case NECP_KERNEL_POLICY_RESULT_IP_FILTER: {
4044 snprintf(result_string, MAX_RESULT_STRING_LEN, "IPFilter");
4045 break;
4046 }
4047 case NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED: {
4048 ifnet_t interface = ifindex2ifnet[result_parameter.scoped_interface_index];
4049 snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketScoped (%s%d)", ifnet_name(interface), ifnet_unit(interface));
4050 break;
4051 }
4052 case NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT: {
4053 snprintf(result_string, MAX_RESULT_STRING_LEN, "ScopedDirect");
4054 break;
4055 }
4056 case NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED: {
4057 snprintf(result_string, MAX_RESULT_STRING_LEN, "AllowUnentitled");
4058 break;
4059 }
4060 case NECP_KERNEL_POLICY_RESULT_ROUTE_RULES: {
4061 int index = 0;
4062 char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];
4063 struct necp_route_rule *route_rule = necp_lookup_route_rule_locked(&necp_route_rules, result_parameter.route_rule_id);
4064 if (route_rule != NULL) {
4065 for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
4066 if (route_rule->exception_if_indices[index] != 0) {
4067 ifnet_t interface = ifindex2ifnet[route_rule->exception_if_indices[index]];
4068 snprintf(interface_names[index], IFXNAMSIZ, "%s%d", ifnet_name(interface), ifnet_unit(interface));
4069 } else {
4070 memset(interface_names[index], 0, IFXNAMSIZ);
4071 }
4072 }
4073 switch (route_rule->default_action) {
4074 case NECP_ROUTE_RULE_DENY_INTERFACE:
4075 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Only %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
4076 (route_rule->cellular_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Cell " : "",
4077 (route_rule->wifi_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "WiFi " : "",
4078 (route_rule->wired_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Wired " : "",
4079 (route_rule->expensive_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Exp " : "",
4080 (route_rule->constrained_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Constrained " : "",
4081 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[0] : "",
4082 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4083 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[1] : "",
4084 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4085 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[2] : "",
4086 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4087 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[3] : "",
4088 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4089 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[4] : "",
4090 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4091 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[5] : "",
4092 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4093 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[6] : "",
4094 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4095 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[7] : "",
4096 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4097 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[8] : "",
4098 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
4099 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[9] : "");
4100 break;
4101 case NECP_ROUTE_RULE_ALLOW_INTERFACE:
4102 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
4103 (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Cell " : "",
4104 (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!WiFi " : "",
4105 (route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Wired " : "",
4106 (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Exp " : "",
4107 (route_rule->constrained_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Constrained " : "",
4108 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4109 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[0] : "",
4110 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4111 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[1] : "",
4112 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4113 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[2] : "",
4114 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4115 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[3] : "",
4116 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4117 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[4] : "",
4118 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4119 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[5] : "",
4120 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4121 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[6] : "",
4122 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4123 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[7] : "",
4124 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4125 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[8] : "",
4126 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
4127 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[9] : "");
4128 break;
4129 case NECP_ROUTE_RULE_QOS_MARKING:
4130 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (QoSMarking %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
4131 (route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Cell " : "",
4132 (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING) ? "WiFi " : "",
4133 (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Wired " : "",
4134 (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Exp " : "",
4135 (route_rule->constrained_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Constrained " : "",
4136 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[0] : "",
4137 (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4138 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[1] : "",
4139 (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4140 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[2] : "",
4141 (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4142 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[3] : "",
4143 (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4144 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[4] : "",
4145 (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4146 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[5] : "",
4147 (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4148 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[6] : "",
4149 (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4150 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[7] : "",
4151 (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4152 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[8] : "",
4153 (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
4154 (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[9] : "");
4155 break;
4156 default:
4157 snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Unknown)");
4158 break;
4159 }
4160 }
4161 break;
4162 }
4163 case NECP_KERNEL_POLICY_RESULT_USE_NETAGENT: {
4164 bool found_mapping = FALSE;
4165 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
4166 if (mapping != NULL) {
4167 uuid_unparse(mapping->uuid, uuid_string);
4168 found_mapping = TRUE;
4169 }
4170 snprintf(result_string, MAX_RESULT_STRING_LEN, "UseNetAgent (%s)", found_mapping ? uuid_string : "Unknown");
4171 break;
4172 }
4173 case NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED: {
4174 bool found_mapping = FALSE;
4175 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
4176 if (mapping != NULL) {
4177 uuid_unparse(mapping->uuid, uuid_string);
4178 found_mapping = TRUE;
4179 }
4180 snprintf(result_string, MAX_RESULT_STRING_LEN, "NetAgentScoped (%s)", found_mapping ? uuid_string : "Unknown");
4181 break;
4182 }
4183 case NECP_POLICY_RESULT_TRIGGER: {
4184 bool found_mapping = FALSE;
4185 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4186 if (mapping != NULL) {
4187 uuid_unparse(mapping->uuid, uuid_string);
4188 found_mapping = TRUE;
4189 }
4190 snprintf(result_string, MAX_RESULT_STRING_LEN, "Trigger (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4191 break;
4192 }
4193 case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED: {
4194 bool found_mapping = FALSE;
4195 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4196 if (mapping != NULL) {
4197 uuid_unparse(mapping->uuid, uuid_string);
4198 found_mapping = TRUE;
4199 }
4200 snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerIfNeeded (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4201 break;
4202 }
4203 case NECP_POLICY_RESULT_TRIGGER_SCOPED: {
4204 bool found_mapping = FALSE;
4205 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4206 if (mapping != NULL) {
4207 uuid_unparse(mapping->uuid, uuid_string);
4208 found_mapping = TRUE;
4209 }
4210 snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4211 break;
4212 }
4213 case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
4214 bool found_mapping = FALSE;
4215 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
4216 if (mapping != NULL) {
4217 uuid_unparse(mapping->uuid, uuid_string);
4218 found_mapping = TRUE;
4219 }
4220 snprintf(result_string, MAX_RESULT_STRING_LEN, "NoTriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
4221 break;
4222 }
4223 default: {
4224 snprintf(result_string, MAX_RESULT_STRING_LEN, "Unknown %d (%d)", result, result_parameter.tunnel_interface_index);
4225 break;
4226 }
4227 }
4228 return result_string;
4229 }
4230
4231 static void
4232 necp_kernel_socket_policies_dump_all(void)
4233 {
4234 if (necp_debug) {
4235 struct necp_kernel_socket_policy *policy = NULL;
4236 int policy_i;
4237 int app_i;
4238 char result_string[MAX_RESULT_STRING_LEN];
4239 char proc_name_string[MAXCOMLEN + 1];
4240 memset(result_string, 0, MAX_RESULT_STRING_LEN);
4241 memset(proc_name_string, 0, MAXCOMLEN + 1);
4242
4243 NECPLOG0(LOG_DEBUG, "NECP Application Policies:\n");
4244 NECPLOG0(LOG_DEBUG, "-----------\n");
4245 for (policy_i = 0; necp_kernel_socket_policies_app_layer_map != NULL && necp_kernel_socket_policies_app_layer_map[policy_i] != NULL; policy_i++) {
4246 policy = necp_kernel_socket_policies_app_layer_map[policy_i];
4247 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
4248 NECPLOG(LOG_DEBUG, "\t%3d. Policy ID: %5d\tProcess: %10.10s\tOrder: %04d.%04d\tMask: %5x\tResult: %s\n", policy_i, policy->id, proc_name_string, policy->session_order, policy->order, policy->condition_mask, necp_get_result_description(result_string, policy->result, policy->result_parameter));
4249 }
4250 if (necp_kernel_socket_policies_app_layer_map[0] != NULL) {
4251 NECPLOG0(LOG_DEBUG, "-----------\n");
4252 }
4253
4254 NECPLOG0(LOG_DEBUG, "NECP Socket Policies:\n");
4255 NECPLOG0(LOG_DEBUG, "-----------\n");
4256 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4257 NECPLOG(LOG_DEBUG, "\tApp Bucket: %d\n", app_i);
4258 for (policy_i = 0; necp_kernel_socket_policies_map[app_i] != NULL && (necp_kernel_socket_policies_map[app_i])[policy_i] != NULL; policy_i++) {
4259 policy = (necp_kernel_socket_policies_map[app_i])[policy_i];
4260 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
4261 NECPLOG(LOG_DEBUG, "\t%3d. Policy ID: %5d\tProcess: %10.10s\tOrder: %04d.%04d\tMask: %5x\tResult: %s\n", policy_i, policy->id, proc_name_string, policy->session_order, policy->order, policy->condition_mask, necp_get_result_description(result_string, policy->result, policy->result_parameter));
4262 }
4263 NECPLOG0(LOG_DEBUG, "-----------\n");
4264 }
4265 }
4266 }
4267
4268 static inline bool
4269 necp_kernel_socket_result_is_trigger_service_type(struct necp_kernel_socket_policy *kernel_policy)
4270 {
4271 return kernel_policy->result >= NECP_KERNEL_POLICY_RESULT_TRIGGER && kernel_policy->result <= NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED;
4272 }
4273
4274 static inline bool
4275 necp_kernel_socket_policy_results_overlap(struct necp_kernel_socket_policy *upper_policy, struct necp_kernel_socket_policy *lower_policy)
4276 {
4277 if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_DROP) {
4278 // Drop always cancels out lower policies
4279 return TRUE;
4280 } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER ||
4281 upper_policy->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES ||
4282 upper_policy->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
4283 upper_policy->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED ||
4284 upper_policy->result == NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED) {
4285 // Filters and route rules never cancel out lower policies
4286 return FALSE;
4287 } else if (necp_kernel_socket_result_is_trigger_service_type(upper_policy)) {
4288 // Trigger/Scoping policies can overlap one another, but not other results
4289 return necp_kernel_socket_result_is_trigger_service_type(lower_policy);
4290 } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
4291 if (upper_policy->session_order != lower_policy->session_order) {
4292 // A skip cannot override a policy of a different session
4293 return FALSE;
4294 } else {
4295 if (upper_policy->result_parameter.skip_policy_order == 0 ||
4296 lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
4297 // This policy is beyond the skip
4298 return FALSE;
4299 } else {
4300 // This policy is inside the skip
4301 return TRUE;
4302 }
4303 }
4304 }
4305
4306 // A hard pass, flow divert, tunnel, or scope will currently block out lower policies
4307 return TRUE;
4308 }
4309
4310 static bool
4311 necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *policy, struct necp_kernel_socket_policy **policy_array, int valid_indices)
4312 {
4313 bool can_skip = FALSE;
4314 u_int32_t highest_skip_session_order = 0;
4315 u_int32_t highest_skip_order = 0;
4316 int i;
4317 for (i = 0; i < valid_indices; i++) {
4318 struct necp_kernel_socket_policy *compared_policy = policy_array[i];
4319
4320 // For policies in a skip window, we can't mark conflicting policies as unnecessary
4321 if (can_skip) {
4322 if (highest_skip_session_order != compared_policy->session_order ||
4323 (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
4324 // If we've moved on to the next session, or passed the skip window
4325 highest_skip_session_order = 0;
4326 highest_skip_order = 0;
4327 can_skip = FALSE;
4328 } else {
4329 // If this policy is also a skip, in can increase the skip window
4330 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
4331 if (compared_policy->result_parameter.skip_policy_order > highest_skip_order) {
4332 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
4333 }
4334 }
4335 continue;
4336 }
4337 }
4338
4339 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
4340 // This policy is a skip. Set the skip window accordingly
4341 can_skip = TRUE;
4342 highest_skip_session_order = compared_policy->session_order;
4343 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
4344 }
4345
4346 // The result of the compared policy must be able to block out this policy result
4347 if (!necp_kernel_socket_policy_results_overlap(compared_policy, policy)) {
4348 continue;
4349 }
4350
4351 // If new policy matches All Interfaces, compared policy must also
4352 if ((policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
4353 continue;
4354 }
4355
4356 // If new policy matches Local Networks, compared policy must also
4357 if ((policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS)) {
4358 continue;
4359 }
4360
4361 // Default makes lower policies unecessary always
4362 if (compared_policy->condition_mask == 0) {
4363 return TRUE;
4364 }
4365
4366 // Compared must be more general than policy, and include only conditions within policy
4367 if ((policy->condition_mask & compared_policy->condition_mask) != compared_policy->condition_mask) {
4368 continue;
4369 }
4370
4371 // Negative conditions must match for the overlapping conditions
4372 if ((policy->condition_negated_mask & compared_policy->condition_mask) != (compared_policy->condition_negated_mask & compared_policy->condition_mask)) {
4373 continue;
4374 }
4375
4376 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN &&
4377 strcmp(compared_policy->cond_domain, policy->cond_domain) != 0) {
4378 continue;
4379 }
4380
4381 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT &&
4382 strcmp(compared_policy->cond_custom_entitlement, policy->cond_custom_entitlement) != 0) {
4383 continue;
4384 }
4385
4386 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID &&
4387 compared_policy->cond_account_id != policy->cond_account_id) {
4388 continue;
4389 }
4390
4391 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
4392 compared_policy->cond_policy_id != policy->cond_policy_id) {
4393 continue;
4394 }
4395
4396 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID &&
4397 compared_policy->cond_app_id != policy->cond_app_id) {
4398 continue;
4399 }
4400
4401 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID &&
4402 compared_policy->cond_real_app_id != policy->cond_real_app_id) {
4403 continue;
4404 }
4405
4406 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PID &&
4407 compared_policy->cond_pid != policy->cond_pid) {
4408 continue;
4409 }
4410
4411 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_UID &&
4412 compared_policy->cond_uid != policy->cond_uid) {
4413 continue;
4414 }
4415
4416 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
4417 compared_policy->cond_bound_interface != policy->cond_bound_interface) {
4418 continue;
4419 }
4420
4421 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
4422 compared_policy->cond_protocol != policy->cond_protocol) {
4423 continue;
4424 }
4425
4426 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS &&
4427 compared_policy->cond_client_flags != policy->cond_client_flags) {
4428 continue;
4429 }
4430
4431 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS &&
4432 !(compared_policy->cond_traffic_class.start_tc <= policy->cond_traffic_class.start_tc &&
4433 compared_policy->cond_traffic_class.end_tc >= policy->cond_traffic_class.end_tc)) {
4434 continue;
4435 }
4436
4437 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
4438 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
4439 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&policy->cond_local_end, (struct sockaddr *)&compared_policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_end)) {
4440 continue;
4441 }
4442 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
4443 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
4444 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
4445 continue;
4446 }
4447 }
4448 }
4449
4450 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
4451 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
4452 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&policy->cond_remote_end, (struct sockaddr *)&compared_policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_end)) {
4453 continue;
4454 }
4455 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
4456 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
4457 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
4458 continue;
4459 }
4460 }
4461 }
4462
4463 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE &&
4464 memcmp(&compared_policy->cond_agent_type, &policy->cond_agent_type, sizeof(policy->cond_agent_type)) == 0) {
4465 continue;
4466 }
4467
4468 return TRUE;
4469 }
4470
4471 return FALSE;
4472 }
4473
4474 static bool
4475 necp_kernel_socket_policies_reprocess(void)
4476 {
4477 int app_i;
4478 int bucket_allocation_counts[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
4479 int bucket_current_free_index[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
4480 int app_layer_allocation_count = 0;
4481 int app_layer_current_free_index = 0;
4482 struct necp_kernel_socket_policy *kernel_policy = NULL;
4483
4484 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4485
4486 // Reset mask to 0
4487 necp_kernel_application_policies_condition_mask = 0;
4488 necp_kernel_socket_policies_condition_mask = 0;
4489 necp_kernel_application_policies_count = 0;
4490 necp_kernel_socket_policies_count = 0;
4491 necp_kernel_socket_policies_non_app_count = 0;
4492
4493 // Reset all maps to NULL
4494 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4495 if (necp_kernel_socket_policies_map[app_i] != NULL) {
4496 FREE(necp_kernel_socket_policies_map[app_i], M_NECP);
4497 necp_kernel_socket_policies_map[app_i] = NULL;
4498 }
4499
4500 // Init counts
4501 bucket_allocation_counts[app_i] = 0;
4502 }
4503 if (necp_kernel_socket_policies_app_layer_map != NULL) {
4504 FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
4505 necp_kernel_socket_policies_app_layer_map = NULL;
4506 }
4507
4508 // Create masks and counts
4509 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
4510 // App layer mask/count
4511 necp_kernel_application_policies_condition_mask |= kernel_policy->condition_mask;
4512 necp_kernel_application_policies_count++;
4513 app_layer_allocation_count++;
4514
4515 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
4516 // Agent type conditions only apply to app layer
4517 continue;
4518 }
4519
4520 // Update socket layer bucket mask/counts
4521 necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask;
4522 necp_kernel_socket_policies_count++;
4523
4524 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
4525 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
4526 necp_kernel_socket_policies_non_app_count++;
4527 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4528 bucket_allocation_counts[app_i]++;
4529 }
4530 } else {
4531 bucket_allocation_counts[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id)]++;
4532 }
4533 }
4534
4535 // Allocate maps
4536 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4537 if (bucket_allocation_counts[app_i] > 0) {
4538 // Allocate a NULL-terminated array of policy pointers for each bucket
4539 MALLOC(necp_kernel_socket_policies_map[app_i], struct necp_kernel_socket_policy **, sizeof(struct necp_kernel_socket_policy *) * (bucket_allocation_counts[app_i] + 1), M_NECP, M_WAITOK);
4540 if (necp_kernel_socket_policies_map[app_i] == NULL) {
4541 goto fail;
4542 }
4543
4544 // Initialize the first entry to NULL
4545 (necp_kernel_socket_policies_map[app_i])[0] = NULL;
4546 }
4547 bucket_current_free_index[app_i] = 0;
4548 }
4549 MALLOC(necp_kernel_socket_policies_app_layer_map, struct necp_kernel_socket_policy **, sizeof(struct necp_kernel_socket_policy *) * (app_layer_allocation_count + 1), M_NECP, M_WAITOK);
4550 if (necp_kernel_socket_policies_app_layer_map == NULL) {
4551 goto fail;
4552 }
4553 necp_kernel_socket_policies_app_layer_map[0] = NULL;
4554
4555 // Fill out maps
4556 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
4557 // Add app layer policies
4558 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
4559 necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
4560 app_layer_current_free_index++;
4561 necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
4562 }
4563
4564 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
4565 // Agent type conditions only apply to app layer
4566 continue;
4567 }
4568
4569 // Add socket policies
4570 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
4571 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
4572 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4573 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
4574 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
4575 bucket_current_free_index[app_i]++;
4576 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
4577 }
4578 }
4579 } else {
4580 app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id);
4581 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
4582 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
4583 bucket_current_free_index[app_i]++;
4584 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
4585 }
4586 }
4587 }
4588 necp_kernel_socket_policies_dump_all();
4589 BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT();
4590 return TRUE;
4591
4592 fail:
4593 // Free memory, reset masks to 0
4594 necp_kernel_application_policies_condition_mask = 0;
4595 necp_kernel_socket_policies_condition_mask = 0;
4596 necp_kernel_application_policies_count = 0;
4597 necp_kernel_socket_policies_count = 0;
4598 necp_kernel_socket_policies_non_app_count = 0;
4599 for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
4600 if (necp_kernel_socket_policies_map[app_i] != NULL) {
4601 FREE(necp_kernel_socket_policies_map[app_i], M_NECP);
4602 necp_kernel_socket_policies_map[app_i] = NULL;
4603 }
4604 }
4605 if (necp_kernel_socket_policies_app_layer_map != NULL) {
4606 FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
4607 necp_kernel_socket_policies_app_layer_map = NULL;
4608 }
4609 return FALSE;
4610 }
4611
4612 static u_int32_t
4613 necp_get_new_string_id(void)
4614 {
4615 static u_int32_t necp_last_string_id = 0;
4616
4617 u_int32_t newid = 0;
4618
4619 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4620
4621 bool wrapped = FALSE;
4622 do {
4623 necp_last_string_id++;
4624 if (necp_last_string_id < 1) {
4625 if (wrapped) {
4626 // Already wrapped, give up
4627 NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
4628 return 0;
4629 }
4630 necp_last_string_id = 1;
4631 wrapped = TRUE;
4632 }
4633 newid = necp_last_string_id;
4634 } while (necp_lookup_string_with_id_locked(&necp_account_id_list, newid) != NULL); // If already used, keep trying
4635
4636 if (newid == 0) {
4637 NECPLOG0(LOG_ERR, "Allocate string id failed.\n");
4638 return 0;
4639 }
4640
4641 return newid;
4642 }
4643
4644 static struct necp_string_id_mapping *
4645 necp_lookup_string_to_id_locked(struct necp_string_id_mapping_list *list, char *string)
4646 {
4647 struct necp_string_id_mapping *searchentry = NULL;
4648 struct necp_string_id_mapping *foundentry = NULL;
4649
4650 LIST_FOREACH(searchentry, list, chain) {
4651 if (strcmp(searchentry->string, string) == 0) {
4652 foundentry = searchentry;
4653 break;
4654 }
4655 }
4656
4657 return foundentry;
4658 }
4659
4660 static struct necp_string_id_mapping *
4661 necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id)
4662 {
4663 struct necp_string_id_mapping *searchentry = NULL;
4664 struct necp_string_id_mapping *foundentry = NULL;
4665
4666 LIST_FOREACH(searchentry, list, chain) {
4667 if (searchentry->id == local_id) {
4668 foundentry = searchentry;
4669 break;
4670 }
4671 }
4672
4673 return foundentry;
4674 }
4675
4676 static u_int32_t
4677 necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *string)
4678 {
4679 u_int32_t string_id = 0;
4680 struct necp_string_id_mapping *existing_mapping = NULL;
4681
4682 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4683
4684 existing_mapping = necp_lookup_string_to_id_locked(list, string);
4685 if (existing_mapping != NULL) {
4686 string_id = existing_mapping->id;
4687 os_ref_retain_locked(&existing_mapping->refcount);
4688 } else {
4689 struct necp_string_id_mapping *new_mapping = NULL;
4690 MALLOC(new_mapping, struct necp_string_id_mapping *, sizeof(struct necp_string_id_mapping), M_NECP, M_WAITOK);
4691 if (new_mapping != NULL) {
4692 memset(new_mapping, 0, sizeof(struct necp_string_id_mapping));
4693
4694 size_t length = strlen(string) + 1;
4695 MALLOC(new_mapping->string, char *, length, M_NECP, M_WAITOK);
4696 if (new_mapping->string != NULL) {
4697 memcpy(new_mapping->string, string, length);
4698 new_mapping->id = necp_get_new_string_id();
4699 os_ref_init(&new_mapping->refcount, &necp_refgrp);
4700 LIST_INSERT_HEAD(list, new_mapping, chain);
4701 string_id = new_mapping->id;
4702 } else {
4703 FREE(new_mapping, M_NECP);
4704 new_mapping = NULL;
4705 }
4706 }
4707 }
4708 return string_id;
4709 }
4710
4711 static bool
4712 necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *string)
4713 {
4714 struct necp_string_id_mapping *existing_mapping = NULL;
4715
4716 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4717
4718 existing_mapping = necp_lookup_string_to_id_locked(list, string);
4719 if (existing_mapping != NULL) {
4720 if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
4721 LIST_REMOVE(existing_mapping, chain);
4722 FREE(existing_mapping->string, M_NECP);
4723 FREE(existing_mapping, M_NECP);
4724 }
4725 return TRUE;
4726 }
4727
4728 return FALSE;
4729 }
4730
4731 #define NECP_FIRST_VALID_ROUTE_RULE_ID 1
4732 #define NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID UINT16_MAX
4733 static u_int32_t
4734 necp_get_new_route_rule_id(bool aggregate)
4735 {
4736 static u_int32_t necp_last_route_rule_id = 0;
4737 static u_int32_t necp_last_aggregate_route_rule_id = 0;
4738
4739 u_int32_t newid = 0;
4740
4741 if (!aggregate) {
4742 // Main necp_kernel_policy_lock protects non-aggregate rule IDs
4743 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4744
4745 bool wrapped = FALSE;
4746 do {
4747 necp_last_route_rule_id++;
4748 if (necp_last_route_rule_id < NECP_FIRST_VALID_ROUTE_RULE_ID ||
4749 necp_last_route_rule_id >= NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
4750 if (wrapped) {
4751 // Already wrapped, give up
4752 NECPLOG0(LOG_ERR, "Failed to find a free route rule id.\n");
4753 return 0;
4754 }
4755 necp_last_route_rule_id = NECP_FIRST_VALID_ROUTE_RULE_ID;
4756 wrapped = TRUE;
4757 }
4758 newid = necp_last_route_rule_id;
4759 } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
4760 } else {
4761 // necp_route_rule_lock protects aggregate rule IDs
4762 LCK_RW_ASSERT(&necp_route_rule_lock, LCK_RW_ASSERT_EXCLUSIVE);
4763
4764 bool wrapped = FALSE;
4765 do {
4766 necp_last_aggregate_route_rule_id++;
4767 if (necp_last_aggregate_route_rule_id < NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
4768 if (wrapped) {
4769 // Already wrapped, give up
4770 NECPLOG0(LOG_ERR, "Failed to find a free aggregate route rule id.\n");
4771 return 0;
4772 }
4773 necp_last_aggregate_route_rule_id = NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID;
4774 wrapped = TRUE;
4775 }
4776 newid = necp_last_aggregate_route_rule_id;
4777 } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
4778 }
4779
4780 if (newid == 0) {
4781 NECPLOG0(LOG_ERR, "Allocate route rule ID failed.\n");
4782 return 0;
4783 }
4784
4785 return newid;
4786 }
4787
4788 static struct necp_route_rule *
4789 necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id)
4790 {
4791 struct necp_route_rule *searchentry = NULL;
4792 struct necp_route_rule *foundentry = NULL;
4793
4794 LIST_FOREACH(searchentry, list, chain) {
4795 if (searchentry->id == route_rule_id) {
4796 foundentry = searchentry;
4797 break;
4798 }
4799 }
4800
4801 return foundentry;
4802 }
4803
4804 static struct necp_route_rule *
4805 necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_int32_t default_action, u_int8_t cellular_action, u_int8_t wifi_action, u_int8_t wired_action, u_int8_t expensive_action, u_int8_t constrained_action, u_int32_t *if_indices, u_int8_t *if_actions)
4806 {
4807 struct necp_route_rule *searchentry = NULL;
4808 struct necp_route_rule *foundentry = NULL;
4809
4810 LIST_FOREACH(searchentry, list, chain) {
4811 if (searchentry->default_action == default_action &&
4812 searchentry->cellular_action == cellular_action &&
4813 searchentry->wifi_action == wifi_action &&
4814 searchentry->wired_action == wired_action &&
4815 searchentry->expensive_action == expensive_action &&
4816 searchentry->constrained_action == constrained_action) {
4817 bool match_failed = FALSE;
4818 size_t index_a = 0;
4819 size_t index_b = 0;
4820 size_t count_a = 0;
4821 size_t count_b = 0;
4822 for (index_a = 0; index_a < MAX_ROUTE_RULE_INTERFACES; index_a++) {
4823 bool found_index = FALSE;
4824 if (searchentry->exception_if_indices[index_a] == 0) {
4825 break;
4826 }
4827 count_a++;
4828 for (index_b = 0; index_b < MAX_ROUTE_RULE_INTERFACES; index_b++) {
4829 if (if_indices[index_b] == 0) {
4830 break;
4831 }
4832 if (index_b >= count_b) {
4833 count_b = index_b + 1;
4834 }
4835 if (searchentry->exception_if_indices[index_a] == if_indices[index_b] &&
4836 searchentry->exception_if_actions[index_a] == if_actions[index_b]) {
4837 found_index = TRUE;
4838 break;
4839 }
4840 }
4841 if (!found_index) {
4842 match_failed = TRUE;
4843 break;
4844 }
4845 }
4846 if (!match_failed && count_a == count_b) {
4847 foundentry = searchentry;
4848 break;
4849 }
4850 }
4851 }
4852
4853 return foundentry;
4854 }
4855
4856 static u_int32_t
4857 necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size)
4858 {
4859 size_t offset = 0;
4860 u_int32_t route_rule_id = 0;
4861 struct necp_route_rule *existing_rule = NULL;
4862 u_int32_t default_action = NECP_ROUTE_RULE_ALLOW_INTERFACE;
4863 u_int8_t cellular_action = NECP_ROUTE_RULE_NONE;
4864 u_int8_t wifi_action = NECP_ROUTE_RULE_NONE;
4865 u_int8_t wired_action = NECP_ROUTE_RULE_NONE;
4866 u_int8_t expensive_action = NECP_ROUTE_RULE_NONE;
4867 u_int8_t constrained_action = NECP_ROUTE_RULE_NONE;
4868 u_int32_t if_indices[MAX_ROUTE_RULE_INTERFACES];
4869 size_t num_valid_indices = 0;
4870 memset(&if_indices, 0, sizeof(if_indices));
4871 u_int8_t if_actions[MAX_ROUTE_RULE_INTERFACES];
4872 memset(&if_actions, 0, sizeof(if_actions));
4873
4874 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4875
4876 if (route_rules_array == NULL || route_rules_array_size == 0) {
4877 return 0;
4878 }
4879
4880 // Process rules
4881 while (offset < route_rules_array_size) {
4882 ifnet_t rule_interface = NULL;
4883 char interface_name[IFXNAMSIZ];
4884 u_int32_t length = 0;
4885 u_int8_t *value = necp_buffer_get_tlv_value(route_rules_array, offset, &length);
4886
4887 u_int8_t rule_type = necp_policy_condition_get_type_from_buffer(value, length);
4888 u_int8_t rule_flags = necp_policy_condition_get_flags_from_buffer(value, length);
4889 u_int32_t rule_length = necp_policy_condition_get_value_length_from_buffer(value, length);
4890 u_int8_t *rule_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
4891
4892 if (rule_type == NECP_ROUTE_RULE_NONE) {
4893 // Don't allow an explicit rule to be None action
4894 continue;
4895 }
4896
4897 if (rule_length == 0) {
4898 if (rule_flags & NECP_ROUTE_RULE_FLAG_CELLULAR) {
4899 cellular_action = rule_type;
4900 }
4901 if (rule_flags & NECP_ROUTE_RULE_FLAG_WIFI) {
4902 wifi_action = rule_type;
4903 }
4904 if (rule_flags & NECP_ROUTE_RULE_FLAG_WIRED) {
4905 wired_action = rule_type;
4906 }
4907 if (rule_flags & NECP_ROUTE_RULE_FLAG_EXPENSIVE) {
4908 expensive_action = rule_type;
4909 }
4910 if (rule_flags & NECP_ROUTE_RULE_FLAG_CONSTRAINED) {
4911 constrained_action = rule_type;
4912 }
4913 if (rule_flags == 0) {
4914 default_action = rule_type;
4915 }
4916 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
4917 continue;
4918 }
4919
4920 if (num_valid_indices >= MAX_ROUTE_RULE_INTERFACES) {
4921 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
4922 continue;
4923 }
4924
4925 if (rule_length <= IFXNAMSIZ) {
4926 memcpy(interface_name, rule_value, rule_length);
4927 interface_name[rule_length - 1] = 0; // Make sure the string is NULL terminated
4928 if (ifnet_find_by_name(interface_name, &rule_interface) == 0) {
4929 if_actions[num_valid_indices] = rule_type;
4930 if_indices[num_valid_indices++] = rule_interface->if_index;
4931 ifnet_release(rule_interface);
4932 }
4933 }
4934 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
4935 }
4936
4937 existing_rule = necp_lookup_route_rule_by_contents_locked(list, default_action, cellular_action, wifi_action, wired_action, expensive_action, constrained_action, if_indices, if_actions);
4938 if (existing_rule != NULL) {
4939 route_rule_id = existing_rule->id;
4940 os_ref_retain_locked(&existing_rule->refcount);
4941 } else {
4942 struct necp_route_rule *new_rule = NULL;
4943 MALLOC(new_rule, struct necp_route_rule *, sizeof(struct necp_route_rule), M_NECP, M_WAITOK);
4944 if (new_rule != NULL) {
4945 memset(new_rule, 0, sizeof(struct necp_route_rule));
4946 route_rule_id = new_rule->id = necp_get_new_route_rule_id(false);
4947 new_rule->default_action = default_action;
4948 new_rule->cellular_action = cellular_action;
4949 new_rule->wifi_action = wifi_action;
4950 new_rule->wired_action = wired_action;
4951 new_rule->expensive_action = expensive_action;
4952 new_rule->constrained_action = constrained_action;
4953 memcpy(&new_rule->exception_if_indices, &if_indices, sizeof(if_indices));
4954 memcpy(&new_rule->exception_if_actions, &if_actions, sizeof(if_actions));
4955 os_ref_init(&new_rule->refcount, &necp_refgrp);
4956 LIST_INSERT_HEAD(list, new_rule, chain);
4957 }
4958 }
4959 return route_rule_id;
4960 }
4961
4962 static void
4963 necp_remove_aggregate_route_rule_for_id(u_int32_t rule_id)
4964 {
4965 if (rule_id) {
4966 lck_rw_lock_exclusive(&necp_route_rule_lock);
4967
4968 struct necp_aggregate_route_rule *existing_rule = NULL;
4969 struct necp_aggregate_route_rule *tmp_rule = NULL;
4970
4971 LIST_FOREACH_SAFE(existing_rule, &necp_aggregate_route_rules, chain, tmp_rule) {
4972 int index = 0;
4973 for (index = 0; index < MAX_AGGREGATE_ROUTE_RULES; index++) {
4974 u_int32_t route_rule_id = existing_rule->rule_ids[index];
4975 if (route_rule_id == rule_id) {
4976 LIST_REMOVE(existing_rule, chain);
4977 FREE(existing_rule, M_NECP);
4978 break;
4979 }
4980 }
4981 }
4982
4983 lck_rw_done(&necp_route_rule_lock);
4984 }
4985 }
4986
4987 static bool
4988 necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id)
4989 {
4990 struct necp_route_rule *existing_rule = NULL;
4991
4992 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
4993
4994 existing_rule = necp_lookup_route_rule_locked(list, route_rule_id);
4995 if (existing_rule != NULL) {
4996 if (os_ref_release_locked(&existing_rule->refcount) == 0) {
4997 necp_remove_aggregate_route_rule_for_id(existing_rule->id);
4998 LIST_REMOVE(existing_rule, chain);
4999 FREE(existing_rule, M_NECP);
5000 }
5001 return TRUE;
5002 }
5003
5004 return FALSE;
5005 }
5006
5007 static struct necp_aggregate_route_rule *
5008 necp_lookup_aggregate_route_rule_locked(u_int32_t route_rule_id)
5009 {
5010 struct necp_aggregate_route_rule *searchentry = NULL;
5011 struct necp_aggregate_route_rule *foundentry = NULL;
5012
5013 lck_rw_lock_shared(&necp_route_rule_lock);
5014
5015 LIST_FOREACH(searchentry, &necp_aggregate_route_rules, chain) {
5016 if (searchentry->id == route_rule_id) {
5017 foundentry = searchentry;
5018 break;
5019 }
5020 }
5021
5022 lck_rw_done(&necp_route_rule_lock);
5023
5024 return foundentry;
5025 }
5026
5027 static u_int32_t
5028 necp_create_aggregate_route_rule(u_int32_t *rule_ids)
5029 {
5030 u_int32_t aggregate_route_rule_id = 0;
5031 struct necp_aggregate_route_rule *new_rule = NULL;
5032 struct necp_aggregate_route_rule *existing_rule = NULL;
5033
5034 lck_rw_lock_exclusive(&necp_route_rule_lock);
5035
5036 // Check if the rule already exists
5037 LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
5038 if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
5039 lck_rw_done(&necp_route_rule_lock);
5040 return existing_rule->id;
5041 }
5042 }
5043
5044 MALLOC(new_rule, struct necp_aggregate_route_rule *, sizeof(struct necp_aggregate_route_rule), M_NECP, M_WAITOK);
5045 if (new_rule != NULL) {
5046 memset(new_rule, 0, sizeof(struct necp_aggregate_route_rule));
5047 aggregate_route_rule_id = new_rule->id = necp_get_new_route_rule_id(true);
5048 new_rule->id = aggregate_route_rule_id;
5049 memcpy(new_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES));
5050 LIST_INSERT_HEAD(&necp_aggregate_route_rules, new_rule, chain);
5051 }
5052 lck_rw_done(&necp_route_rule_lock);
5053
5054 return aggregate_route_rule_id;
5055 }
5056
5057 #define NECP_NULL_SERVICE_ID 1
5058 #define NECP_FIRST_VALID_SERVICE_ID 2
5059 #define NECP_FIRST_VALID_APP_ID UINT16_MAX
5060 static u_int32_t
5061 necp_get_new_uuid_id(bool service)
5062 {
5063 static u_int32_t necp_last_service_uuid_id = 0;
5064 static u_int32_t necp_last_app_uuid_id = 0;
5065
5066 u_int32_t newid = 0;
5067
5068 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5069
5070 if (service) {
5071 bool wrapped = FALSE;
5072 do {
5073 necp_last_service_uuid_id++;
5074 if (necp_last_service_uuid_id < NECP_FIRST_VALID_SERVICE_ID ||
5075 necp_last_service_uuid_id >= NECP_FIRST_VALID_APP_ID) {
5076 if (wrapped) {
5077 // Already wrapped, give up
5078 NECPLOG0(LOG_ERR, "Failed to find a free service UUID.\n");
5079 return NECP_NULL_SERVICE_ID;
5080 }
5081 necp_last_service_uuid_id = NECP_FIRST_VALID_SERVICE_ID;
5082 wrapped = TRUE;
5083 }
5084 newid = necp_last_service_uuid_id;
5085 } while (necp_uuid_lookup_uuid_with_service_id_locked(newid) != NULL); // If already used, keep trying
5086 } else {
5087 bool wrapped = FALSE;
5088 do {
5089 necp_last_app_uuid_id++;
5090 if (necp_last_app_uuid_id < NECP_FIRST_VALID_APP_ID) {
5091 if (wrapped) {
5092 // Already wrapped, give up
5093 NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
5094 return NECP_NULL_SERVICE_ID;
5095 }
5096 necp_last_app_uuid_id = NECP_FIRST_VALID_APP_ID;
5097 wrapped = TRUE;
5098 }
5099 newid = necp_last_app_uuid_id;
5100 } while (necp_uuid_lookup_uuid_with_app_id_locked(newid) != NULL); // If already used, keep trying
5101 }
5102
5103 if (newid == NECP_NULL_SERVICE_ID) {
5104 NECPLOG0(LOG_ERR, "Allocate uuid ID failed.\n");
5105 return NECP_NULL_SERVICE_ID;
5106 }
5107
5108 return newid;
5109 }
5110
5111 static struct necp_uuid_id_mapping *
5112 necp_uuid_lookup_app_id_locked(uuid_t uuid)
5113 {
5114 struct necp_uuid_id_mapping *searchentry = NULL;
5115 struct necp_uuid_id_mapping *foundentry = NULL;
5116
5117 LIST_FOREACH(searchentry, APPUUIDHASH(uuid), chain) {
5118 if (uuid_compare(searchentry->uuid, uuid) == 0) {
5119 foundentry = searchentry;
5120 break;
5121 }
5122 }
5123
5124 return foundentry;
5125 }
5126
5127 static struct necp_uuid_id_mapping *
5128 necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id)
5129 {
5130 struct necp_uuid_id_mapping *searchentry = NULL;
5131 struct necp_uuid_id_mapping *foundentry = NULL;
5132
5133 struct necp_uuid_id_mapping_head *uuid_list_head = NULL;
5134 for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
5135 LIST_FOREACH(searchentry, uuid_list_head, chain) {
5136 if (searchentry->id == local_id) {
5137 foundentry = searchentry;
5138 break;
5139 }
5140 }
5141 }
5142
5143 return foundentry;
5144 }
5145
5146 static u_int32_t
5147 necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table)
5148 {
5149 u_int32_t local_id = 0;
5150 struct necp_uuid_id_mapping *existing_mapping = NULL;
5151
5152 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5153
5154 if (allocated_mapping) {
5155 *allocated_mapping = FALSE;
5156 }
5157
5158 existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
5159 if (existing_mapping != NULL) {
5160 local_id = existing_mapping->id;
5161 os_ref_retain_locked(&existing_mapping->refcount);
5162 if (uuid_policy_table) {
5163 existing_mapping->table_usecount++;
5164 }
5165 } else {
5166 struct necp_uuid_id_mapping *new_mapping = NULL;
5167 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
5168 if (new_mapping != NULL) {
5169 uuid_copy(new_mapping->uuid, uuid);
5170 new_mapping->id = necp_get_new_uuid_id(false);
5171 os_ref_init(&new_mapping->refcount, &necp_refgrp);
5172 if (uuid_policy_table) {
5173 new_mapping->table_usecount = 1;
5174 } else {
5175 new_mapping->table_usecount = 0;
5176 }
5177
5178 LIST_INSERT_HEAD(APPUUIDHASH(uuid), new_mapping, chain);
5179
5180 if (allocated_mapping) {
5181 *allocated_mapping = TRUE;
5182 }
5183
5184 local_id = new_mapping->id;
5185 }
5186 }
5187
5188 return local_id;
5189 }
5190
5191 static bool
5192 necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table)
5193 {
5194 struct necp_uuid_id_mapping *existing_mapping = NULL;
5195
5196 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5197
5198 if (removed_mapping) {
5199 *removed_mapping = FALSE;
5200 }
5201
5202 existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
5203 if (existing_mapping != NULL) {
5204 if (uuid_policy_table) {
5205 existing_mapping->table_usecount--;
5206 }
5207 if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
5208 LIST_REMOVE(existing_mapping, chain);
5209 FREE(existing_mapping, M_NECP);
5210 if (removed_mapping) {
5211 *removed_mapping = TRUE;
5212 }
5213 }
5214 return TRUE;
5215 }
5216
5217 return FALSE;
5218 }
5219
5220 static struct necp_uuid_id_mapping *
5221 necp_uuid_get_null_service_id_mapping(void)
5222 {
5223 static struct necp_uuid_id_mapping null_mapping;
5224 uuid_clear(null_mapping.uuid);
5225 null_mapping.id = NECP_NULL_SERVICE_ID;
5226
5227 return &null_mapping;
5228 }
5229
5230 static struct necp_uuid_id_mapping *
5231 necp_uuid_lookup_service_id_locked(uuid_t uuid)
5232 {
5233 struct necp_uuid_id_mapping *searchentry = NULL;
5234 struct necp_uuid_id_mapping *foundentry = NULL;
5235
5236 if (uuid_is_null(uuid)) {
5237 return necp_uuid_get_null_service_id_mapping();
5238 }
5239
5240 LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
5241 if (uuid_compare(searchentry->uuid, uuid) == 0) {
5242 foundentry = searchentry;
5243 break;
5244 }
5245 }
5246
5247 return foundentry;
5248 }
5249
5250 static struct necp_uuid_id_mapping *
5251 necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id)
5252 {
5253 struct necp_uuid_id_mapping *searchentry = NULL;
5254 struct necp_uuid_id_mapping *foundentry = NULL;
5255
5256 if (local_id == NECP_NULL_SERVICE_ID) {
5257 return necp_uuid_get_null_service_id_mapping();
5258 }
5259
5260 LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
5261 if (searchentry->id == local_id) {
5262 foundentry = searchentry;
5263 break;
5264 }
5265 }
5266
5267 return foundentry;
5268 }
5269
5270 static u_int32_t
5271 necp_create_uuid_service_id_mapping(uuid_t uuid)
5272 {
5273 u_int32_t local_id = 0;
5274 struct necp_uuid_id_mapping *existing_mapping = NULL;
5275
5276 if (uuid_is_null(uuid)) {
5277 return NECP_NULL_SERVICE_ID;
5278 }
5279
5280 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5281
5282 existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
5283 if (existing_mapping != NULL) {
5284 local_id = existing_mapping->id;
5285 os_ref_retain_locked(&existing_mapping->refcount);
5286 } else {
5287 struct necp_uuid_id_mapping *new_mapping = NULL;
5288 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
5289 if (new_mapping != NULL) {
5290 uuid_copy(new_mapping->uuid, uuid);
5291 new_mapping->id = necp_get_new_uuid_id(true);
5292 os_ref_init(&new_mapping->refcount, &necp_refgrp);
5293
5294 LIST_INSERT_HEAD(&necp_uuid_service_id_list, new_mapping, chain);
5295
5296 local_id = new_mapping->id;
5297 }
5298 }
5299
5300 return local_id;
5301 }
5302
5303 static bool
5304 necp_remove_uuid_service_id_mapping(uuid_t uuid)
5305 {
5306 struct necp_uuid_id_mapping *existing_mapping = NULL;
5307
5308 if (uuid_is_null(uuid)) {
5309 return TRUE;
5310 }
5311
5312 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5313
5314 existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
5315 if (existing_mapping != NULL) {
5316 if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
5317 LIST_REMOVE(existing_mapping, chain);
5318 FREE(existing_mapping, M_NECP);
5319 }
5320 return TRUE;
5321 }
5322
5323 return FALSE;
5324 }
5325
5326
5327 static bool
5328 necp_kernel_socket_policies_update_uuid_table(void)
5329 {
5330 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5331
5332 if (necp_uuid_app_id_mappings_dirty) {
5333 if (proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_CLEAR, NULL, PROC_UUID_NECP_APP_POLICY) < 0) {
5334 NECPLOG0(LOG_DEBUG, "Error clearing uuids from policy table\n");
5335 return FALSE;
5336 }
5337
5338 if (necp_num_uuid_app_id_mappings > 0) {
5339 struct necp_uuid_id_mapping_head *uuid_list_head = NULL;
5340 for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
5341 struct necp_uuid_id_mapping *mapping = NULL;
5342 LIST_FOREACH(mapping, uuid_list_head, chain) {
5343 if (mapping->table_usecount > 0 &&
5344 proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_ADD, mapping->uuid, PROC_UUID_NECP_APP_POLICY) < 0) {
5345 NECPLOG0(LOG_DEBUG, "Error adding uuid to policy table\n");
5346 }
5347 }
5348 }
5349 }
5350
5351 necp_uuid_app_id_mappings_dirty = FALSE;
5352 }
5353
5354 return TRUE;
5355 }
5356
5357 #define NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
5358 static necp_kernel_policy_id
5359 necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
5360 {
5361 struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
5362 struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
5363
5364 MALLOC_ZONE(new_kernel_policy, struct necp_kernel_ip_output_policy *, sizeof(*new_kernel_policy), M_NECP_IP_POLICY, M_WAITOK);
5365 if (new_kernel_policy == NULL) {
5366 goto done;
5367 }
5368
5369 memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
5370 new_kernel_policy->id = necp_kernel_policy_get_new_id(false);
5371 new_kernel_policy->suborder = suborder;
5372 new_kernel_policy->order = order;
5373 new_kernel_policy->session_order = session_order;
5374 new_kernel_policy->session_pid = session_pid;
5375
5376 // Sanitize condition mask
5377 new_kernel_policy->condition_mask = (condition_mask & NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS);
5378 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE)) {
5379 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_BOUND_INTERFACE;
5380 }
5381 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
5382 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
5383 }
5384 if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
5385 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
5386 }
5387 new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
5388
5389 // Set condition values
5390 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
5391 new_kernel_policy->cond_policy_id = cond_policy_id;
5392 }
5393 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
5394 if (cond_bound_interface) {
5395 ifnet_reference(cond_bound_interface);
5396 }
5397 new_kernel_policy->cond_bound_interface = cond_bound_interface;
5398 }
5399 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
5400 new_kernel_policy->cond_last_interface_index = cond_last_interface_index;
5401 }
5402 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
5403 new_kernel_policy->cond_protocol = cond_protocol;
5404 }
5405 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
5406 memcpy(&new_kernel_policy->cond_local_start, cond_local_start, cond_local_start->sa.sa_len);
5407 }
5408 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
5409 memcpy(&new_kernel_policy->cond_local_end, cond_local_end, cond_local_end->sa.sa_len);
5410 }
5411 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
5412 new_kernel_policy->cond_local_prefix = cond_local_prefix;
5413 }
5414 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
5415 memcpy(&new_kernel_policy->cond_remote_start, cond_remote_start, cond_remote_start->sa.sa_len);
5416 }
5417 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
5418 memcpy(&new_kernel_policy->cond_remote_end, cond_remote_end, cond_remote_end->sa.sa_len);
5419 }
5420 if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
5421 new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
5422 }
5423
5424 new_kernel_policy->result = result;
5425 memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
5426
5427 if (necp_debug) {
5428 NECPLOG(LOG_DEBUG, "Added kernel policy: ip output, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
5429 }
5430 LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
5431 done:
5432 return new_kernel_policy ? new_kernel_policy->id : 0;
5433 }
5434
5435 static struct necp_kernel_ip_output_policy *
5436 necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id)
5437 {
5438 struct necp_kernel_ip_output_policy *kernel_policy = NULL;
5439 struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
5440
5441 if (policy_id == 0) {
5442 return NULL;
5443 }
5444
5445 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) {
5446 if (kernel_policy->id == policy_id) {
5447 return kernel_policy;
5448 }
5449 }
5450
5451 return NULL;
5452 }
5453
5454 static bool
5455 necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id)
5456 {
5457 struct necp_kernel_ip_output_policy *policy = NULL;
5458
5459 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5460
5461 policy = necp_kernel_ip_output_policy_find(policy_id);
5462 if (policy) {
5463 LIST_REMOVE(policy, chain);
5464
5465 if (policy->cond_bound_interface) {
5466 ifnet_release(policy->cond_bound_interface);
5467 policy->cond_bound_interface = NULL;
5468 }
5469
5470 FREE_ZONE(policy, sizeof(*policy), M_NECP_IP_POLICY);
5471 return TRUE;
5472 }
5473
5474 return FALSE;
5475 }
5476
5477 static void
5478 necp_kernel_ip_output_policies_dump_all(void)
5479 {
5480 if (necp_debug) {
5481 struct necp_kernel_ip_output_policy *policy = NULL;
5482 int policy_i;
5483 int id_i;
5484 char result_string[MAX_RESULT_STRING_LEN];
5485 char proc_name_string[MAXCOMLEN + 1];
5486 memset(result_string, 0, MAX_RESULT_STRING_LEN);
5487 memset(proc_name_string, 0, MAXCOMLEN + 1);
5488
5489 NECPLOG0(LOG_DEBUG, "NECP IP Output Policies:\n");
5490 NECPLOG0(LOG_DEBUG, "-----------\n");
5491 for (id_i = 0; id_i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; id_i++) {
5492 NECPLOG(LOG_DEBUG, " ID Bucket: %d\n", id_i);
5493 for (policy_i = 0; necp_kernel_ip_output_policies_map[id_i] != NULL && (necp_kernel_ip_output_policies_map[id_i])[policy_i] != NULL; policy_i++) {
5494 policy = (necp_kernel_ip_output_policies_map[id_i])[policy_i];
5495 proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
5496 NECPLOG(LOG_DEBUG, "\t%3d. Policy ID: %5d\tProcess: %10.10s\tOrder: %04d.%04d.%d\tMask: %5x\tResult: %s\n", policy_i, policy->id, proc_name_string, policy->session_order, policy->order, policy->suborder, policy->condition_mask, necp_get_result_description(result_string, policy->result, policy->result_parameter));
5497 }
5498 NECPLOG0(LOG_DEBUG, "-----------\n");
5499 }
5500 }
5501 }
5502
5503 static inline bool
5504 necp_kernel_ip_output_policy_results_overlap(struct necp_kernel_ip_output_policy *upper_policy, struct necp_kernel_ip_output_policy *lower_policy)
5505 {
5506 if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5507 if (upper_policy->session_order != lower_policy->session_order) {
5508 // A skip cannot override a policy of a different session
5509 return FALSE;
5510 } else {
5511 if (upper_policy->result_parameter.skip_policy_order == 0 ||
5512 lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
5513 // This policy is beyond the skip
5514 return FALSE;
5515 } else {
5516 // This policy is inside the skip
5517 return TRUE;
5518 }
5519 }
5520 }
5521
5522 // All other IP Output policy results (drop, tunnel, hard pass) currently overlap
5523 return TRUE;
5524 }
5525
5526 static bool
5527 necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy *policy, struct necp_kernel_ip_output_policy **policy_array, int valid_indices)
5528 {
5529 bool can_skip = FALSE;
5530 u_int32_t highest_skip_session_order = 0;
5531 u_int32_t highest_skip_order = 0;
5532 int i;
5533 for (i = 0; i < valid_indices; i++) {
5534 struct necp_kernel_ip_output_policy *compared_policy = policy_array[i];
5535
5536 // For policies in a skip window, we can't mark conflicting policies as unnecessary
5537 if (can_skip) {
5538 if (highest_skip_session_order != compared_policy->session_order ||
5539 (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
5540 // If we've moved on to the next session, or passed the skip window
5541 highest_skip_session_order = 0;
5542 highest_skip_order = 0;
5543 can_skip = FALSE;
5544 } else {
5545 // If this policy is also a skip, in can increase the skip window
5546 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5547 if (compared_policy->result_parameter.skip_policy_order > highest_skip_order) {
5548 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
5549 }
5550 }
5551 continue;
5552 }
5553 }
5554
5555 if (compared_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5556 // This policy is a skip. Set the skip window accordingly
5557 can_skip = TRUE;
5558 highest_skip_session_order = compared_policy->session_order;
5559 highest_skip_order = compared_policy->result_parameter.skip_policy_order;
5560 }
5561
5562 // The result of the compared policy must be able to block out this policy result
5563 if (!necp_kernel_ip_output_policy_results_overlap(compared_policy, policy)) {
5564 continue;
5565 }
5566
5567 // If new policy matches All Interfaces, compared policy must also
5568 if ((policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
5569 continue;
5570 }
5571
5572 // If new policy matches Local Networks, compared policy must also
5573 if ((policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS)) {
5574 continue;
5575 }
5576
5577 // Default makes lower policies unecessary always
5578 if (compared_policy->condition_mask == 0) {
5579 return TRUE;
5580 }
5581
5582 // Compared must be more general than policy, and include only conditions within policy
5583 if ((policy->condition_mask & compared_policy->condition_mask) != compared_policy->condition_mask) {
5584 continue;
5585 }
5586
5587 // Negative conditions must match for the overlapping conditions
5588 if ((policy->condition_negated_mask & compared_policy->condition_mask) != (compared_policy->condition_negated_mask & compared_policy->condition_mask)) {
5589 continue;
5590 }
5591
5592 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
5593 compared_policy->cond_policy_id != policy->cond_policy_id) {
5594 continue;
5595 }
5596
5597 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
5598 compared_policy->cond_bound_interface != policy->cond_bound_interface) {
5599 continue;
5600 }
5601
5602 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
5603 compared_policy->cond_protocol != policy->cond_protocol) {
5604 continue;
5605 }
5606
5607 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
5608 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
5609 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&policy->cond_local_end, (struct sockaddr *)&compared_policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_end)) {
5610 continue;
5611 }
5612 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
5613 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
5614 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
5615 continue;
5616 }
5617 }
5618 }
5619
5620 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
5621 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
5622 if (!necp_is_range_in_range((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&policy->cond_remote_end, (struct sockaddr *)&compared_policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_end)) {
5623 continue;
5624 }
5625 } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
5626 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
5627 !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
5628 continue;
5629 }
5630 }
5631 }
5632
5633 return TRUE;
5634 }
5635
5636 return FALSE;
5637 }
5638
5639 static bool
5640 necp_kernel_ip_output_policies_reprocess(void)
5641 {
5642 int i;
5643 int bucket_allocation_counts[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
5644 int bucket_current_free_index[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
5645 struct necp_kernel_ip_output_policy *kernel_policy = NULL;
5646
5647 LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
5648
5649 // Reset mask to 0
5650 necp_kernel_ip_output_policies_condition_mask = 0;
5651 necp_kernel_ip_output_policies_count = 0;
5652 necp_kernel_ip_output_policies_non_id_count = 0;
5653
5654 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
5655 if (necp_kernel_ip_output_policies_map[i] != NULL) {
5656 FREE(necp_kernel_ip_output_policies_map[i], M_NECP);
5657 necp_kernel_ip_output_policies_map[i] = NULL;
5658 }
5659
5660 // Init counts
5661 bucket_allocation_counts[i] = 0;
5662 }
5663
5664 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
5665 // Update mask
5666 necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask;
5667 necp_kernel_ip_output_policies_count++;
5668
5669 /* Update bucket counts:
5670 * Non-id and SKIP policies will be added to all buckets
5671 * Add local networks policy to all buckets for incoming IP
5672 */
5673 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
5674 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
5675 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5676 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
5677 bucket_allocation_counts[i]++;
5678 }
5679 }
5680 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
5681 necp_kernel_ip_output_policies_non_id_count++;
5682 } else {
5683 bucket_allocation_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id)]++;
5684 }
5685 }
5686
5687 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
5688 if (bucket_allocation_counts[i] > 0) {
5689 // Allocate a NULL-terminated array of policy pointers for each bucket
5690 MALLOC(necp_kernel_ip_output_policies_map[i], struct necp_kernel_ip_output_policy **, sizeof(struct necp_kernel_ip_output_policy *) * (bucket_allocation_counts[i] + 1), M_NECP, M_WAITOK);
5691 if (necp_kernel_ip_output_policies_map[i] == NULL) {
5692 goto fail;
5693 }
5694
5695 // Initialize the first entry to NULL
5696 (necp_kernel_ip_output_policies_map[i])[0] = NULL;
5697 }
5698 bucket_current_free_index[i] = 0;
5699 }
5700
5701 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
5702 // Insert pointers into map
5703 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
5704 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
5705 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
5706 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
5707 if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
5708 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
5709 bucket_current_free_index[i]++;
5710 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
5711 }
5712 }
5713 } else {
5714 i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id);
5715 if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
5716 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
5717 bucket_current_free_index[i]++;
5718 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
5719 }
5720 }
5721 }
5722 necp_kernel_ip_output_policies_dump_all();
5723 return TRUE;
5724
5725 fail:
5726 // Free memory, reset mask to 0
5727 necp_kernel_ip_output_policies_condition_mask = 0;
5728 necp_kernel_ip_output_policies_count = 0;
5729 necp_kernel_ip_output_policies_non_id_count = 0;
5730 for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
5731 if (necp_kernel_ip_output_policies_map[i] != NULL) {
5732 FREE(necp_kernel_ip_output_policies_map[i], M_NECP);
5733 necp_kernel_ip_output_policies_map[i] = NULL;
5734 }
5735 }
5736 return FALSE;
5737 }
5738
5739 // Outbound Policy Matching
5740 // ---------------------
5741 struct substring {
5742 char *string;
5743 size_t length;
5744 };
5745
5746 static struct substring
5747 necp_trim_dots_and_stars(char *string, size_t length)
5748 {
5749 struct substring sub;
5750 sub.string = string;
5751 sub.length = string ? length : 0;
5752
5753 while (sub.length && (sub.string[0] == '.' || sub.string[0] == '*')) {
5754 sub.string++;
5755 sub.length--;
5756 }
5757
5758 while (sub.length && (sub.string[sub.length - 1] == '.' || sub.string[sub.length - 1] == '*')) {
5759 sub.length--;
5760 }
5761
5762 return sub;
5763 }
5764
5765 static char *
5766 necp_create_trimmed_domain(char *string, size_t length)
5767 {
5768 char *trimmed_domain = NULL;
5769 struct substring sub = necp_trim_dots_and_stars(string, length);
5770
5771 MALLOC(trimmed_domain, char *, sub.length + 1, M_NECP, M_WAITOK);
5772 if (trimmed_domain == NULL) {
5773 return NULL;
5774 }
5775
5776 memcpy(trimmed_domain, sub.string, sub.length);
5777 trimmed_domain[sub.length] = 0;
5778
5779 return trimmed_domain;
5780 }
5781
5782 static inline int
5783 necp_count_dots(char *string, size_t length)
5784 {
5785 int dot_count = 0;
5786 size_t i = 0;
5787
5788 for (i = 0; i < length; i++) {
5789 if (string[i] == '.') {
5790 dot_count++;
5791 }
5792 }
5793
5794 return dot_count;
5795 }
5796
5797 static bool
5798 necp_check_suffix(struct substring parent, struct substring suffix, bool require_dot_before_suffix)
5799 {
5800 if (parent.length <= suffix.length) {
5801 return FALSE;
5802 }
5803
5804 size_t length_difference = (parent.length - suffix.length);
5805
5806 if (require_dot_before_suffix) {
5807 if (((char *)(parent.string + length_difference - 1))[0] != '.') {
5808 return FALSE;
5809 }
5810 }
5811
5812 // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
5813 return strncasecmp(parent.string + length_difference, suffix.string, suffix.length) == 0;
5814 }
5815
5816 static bool
5817 necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostname_dot_count, char *domain, u_int8_t domain_dot_count)
5818 {
5819 if (hostname_substring.string == NULL || domain == NULL) {
5820 return hostname_substring.string == domain;
5821 }
5822
5823 struct substring domain_substring;
5824 domain_substring.string = domain;
5825 domain_substring.length = strlen(domain);
5826
5827 if (hostname_dot_count == domain_dot_count) {
5828 // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
5829 if (hostname_substring.length == domain_substring.length &&
5830 strncasecmp(hostname_substring.string, domain_substring.string, hostname_substring.length) == 0) {
5831 return TRUE;
5832 }
5833 } else if (domain_dot_count < hostname_dot_count) {
5834 if (necp_check_suffix(hostname_substring, domain_substring, TRUE)) {
5835 return TRUE;
5836 }
5837 }
5838
5839 return FALSE;
5840 }
5841
5842 bool
5843 net_domain_contains_hostname(char *hostname_string, char *domain_string)
5844 {
5845 if (hostname_string == NULL ||
5846 domain_string == NULL) {
5847 return false;
5848 }
5849
5850 struct substring hostname_substring;
5851 hostname_substring.string = hostname_string;
5852 hostname_substring.length = strlen(hostname_string);
5853
5854 return necp_hostname_matches_domain(hostname_substring,
5855 necp_count_dots(hostname_string, hostname_substring.length),
5856 domain_string,
5857 necp_count_dots(domain_string, strlen(domain_string)));
5858 }
5859
5860 #define NECP_MAX_STRING_LEN 1024
5861
5862 static char *
5863 necp_copy_string(char *string, size_t length)
5864 {
5865 char *copied_string = NULL;
5866
5867 if (length > NECP_MAX_STRING_LEN) {
5868 return NULL;
5869 }
5870
5871 MALLOC(copied_string, char *, length + 1, M_NECP, M_WAITOK);
5872 if (copied_string == NULL) {
5873 return NULL;
5874 }
5875
5876 memcpy(copied_string, string, length);
5877 copied_string[length] = 0;
5878
5879 return copied_string;
5880 }
5881
5882 static u_int32_t
5883 necp_get_primary_direct_interface_index(void)
5884 {
5885 u_int32_t interface_index = IFSCOPE_NONE;
5886
5887 ifnet_head_lock_shared();
5888 struct ifnet *ordered_interface = NULL;
5889 TAILQ_FOREACH(ordered_interface, &ifnet_ordered_head, if_ordered_link) {
5890 const u_int8_t functional_type = if_functional_type(ordered_interface, TRUE);
5891 if (functional_type != IFRTYPE_FUNCTIONAL_UNKNOWN &&
5892 functional_type != IFRTYPE_FUNCTIONAL_LOOPBACK) {
5893 // All known, non-loopback functional types represent direct physical interfaces (Wi-Fi, Cellular, Wired)
5894 interface_index = ordered_interface->if_index;
5895 break;
5896 }
5897 }
5898 ifnet_head_done();
5899
5900 return interface_index;
5901 }
5902
5903 static inline void
5904 necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info)
5905 {
5906 task_t task = proc_task(proc ? proc : current_proc());
5907 coalition_t coal = task_get_coalition(task, COALITION_TYPE_JETSAM);
5908
5909 if (coal == COALITION_NULL || coalition_is_leader(task, coal)) {
5910 // No parent, nothing to do
5911 return;
5912 }
5913
5914 task_t lead_task = coalition_get_leader(coal);
5915 if (lead_task != NULL) {
5916 proc_t lead_proc = get_bsdtask_info(lead_task);
5917 if (lead_proc != NULL) {
5918 kauth_cred_t lead_cred = kauth_cred_proc_ref(lead_proc);
5919 if (lead_cred != NULL) {
5920 errno_t cred_result = priv_check_cred(lead_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
5921 kauth_cred_unref(&lead_cred);
5922 info->cred_result = cred_result;
5923 }
5924 }
5925 task_deallocate(lead_task);
5926 }
5927 }
5928
5929 #define NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
5930 static void
5931 necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, u_int16_t local_port, u_int16_t remote_port, bool has_client, proc_t proc, u_int32_t drop_order, u_int32_t client_flags, struct necp_socket_info *info)
5932 {
5933 memset(info, 0, sizeof(struct necp_socket_info));
5934
5935 info->pid = pid;
5936 info->uid = uid;
5937 info->protocol = protocol;
5938 info->bound_interface_index = bound_interface_index;
5939 info->traffic_class = traffic_class;
5940 info->has_client = has_client;
5941 info->drop_order = drop_order;
5942 info->client_flags = client_flags;
5943
5944 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT && proc != NULL) {
5945 info->cred_result = priv_check_cred(proc_ucred(proc), PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
5946 if (info->cred_result != 0) {
5947 // Process does not have entitlement, check the parent process
5948 necp_get_parent_cred_result(proc, info);
5949 }
5950 }
5951
5952 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY && proc != NULL) {
5953 info->is_platform_binary = csproc_get_platform_binary(proc) ? true : false;
5954 }
5955
5956 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(application_uuid)) {
5957 struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(application_uuid);
5958 if (existing_mapping) {
5959 info->application_id = existing_mapping->id;
5960 }
5961 }
5962
5963 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID && !uuid_is_null(real_application_uuid)) {
5964 if (uuid_compare(application_uuid, real_application_uuid) == 0) {
5965 info->real_application_id = info->application_id;
5966 } else {
5967 struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(real_application_uuid);
5968 if (existing_mapping) {
5969 info->real_application_id = existing_mapping->id;
5970 }
5971 }
5972 }
5973
5974 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && account != NULL) {
5975 struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, account);
5976 if (existing_mapping) {
5977 info->account_id = existing_mapping->id;
5978 }
5979 }
5980
5981 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
5982 info->domain = domain;
5983 }
5984
5985 if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
5986 if (local_addr && local_addr->sa.sa_len > 0) {
5987 memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
5988 if (local_port != 0) {
5989 info->local_addr.sin6.sin6_port = local_port;
5990 }
5991 } else if (local_port != 0) {
5992 info->local_addr.sin6.sin6_len = sizeof(struct sockaddr_in6);
5993 info->local_addr.sin6.sin6_family = AF_INET6;
5994 info->local_addr.sin6.sin6_port = local_port;
5995 }
5996 if (remote_addr && remote_addr->sa.sa_len > 0) {
5997 memcpy(&info->remote_addr, remote_addr, remote_addr->sa.sa_len);
5998 if (remote_port != 0) {
5999 info->remote_addr.sin6.sin6_port = remote_port;
6000 }
6001 } else if (remote_port != 0) {
6002 info->remote_addr.sin6.sin6_len = sizeof(struct sockaddr_in6);
6003 info->remote_addr.sin6.sin6_family = AF_INET6;
6004 info->remote_addr.sin6.sin6_port = remote_port;
6005 }
6006 }
6007 }
6008
6009 static void
6010 necp_send_application_interface_denied_event(pid_t pid, uuid_t proc_uuid, u_int32_t if_functional_type)
6011 {
6012 struct kev_netpolicy_ifdenied ev_ifdenied;
6013
6014 bzero(&ev_ifdenied, sizeof(ev_ifdenied));
6015
6016 ev_ifdenied.ev_data.epid = pid;
6017 uuid_copy(ev_ifdenied.ev_data.euuid, proc_uuid);
6018 ev_ifdenied.ev_if_functional_type = if_functional_type;
6019
6020 netpolicy_post_msg(KEV_NETPOLICY_IFDENIED, &ev_ifdenied.ev_data, sizeof(ev_ifdenied));
6021 }
6022
6023 extern char *proc_name_address(void *p);
6024
6025 #define NECP_VERIFY_DELEGATION_ENTITLEMENT(_p, _d) \
6026 if (!has_checked_delegation_entitlement) { \
6027 has_delegation_entitlement = (priv_check_cred(proc_ucred(_p), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, 0) == 0); \
6028 has_checked_delegation_entitlement = TRUE; \
6029 } \
6030 if (!has_delegation_entitlement) { \
6031 NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to delegate network traffic for other processes by %s", \
6032 proc_name_address(_p), proc_pid(_p), _d); \
6033 break; \
6034 }
6035
6036 int
6037 necp_application_find_policy_match_internal(proc_t proc,
6038 u_int8_t *parameters,
6039 u_int32_t parameters_size,
6040 struct necp_aggregate_result *returned_result,
6041 u_int32_t *flags,
6042 u_int32_t *reason,
6043 u_int required_interface_index,
6044 const union necp_sockaddr_union *override_local_addr,
6045 const union necp_sockaddr_union *override_remote_addr,
6046 struct necp_client_endpoint *returned_v4_gateway,
6047 struct necp_client_endpoint *returned_v6_gateway,
6048 struct rtentry **returned_route, bool ignore_address,
6049 bool has_client)
6050 {
6051 int error = 0;
6052 size_t offset = 0;
6053
6054 struct necp_kernel_socket_policy *matched_policy = NULL;
6055 struct necp_socket_info info;
6056 necp_kernel_policy_filter filter_control_unit = 0;
6057 necp_kernel_policy_result service_action = 0;
6058 necp_kernel_policy_service service = { 0, 0 };
6059
6060 u_int16_t protocol = 0;
6061 u_int32_t bound_interface_index = required_interface_index;
6062 u_int32_t traffic_class = 0;
6063 u_int32_t client_flags = 0;
6064 union necp_sockaddr_union local_addr;
6065 union necp_sockaddr_union remote_addr;
6066 bool no_remote_addr = FALSE;
6067 u_int8_t remote_family = 0;
6068 bool no_local_addr = FALSE;
6069 u_int16_t local_port = 0;
6070 u_int16_t remote_port = 0;
6071 necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
6072
6073 if (override_local_addr) {
6074 memcpy(&local_addr, override_local_addr, sizeof(local_addr));
6075 } else {
6076 memset(&local_addr, 0, sizeof(local_addr));
6077 }
6078 if (override_remote_addr) {
6079 memcpy(&remote_addr, override_remote_addr, sizeof(remote_addr));
6080 } else {
6081 memset(&remote_addr, 0, sizeof(remote_addr));
6082 }
6083
6084 // Initialize UID, PID, and UUIDs to the current process
6085 uid_t uid = kauth_cred_getuid(proc_ucred(proc));
6086 pid_t pid = proc_pid(proc);
6087 uuid_t application_uuid;
6088 uuid_clear(application_uuid);
6089 uuid_t real_application_uuid;
6090 uuid_clear(real_application_uuid);
6091 proc_getexecutableuuid(proc, real_application_uuid, sizeof(real_application_uuid));
6092 uuid_copy(application_uuid, real_application_uuid);
6093
6094 char *domain = NULL;
6095 char *account = NULL;
6096
6097 #define NECP_MAX_REQUIRED_AGENTS 16
6098 u_int32_t num_required_agent_types = 0;
6099 struct necp_client_parameter_netagent_type required_agent_types[NECP_MAX_REQUIRED_AGENTS];
6100 memset(&required_agent_types, 0, sizeof(required_agent_types));
6101
6102 u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
6103 u_int32_t netagent_use_flags[NECP_MAX_NETAGENTS];
6104 memset(&netagent_ids, 0, sizeof(netagent_ids));
6105 memset(&netagent_use_flags, 0, sizeof(netagent_use_flags));
6106 int netagent_cursor;
6107
6108 bool has_checked_delegation_entitlement = FALSE;
6109 bool has_delegation_entitlement = FALSE;
6110
6111 if (returned_result == NULL) {
6112 return EINVAL;
6113 }
6114
6115 if (returned_v4_gateway != NULL) {
6116 memset(returned_v4_gateway, 0, sizeof(struct necp_client_endpoint));
6117 }
6118
6119 if (returned_v6_gateway != NULL) {
6120 memset(returned_v6_gateway, 0, sizeof(struct necp_client_endpoint));
6121 }
6122
6123 memset(returned_result, 0, sizeof(struct necp_aggregate_result));
6124
6125 u_int32_t drop_order = necp_process_drop_order(proc_ucred(proc));
6126
6127 necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
6128
6129 lck_rw_lock_shared(&necp_kernel_policy_lock);
6130 if (necp_kernel_application_policies_count == 0) {
6131 if (necp_drop_all_order > 0 || drop_order > 0) {
6132 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6133 lck_rw_done(&necp_kernel_policy_lock);
6134 return 0;
6135 }
6136 }
6137 lck_rw_done(&necp_kernel_policy_lock);
6138
6139 while ((offset + sizeof(u_int8_t) + sizeof(u_int32_t)) <= parameters_size) {
6140 u_int8_t type = necp_buffer_get_tlv_type(parameters, offset);
6141 u_int32_t length = necp_buffer_get_tlv_length(parameters, offset);
6142
6143 if (length > (parameters_size - (offset + sizeof(u_int8_t) + sizeof(u_int32_t)))) {
6144 // If the length is larger than what can fit in the remaining parameters size, bail
6145 NECPLOG(LOG_ERR, "Invalid TLV length (%u)", length);
6146 break;
6147 }
6148
6149 if (length > 0) {
6150 u_int8_t *value = necp_buffer_get_tlv_value(parameters, offset, NULL);
6151 if (value != NULL) {
6152 switch (type) {
6153 case NECP_CLIENT_PARAMETER_APPLICATION: {
6154 if (length >= sizeof(uuid_t)) {
6155 if (uuid_compare(application_uuid, value) == 0) {
6156 // No delegation
6157 break;
6158 }
6159
6160 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "euuid");
6161
6162 uuid_copy(application_uuid, value);
6163 }
6164 break;
6165 }
6166 case NECP_CLIENT_PARAMETER_REAL_APPLICATION: {
6167 if (length >= sizeof(uuid_t)) {
6168 if (uuid_compare(real_application_uuid, value) == 0) {
6169 // No delegation
6170 break;
6171 }
6172
6173 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uuid");
6174
6175 uuid_copy(real_application_uuid, value);
6176 }
6177 break;
6178 }
6179 case NECP_CLIENT_PARAMETER_PID: {
6180 if (length >= sizeof(pid_t)) {
6181 if (memcmp(&pid, value, sizeof(pid_t)) == 0) {
6182 // No delegation
6183 break;
6184 }
6185
6186 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "pid");
6187
6188 memcpy(&pid, value, sizeof(pid_t));
6189 }
6190 break;
6191 }
6192 case NECP_CLIENT_PARAMETER_UID: {
6193 if (length >= sizeof(uid_t)) {
6194 if (memcmp(&uid, value, sizeof(uid_t)) == 0) {
6195 // No delegation
6196 break;
6197 }
6198
6199 NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uid");
6200
6201 memcpy(&uid, value, sizeof(uid_t));
6202 }
6203 break;
6204 }
6205 case NECP_CLIENT_PARAMETER_DOMAIN: {
6206 domain = (char *)value;
6207 domain[length - 1] = 0;
6208 break;
6209 }
6210 case NECP_CLIENT_PARAMETER_ACCOUNT: {
6211 account = (char *)value;
6212 account[length - 1] = 0;
6213 break;
6214 }
6215 case NECP_CLIENT_PARAMETER_TRAFFIC_CLASS: {
6216 if (length >= sizeof(u_int32_t)) {
6217 memcpy(&traffic_class, value, sizeof(u_int32_t));
6218 }
6219 break;
6220 }
6221 case NECP_CLIENT_PARAMETER_IP_PROTOCOL: {
6222 if (length >= sizeof(u_int16_t)) {
6223 memcpy(&protocol, value, sizeof(u_int16_t));
6224 } else if (length >= sizeof(u_int8_t)) {
6225 memcpy(&protocol, value, sizeof(u_int8_t));
6226 }
6227 break;
6228 }
6229 case NECP_CLIENT_PARAMETER_BOUND_INTERFACE: {
6230 if (length <= IFXNAMSIZ && length > 0) {
6231 ifnet_t bound_interface = NULL;
6232 char interface_name[IFXNAMSIZ];
6233 memcpy(interface_name, value, length);
6234 interface_name[length - 1] = 0; // Make sure the string is NULL terminated
6235 if (ifnet_find_by_name(interface_name, &bound_interface) == 0) {
6236 bound_interface_index = bound_interface->if_index;
6237 ifnet_release(bound_interface);
6238 }
6239 }
6240 break;
6241 }
6242 case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS: {
6243 if (ignore_address || override_local_addr) {
6244 break;
6245 }
6246
6247 if (length >= sizeof(struct necp_policy_condition_addr)) {
6248 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
6249 if (necp_address_is_valid(&address_struct->address.sa)) {
6250 memcpy(&local_addr, &address_struct->address, sizeof(address_struct->address));
6251 }
6252 }
6253 break;
6254 }
6255 case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: {
6256 if (ignore_address || override_remote_addr) {
6257 break;
6258 }
6259
6260 if (length >= sizeof(struct necp_policy_condition_addr)) {
6261 struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
6262 if (necp_address_is_valid(&address_struct->address.sa)) {
6263 memcpy(&remote_addr, &address_struct->address, sizeof(address_struct->address));
6264 }
6265 }
6266 break;
6267 }
6268 case NECP_CLIENT_PARAMETER_LOCAL_ENDPOINT: {
6269 if (ignore_address || override_local_addr) {
6270 break;
6271 }
6272
6273 if (length >= sizeof(struct necp_client_endpoint)) {
6274 struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value;
6275 if (endpoint->u.endpoint.endpoint_family == AF_UNSPEC &&
6276 endpoint->u.endpoint.endpoint_port != 0) {
6277 // Save port
6278 local_port = endpoint->u.endpoint.endpoint_port;
6279 }
6280 }
6281 break;
6282 }
6283 case NECP_CLIENT_PARAMETER_REMOTE_ENDPOINT: {
6284 if (ignore_address || override_remote_addr) {
6285 break;
6286 }
6287
6288 if (length >= sizeof(struct necp_client_endpoint)) {
6289 struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value;
6290 if (endpoint->u.endpoint.endpoint_family == AF_UNSPEC &&
6291 endpoint->u.endpoint.endpoint_port != 0) {
6292 // Save port
6293 remote_port = endpoint->u.endpoint.endpoint_port;
6294 }
6295 }
6296 break;
6297 }
6298 case NECP_CLIENT_PARAMETER_FLAGS: {
6299 if (length >= sizeof(client_flags)) {
6300 memcpy(&client_flags, value, sizeof(client_flags));
6301 }
6302 break;
6303 }
6304 case NECP_CLIENT_PARAMETER_REQUIRE_AGENT_TYPE:
6305 case NECP_CLIENT_PARAMETER_PREFER_AGENT_TYPE: {
6306 if (num_required_agent_types >= NECP_MAX_REQUIRED_AGENTS) {
6307 break;
6308 }
6309 if (length >= sizeof(struct necp_client_parameter_netagent_type)) {
6310 memcpy(&required_agent_types[num_required_agent_types], value, sizeof(struct necp_client_parameter_netagent_type));
6311 num_required_agent_types++;
6312 }
6313 break;
6314 }
6315 default: {
6316 break;
6317 }
6318 }
6319 }
6320 }
6321
6322 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
6323 }
6324
6325 // Check for loopback exception
6326 if (necp_pass_loopback > 0 && necp_is_loopback(&local_addr.sa, &remote_addr.sa, NULL, NULL, bound_interface_index)) {
6327 returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
6328 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_PASS;
6329 returned_result->routed_interface_index = lo_ifp->if_index;
6330 *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
6331 return 0;
6332 }
6333
6334 // Lock
6335 lck_rw_lock_shared(&necp_kernel_policy_lock);
6336
6337 u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
6338 size_t route_rule_id_array_count = 0;
6339 necp_application_fillout_info_locked(application_uuid, real_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, local_port, remote_port, has_client, proc, drop_order, client_flags, &info);
6340 matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, netagent_use_flags, NECP_MAX_NETAGENTS, required_agent_types, num_required_agent_types, proc, NULL, NULL, &drop_dest_policy_result, &drop_all_bypass);
6341 if (matched_policy) {
6342 returned_result->policy_id = matched_policy->id;
6343 returned_result->routing_result = matched_policy->result;
6344 memcpy(&returned_result->routing_result_parameter, &matched_policy->result_parameter, sizeof(returned_result->routing_result_parameter));
6345 } else {
6346 bool drop_all = false;
6347 if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
6348 // Mark socket as a drop if drop_all is set
6349 drop_all = true;
6350 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
6351 drop_all_bypass = necp_check_drop_all_bypass_result(proc);
6352 }
6353 }
6354 if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
6355 returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
6356 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6357 } else {
6358 returned_result->policy_id = 0;
6359 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
6360 }
6361 }
6362 if (filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
6363 returned_result->filter_control_unit = 0;
6364 } else {
6365 returned_result->filter_control_unit = filter_control_unit;
6366 }
6367 returned_result->service_action = service_action;
6368
6369 // Handle trigger service
6370 if (service.identifier != 0) {
6371 struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(service.identifier);
6372 if (mapping != NULL) {
6373 struct necp_service_registration *service_registration = NULL;
6374 uuid_copy(returned_result->service_uuid, mapping->uuid);
6375 returned_result->service_data = service.data;
6376 if (service.identifier == NECP_NULL_SERVICE_ID) {
6377 // NULL service is always 'registered'
6378 returned_result->service_flags |= NECP_SERVICE_FLAGS_REGISTERED;
6379 } else {
6380 LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
6381 if (service.identifier == service_registration->service_id) {
6382 returned_result->service_flags |= NECP_SERVICE_FLAGS_REGISTERED;
6383 break;
6384 }
6385 }
6386 }
6387 }
6388 }
6389
6390 // Handle netagents
6391 for (netagent_cursor = 0; netagent_cursor < NECP_MAX_NETAGENTS; netagent_cursor++) {
6392 struct necp_uuid_id_mapping *mapping = NULL;
6393 u_int32_t netagent_id = netagent_ids[netagent_cursor];
6394 if (netagent_id == 0) {
6395 break;
6396 }
6397 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
6398 if (mapping != NULL) {
6399 uuid_copy(returned_result->netagents[netagent_cursor], mapping->uuid);
6400 returned_result->netagent_use_flags[netagent_cursor] = netagent_use_flags[netagent_cursor];
6401 }
6402 }
6403
6404 // Do routing evaluation
6405 u_int output_bound_interface = bound_interface_index;
6406 if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
6407 output_bound_interface = returned_result->routing_result_parameter.scoped_interface_index;
6408 } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
6409 output_bound_interface = returned_result->routing_result_parameter.tunnel_interface_index;
6410 } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
6411 output_bound_interface = necp_get_primary_direct_interface_index();
6412 if (output_bound_interface == IFSCOPE_NONE) {
6413 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6414 } else {
6415 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED;
6416 returned_result->routing_result_parameter.scoped_interface_index = output_bound_interface;
6417 }
6418 }
6419
6420 if (local_addr.sa.sa_len == 0 ||
6421 (local_addr.sa.sa_family == AF_INET && local_addr.sin.sin_addr.s_addr == 0) ||
6422 (local_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&local_addr.sin6.sin6_addr))) {
6423 no_local_addr = TRUE;
6424 }
6425
6426 if (remote_addr.sa.sa_len == 0 ||
6427 (remote_addr.sa.sa_family == AF_INET && remote_addr.sin.sin_addr.s_addr == 0) ||
6428 (remote_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr.sin6.sin6_addr))) {
6429 no_remote_addr = TRUE;
6430 remote_family = remote_addr.sa.sa_family;
6431 }
6432
6433 returned_result->routed_interface_index = 0;
6434 struct rtentry *rt = NULL;
6435 if (!no_local_addr && (client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) != 0) {
6436 // Treat the output bound interface as the routed interface for local address
6437 // validation later.
6438 returned_result->routed_interface_index = output_bound_interface;
6439 } else {
6440 if (no_remote_addr) {
6441 memset(&remote_addr, 0, sizeof(remote_addr));
6442 if (remote_family == AF_INET6) {
6443 // Reset address to ::
6444 remote_addr.sa.sa_family = AF_INET6;
6445 remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
6446 } else {
6447 // Reset address to 0.0.0.0
6448 remote_addr.sa.sa_family = AF_INET;
6449 remote_addr.sa.sa_len = sizeof(struct sockaddr_in);
6450 }
6451 }
6452
6453 rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
6454 output_bound_interface);
6455
6456 if (remote_addr.sa.sa_family == AF_INET && rt != NULL &&
6457 IS_INTF_CLAT46(rt->rt_ifp)) {
6458 rtfree(rt);
6459 rt = NULL;
6460 returned_result->routed_interface_index = 0;
6461 }
6462
6463 if (no_remote_addr && remote_family == AF_UNSPEC &&
6464 (rt == NULL || rt->rt_ifp == NULL)) {
6465 // Route lookup for default IPv4 failed, try IPv6
6466
6467 // Cleanup old route if necessary
6468 if (rt != NULL) {
6469 rtfree(rt);
6470 rt = NULL;
6471 }
6472
6473 // Reset address to ::
6474 memset(&remote_addr, 0, sizeof(remote_addr));
6475 remote_addr.sa.sa_family = AF_INET6;
6476 remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
6477
6478 // Get route
6479 rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
6480 output_bound_interface);
6481 }
6482
6483 if (rt != NULL &&
6484 rt->rt_ifp != NULL) {
6485 returned_result->routed_interface_index = rt->rt_ifp->if_index;
6486 /*
6487 * For local addresses, we allow the interface scope to be
6488 * either the loopback interface or the interface hosting the
6489 * local address.
6490 */
6491 if (bound_interface_index != IFSCOPE_NONE &&
6492 rt->rt_ifa != NULL && rt->rt_ifa->ifa_ifp &&
6493 (output_bound_interface == lo_ifp->if_index ||
6494 rt->rt_ifp->if_index == lo_ifp->if_index ||
6495 rt->rt_ifa->ifa_ifp->if_index == bound_interface_index)) {
6496 struct sockaddr_storage dst;
6497 unsigned int ifscope = bound_interface_index;
6498
6499 /*
6500 * Transform dst into the internal routing table form
6501 */
6502 (void) sa_copy((struct sockaddr *)&remote_addr,
6503 &dst, &ifscope);
6504
6505 if ((rt->rt_ifp->if_index == lo_ifp->if_index) ||
6506 rt_ifa_is_dst((struct sockaddr *)&dst, rt->rt_ifa)) {
6507 returned_result->routed_interface_index =
6508 bound_interface_index;
6509 }
6510 }
6511 }
6512 }
6513
6514 if (returned_result->routed_interface_index != 0 &&
6515 returned_result->routed_interface_index != lo_ifp->if_index && // Loopback can accept any local address
6516 !no_local_addr) {
6517 // Transform local_addr into the ifaddr form
6518 // IPv6 Scope IDs are always embedded in the ifaddr list
6519 struct sockaddr_storage local_address_sanitized;
6520 u_int ifscope = IFSCOPE_NONE;
6521 (void)sa_copy(&local_addr.sa, &local_address_sanitized, &ifscope);
6522 SIN(&local_address_sanitized)->sin_port = 0;
6523 if (local_address_sanitized.ss_family == AF_INET6) {
6524 SIN6(&local_address_sanitized)->sin6_scope_id = 0;
6525 }
6526
6527 // Validate local address on routed interface
6528 struct ifaddr *ifa = ifa_ifwithaddr_scoped((struct sockaddr *)&local_address_sanitized, returned_result->routed_interface_index);
6529 if (ifa == NULL) {
6530 // Interface address not found, reject route
6531 returned_result->routed_interface_index = 0;
6532 if (rt != NULL) {
6533 rtfree(rt);
6534 rt = NULL;
6535 }
6536 } else {
6537 ifaddr_release(ifa);
6538 ifa = NULL;
6539 }
6540 }
6541
6542 if (flags != NULL) {
6543 if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) == 0) {
6544 // Check for local/direct
6545 bool is_local = FALSE;
6546 if (rt != NULL && (rt->rt_flags & RTF_LOCAL)) {
6547 is_local = TRUE;
6548 } else if (returned_result->routed_interface_index != 0 &&
6549 !no_remote_addr) {
6550 // Clean up the address before comparison with interface addresses
6551
6552 // Transform remote_addr into the ifaddr form
6553 // IPv6 Scope IDs are always embedded in the ifaddr list
6554 struct sockaddr_storage remote_address_sanitized;
6555 u_int ifscope = IFSCOPE_NONE;
6556 (void)sa_copy(&remote_addr.sa, &remote_address_sanitized, &ifscope);
6557 SIN(&remote_address_sanitized)->sin_port = 0;
6558 if (remote_address_sanitized.ss_family == AF_INET6) {
6559 SIN6(&remote_address_sanitized)->sin6_scope_id = 0;
6560 }
6561
6562 // Check if remote address is an interface address
6563 struct ifaddr *ifa = ifa_ifwithaddr((struct sockaddr *)&remote_address_sanitized);
6564 if (ifa != NULL && ifa->ifa_ifp != NULL) {
6565 u_int if_index_for_remote_addr = ifa->ifa_ifp->if_index;
6566 if (if_index_for_remote_addr == returned_result->routed_interface_index ||
6567 if_index_for_remote_addr == lo_ifp->if_index) {
6568 is_local = TRUE;
6569 }
6570 }
6571 if (ifa != NULL) {
6572 ifaddr_release(ifa);
6573 ifa = NULL;
6574 }
6575 }
6576
6577 if (is_local) {
6578 *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
6579 } else {
6580 if (rt != NULL &&
6581 !(rt->rt_flags & RTF_GATEWAY) &&
6582 (rt->rt_ifa && rt->rt_ifa->ifa_ifp && !(rt->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT))) {
6583 // Route is directly accessible
6584 *flags |= NECP_CLIENT_RESULT_FLAG_IS_DIRECT;
6585 }
6586 }
6587
6588 if (rt != NULL &&
6589 rt->rt_ifp != NULL) {
6590 // Check probe status
6591 if (rt->rt_ifp->if_eflags & IFEF_PROBE_CONNECTIVITY) {
6592 *flags |= NECP_CLIENT_RESULT_FLAG_PROBE_CONNECTIVITY;
6593 }
6594
6595 if (rt->rt_ifp->if_type == IFT_CELLULAR) {
6596 struct if_cellular_status_v1 *ifsr;
6597
6598 ifnet_lock_shared(rt->rt_ifp);
6599 lck_rw_lock_exclusive(&rt->rt_ifp->if_link_status_lock);
6600
6601 if (rt->rt_ifp->if_link_status != NULL) {
6602 ifsr = &rt->rt_ifp->if_link_status->ifsr_u.ifsr_cell.if_cell_u.if_status_v1;
6603
6604 if (ifsr->valid_bitmask & IF_CELL_UL_MSS_RECOMMENDED_VALID) {
6605 if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_NONE) {
6606 returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_NONE;
6607 } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_MEDIUM) {
6608 returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_MEDIUM;
6609 } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_LOW) {
6610 returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_LOW;
6611 }
6612 }
6613 }
6614 lck_rw_done(&rt->rt_ifp->if_link_status_lock);
6615 ifnet_lock_done(rt->rt_ifp);
6616 }
6617
6618 // Check link quality
6619 if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_DISCRETIONARY) &&
6620 (rt->rt_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
6621 rt->rt_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
6622 *flags |= NECP_CLIENT_RESULT_FLAG_LINK_QUALITY_ABORT;
6623 }
6624
6625 // Check QoS marking (fastlane)
6626 for (size_t route_rule_index = 0; route_rule_index < route_rule_id_array_count; route_rule_index++) {
6627 if (necp_update_qos_marking(rt->rt_ifp, route_rule_id_array[route_rule_index])) {
6628 *flags |= NECP_CLIENT_RESULT_FLAG_ALLOW_QOS_MARKING;
6629 // If the route can use QoS markings, stop iterating route rules
6630 break;
6631 }
6632 }
6633
6634 if (IFNET_IS_LOW_POWER(rt->rt_ifp)) {
6635 *flags |= NECP_CLIENT_RESULT_FLAG_INTERFACE_LOW_POWER;
6636 }
6637
6638 if (traffic_class == SO_TC_BK_SYS) {
6639 // Block BK_SYS traffic if interface is throttled
6640 u_int32_t throttle_level = 0;
6641 if (ifnet_get_throttle(rt->rt_ifp, &throttle_level) == 0) {
6642 if (throttle_level == IFNET_THROTTLE_OPPORTUNISTIC) {
6643 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6644 memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
6645 }
6646 }
6647 }
6648 }
6649 }
6650
6651 if (returned_result->routed_interface_index != 0) {
6652 union necp_sockaddr_union default_address;
6653 struct rtentry *v4Route = NULL;
6654 struct rtentry *v6Route = NULL;
6655
6656 memset(&default_address, 0, sizeof(default_address));
6657
6658 // Reset address to 0.0.0.0
6659 default_address.sa.sa_family = AF_INET;
6660 default_address.sa.sa_len = sizeof(struct sockaddr_in);
6661 v4Route = rtalloc1_scoped((struct sockaddr *)&default_address, 0, 0,
6662 returned_result->routed_interface_index);
6663
6664 // Reset address to ::
6665 default_address.sa.sa_family = AF_INET6;
6666 default_address.sa.sa_len = sizeof(struct sockaddr_in6);
6667 v6Route = rtalloc1_scoped((struct sockaddr *)&default_address, 0, 0,
6668 returned_result->routed_interface_index);
6669
6670 if (v4Route != NULL) {
6671 if (v4Route->rt_ifp != NULL && !IS_INTF_CLAT46(v4Route->rt_ifp)) {
6672 *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV4;
6673 }
6674 if (returned_v4_gateway != NULL &&
6675 v4Route->rt_gateway != NULL &&
6676 v4Route->rt_gateway->sa_len == sizeof(returned_v4_gateway->u.sin)) {
6677 memcpy(&returned_v4_gateway->u.sin, v4Route->rt_gateway, sizeof(returned_v4_gateway->u.sin));
6678 memset(&returned_v4_gateway->u.sin.sin_zero, 0, sizeof(returned_v4_gateway->u.sin.sin_zero));
6679 }
6680 rtfree(v4Route);
6681 v4Route = NULL;
6682 }
6683
6684 if (v6Route != NULL) {
6685 if (v6Route->rt_ifp != NULL) {
6686 *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV6;
6687
6688 if (ifnet_get_nat64prefix(v6Route->rt_ifp, NULL) == 0) {
6689 *flags |= NECP_CLIENT_RESULT_FLAG_HAS_NAT64;
6690 }
6691 }
6692 if (returned_v6_gateway != NULL &&
6693 v6Route->rt_gateway != NULL &&
6694 v6Route->rt_gateway->sa_len == sizeof(returned_v6_gateway->u.sin6)) {
6695 memcpy(&returned_v6_gateway->u.sin6, v6Route->rt_gateway, sizeof(returned_v6_gateway->u.sin6));
6696 }
6697 rtfree(v6Route);
6698 v6Route = NULL;
6699 }
6700 }
6701 }
6702
6703 for (size_t route_rule_index = 0; route_rule_index < route_rule_id_array_count; route_rule_index++) {
6704 u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
6705 bool route_is_allowed = necp_route_is_allowed(rt, NULL, route_rule_id_array[route_rule_index], &interface_type_denied);
6706 if (!route_is_allowed) {
6707 // If the route is blocked, treat the lookup as a drop
6708 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6709 memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
6710
6711 if (interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
6712 if (reason != NULL) {
6713 if (interface_type_denied == IFRTYPE_FUNCTIONAL_CELLULAR) {
6714 *reason = NECP_CLIENT_RESULT_REASON_CELLULAR_DENIED;
6715 } else if (interface_type_denied == IFRTYPE_FUNCTIONAL_WIFI_INFRA) {
6716 *reason = NECP_CLIENT_RESULT_REASON_WIFI_DENIED;
6717 }
6718 }
6719 necp_send_application_interface_denied_event(pid, application_uuid, interface_type_denied);
6720 }
6721 // If the route gets denied, stop matching rules
6722 break;
6723 }
6724 }
6725
6726 if (rt != NULL && rt->rt_ifp != NULL) {
6727 const bool expensive_prohibited = ((client_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE) &&
6728 IFNET_IS_EXPENSIVE(rt->rt_ifp));
6729 const bool constrained_prohibited = ((client_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED) &&
6730 IFNET_IS_CONSTRAINED(rt->rt_ifp));
6731 if (reason != NULL) {
6732 if (expensive_prohibited) {
6733 *reason = NECP_CLIENT_RESULT_REASON_EXPENSIVE_PROHIBITED;
6734 } else if (constrained_prohibited) {
6735 *reason = NECP_CLIENT_RESULT_REASON_CONSTRAINED_PROHIBITED;
6736 }
6737 }
6738 if (expensive_prohibited || constrained_prohibited) {
6739 // If the client flags prohibited a property of the interface, treat it as a drop
6740 returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
6741 memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
6742 }
6743 }
6744
6745 if (rt != NULL) {
6746 if (returned_route != NULL) {
6747 *returned_route = rt;
6748 } else {
6749 rtfree(rt);
6750 }
6751 rt = NULL;
6752 }
6753 // Unlock
6754 lck_rw_done(&necp_kernel_policy_lock);
6755
6756 return error;
6757 }
6758
6759 static bool
6760 necp_is_route_local(union necp_sockaddr_union *remote_addr)
6761 {
6762 bool no_remote_addr = FALSE;
6763 u_int8_t remote_family = 0;
6764 struct rtentry *rt = NULL;
6765 bool is_local = FALSE;
6766
6767 if (remote_addr == NULL) {
6768 return NULL;
6769 }
6770
6771 if (remote_addr->sa.sa_len == 0 ||
6772 (remote_addr->sa.sa_family == AF_INET && remote_addr->sin.sin_addr.s_addr == 0) ||
6773 (remote_addr->sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr->sin6.sin6_addr))) {
6774 no_remote_addr = TRUE;
6775 remote_family = remote_addr->sa.sa_family;
6776 }
6777
6778 if (no_remote_addr) {
6779 memset(remote_addr, 0, sizeof(union necp_sockaddr_union));
6780 if (remote_family == AF_INET6) {
6781 // Reset address to ::
6782 remote_addr->sa.sa_family = AF_INET6;
6783 remote_addr->sa.sa_len = sizeof(struct sockaddr_in6);
6784 } else {
6785 // Reset address to 0.0.0.0
6786 remote_addr->sa.sa_family = AF_INET;
6787 remote_addr->sa.sa_len = sizeof(struct sockaddr_in);
6788 }
6789 }
6790
6791 // Lookup route regardless of the scoped interface to check if
6792 // remote address is in a local network.
6793 rt = rtalloc1_scoped((struct sockaddr *)remote_addr, 0, 0, 0);
6794
6795 if (rt == NULL) {
6796 goto done;
6797 }
6798 if (remote_addr->sa.sa_family == AF_INET && IS_INTF_CLAT46(rt->rt_ifp)) {
6799 goto free_rt;
6800 }
6801 is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
6802
6803 free_rt:
6804 rtfree(rt);
6805
6806 done:
6807 return is_local;
6808 }
6809
6810 static bool
6811 necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, bool has_client, uint32_t client_flags, int is_platform_binary, proc_t proc, struct rtentry *rt)
6812 {
6813 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
6814 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
6815 u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_bound_interface->if_index : 0;
6816 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
6817 if (bound_interface_index == cond_bound_interface_index) {
6818 // No match, matches forbidden interface
6819 return FALSE;
6820 }
6821 } else {
6822 if (bound_interface_index != cond_bound_interface_index) {
6823 // No match, does not match required interface
6824 return FALSE;
6825 }
6826 }
6827 } else {
6828 if (bound_interface_index != 0) {
6829 // No match, requires a non-bound packet
6830 return FALSE;
6831 }
6832 }
6833 }
6834
6835 if (kernel_policy->condition_mask == 0) {
6836 return TRUE;
6837 }
6838
6839 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
6840 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
6841 if (app_id == kernel_policy->cond_app_id) {
6842 // No match, matches forbidden application
6843 return FALSE;
6844 }
6845 } else {
6846 if (app_id != kernel_policy->cond_app_id) {
6847 // No match, does not match required application
6848 return FALSE;
6849 }
6850 }
6851 }
6852
6853 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
6854 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
6855 if (real_app_id == kernel_policy->cond_real_app_id) {
6856 // No match, matches forbidden application
6857 return FALSE;
6858 }
6859 } else {
6860 if (real_app_id != kernel_policy->cond_real_app_id) {
6861 // No match, does not match required application
6862 return FALSE;
6863 }
6864 }
6865 }
6866
6867 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
6868 if (!has_client) {
6869 return FALSE;
6870 }
6871 }
6872
6873 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
6874 if (cred_result != 0) {
6875 // Process is missing entitlement
6876 return FALSE;
6877 }
6878 }
6879
6880 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
6881 if (is_platform_binary == 0) {
6882 // Process is not platform binary
6883 return FALSE;
6884 }
6885 }
6886
6887 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
6888 if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_false) {
6889 // Process is missing entitlement based on previous check
6890 return FALSE;
6891 } else if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_unknown) {
6892 if (kernel_policy->cond_custom_entitlement != NULL) {
6893 if (proc == NULL) {
6894 // No process found, cannot check entitlement
6895 return FALSE;
6896 }
6897 task_t task = proc_task(proc);
6898 if (task == NULL ||
6899 !IOTaskHasEntitlement(task, kernel_policy->cond_custom_entitlement)) {
6900 // Process is missing custom entitlement
6901 kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_false;
6902 return FALSE;
6903 } else {
6904 kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_true;
6905 }
6906 }
6907 }
6908 }
6909
6910 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
6911 bool domain_matches = necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy->cond_domain_dot_count);
6912 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) {
6913 if (domain_matches) {
6914 // No match, matches forbidden domain
6915 return FALSE;
6916 }
6917 } else {
6918 if (!domain_matches) {
6919 // No match, does not match required domain
6920 return FALSE;
6921 }
6922 }
6923 }
6924
6925 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
6926 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
6927 if (account_id == kernel_policy->cond_account_id) {
6928 // No match, matches forbidden account
6929 return FALSE;
6930 }
6931 } else {
6932 if (account_id != kernel_policy->cond_account_id) {
6933 // No match, does not match required account
6934 return FALSE;
6935 }
6936 }
6937 }
6938
6939 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID) {
6940 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) {
6941 if (pid == kernel_policy->cond_pid) {
6942 // No match, matches forbidden pid
6943 return FALSE;
6944 }
6945 } else {
6946 if (pid != kernel_policy->cond_pid) {
6947 // No match, does not match required pid
6948 return FALSE;
6949 }
6950 }
6951 }
6952
6953 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_UID) {
6954 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) {
6955 if (uid == kernel_policy->cond_uid) {
6956 // No match, matches forbidden uid
6957 return FALSE;
6958 }
6959 } else {
6960 if (uid != kernel_policy->cond_uid) {
6961 // No match, does not match required uid
6962 return FALSE;
6963 }
6964 }
6965 }
6966
6967 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
6968 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
6969 if (traffic_class >= kernel_policy->cond_traffic_class.start_tc &&
6970 traffic_class <= kernel_policy->cond_traffic_class.end_tc) {
6971 // No match, matches forbidden traffic class
6972 return FALSE;
6973 }
6974 } else {
6975 if (traffic_class < kernel_policy->cond_traffic_class.start_tc ||
6976 traffic_class > kernel_policy->cond_traffic_class.end_tc) {
6977 // No match, does not match required traffic class
6978 return FALSE;
6979 }
6980 }
6981 }
6982
6983 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
6984 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
6985 if (protocol == kernel_policy->cond_protocol) {
6986 // No match, matches forbidden protocol
6987 return FALSE;
6988 }
6989 } else {
6990 if (protocol != kernel_policy->cond_protocol) {
6991 // No match, does not match required protocol
6992 return FALSE;
6993 }
6994 }
6995 }
6996
6997 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
6998 bool matches_agent_type = FALSE;
6999 for (u_int32_t i = 0; i < num_required_agent_types; i++) {
7000 struct necp_client_parameter_netagent_type *required_agent_type = &required_agent_types[i];
7001 if ((strlen(kernel_policy->cond_agent_type.agent_domain) == 0 ||
7002 strncmp(required_agent_type->netagent_domain, kernel_policy->cond_agent_type.agent_domain, NETAGENT_DOMAINSIZE) == 0) &&
7003 (strlen(kernel_policy->cond_agent_type.agent_type) == 0 ||
7004 strncmp(required_agent_type->netagent_type, kernel_policy->cond_agent_type.agent_type, NETAGENT_TYPESIZE) == 0)) {
7005 // Found a required agent that matches
7006 matches_agent_type = TRUE;
7007 break;
7008 }
7009 }
7010 if (!matches_agent_type) {
7011 return FALSE;
7012 }
7013 }
7014
7015 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
7016 bool is_local = FALSE;
7017
7018 if (rt != NULL) {
7019 is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
7020 } else {
7021 is_local = necp_is_route_local(remote);
7022 }
7023
7024 if (!is_local) {
7025 // Either no route to validate or no match for local networks
7026 return FALSE;
7027 }
7028 }
7029
7030 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
7031 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7032 bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
7033 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7034 if (inRange) {
7035 return FALSE;
7036 }
7037 } else {
7038 if (!inRange) {
7039 return FALSE;
7040 }
7041 }
7042 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7043 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
7044 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7045 if (inSubnet) {
7046 return FALSE;
7047 }
7048 } else {
7049 if (!inSubnet) {
7050 return FALSE;
7051 }
7052 }
7053 }
7054 }
7055
7056 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
7057 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7058 bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
7059 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7060 if (inRange) {
7061 return FALSE;
7062 }
7063 } else {
7064 if (!inRange) {
7065 return FALSE;
7066 }
7067 }
7068 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7069 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
7070 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7071 if (inSubnet) {
7072 return FALSE;
7073 }
7074 } else {
7075 if (!inSubnet) {
7076 return FALSE;
7077 }
7078 }
7079 }
7080 }
7081
7082 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
7083 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
7084 if ((client_flags & kernel_policy->cond_client_flags) == kernel_policy->cond_client_flags) {
7085 // Flags do match, and condition is negative, fail.
7086 return FALSE;
7087 }
7088 } else {
7089 if ((client_flags & kernel_policy->cond_client_flags) != kernel_policy->cond_client_flags) {
7090 // Flags do not match, fail.
7091 return FALSE;
7092 }
7093 }
7094 }
7095
7096 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
7097 bool isEmpty = necp_addr_is_empty((struct sockaddr *)local);
7098 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
7099 if (isEmpty) {
7100 return FALSE;
7101 }
7102 } else {
7103 if (!isEmpty) {
7104 return FALSE;
7105 }
7106 }
7107 }
7108
7109 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
7110 bool isEmpty = necp_addr_is_empty((struct sockaddr *)remote);
7111 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
7112 if (isEmpty) {
7113 return FALSE;
7114 }
7115 } else {
7116 if (!isEmpty) {
7117 return FALSE;
7118 }
7119 }
7120 }
7121
7122 return TRUE;
7123 }
7124
7125 static inline u_int32_t
7126 necp_socket_calc_flowhash_locked(struct necp_socket_info *info)
7127 {
7128 return net_flowhash(info, sizeof(*info), necp_kernel_socket_policies_gencount);
7129 }
7130
7131 static void
7132 necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface, u_int32_t drop_order, struct necp_socket_info *info)
7133 {
7134 struct socket *so = NULL;
7135
7136 memset(info, 0, sizeof(struct necp_socket_info));
7137
7138 so = inp->inp_socket;
7139
7140 info->drop_order = drop_order;
7141
7142 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PID) {
7143 info->pid = ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid);
7144 }
7145
7146 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_UID) {
7147 info->uid = kauth_cred_getuid(so->so_cred);
7148 }
7149
7150 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
7151 info->traffic_class = so->so_traffic_class;
7152 }
7153
7154 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
7155 info->has_client = !uuid_is_null(inp->necp_client_uuid);
7156 }
7157
7158 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
7159 info->client_flags = 0;
7160 if (INP_NO_CONSTRAINED(inp)) {
7161 info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED;
7162 }
7163 if (INP_NO_EXPENSIVE(inp)) {
7164 info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE;
7165 }
7166 if (inp->inp_socket->so_flags1 & SOF1_CELLFALLBACK) {
7167 info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_FALLBACK_TRAFFIC;
7168 }
7169 if (inp->inp_socket->so_flags1 & SOF1_INBOUND) {
7170 info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_INBOUND;
7171 }
7172 if (inp->inp_socket->so_options & SO_ACCEPTCONN ||
7173 inp->inp_flags2 & INP2_EXTERNAL_PORT) {
7174 info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_LISTENER;
7175 }
7176 }
7177
7178 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7179 if (inp->inp_ip_p) {
7180 info->protocol = inp->inp_ip_p;
7181 } else {
7182 info->protocol = SOCK_PROTO(so);
7183 }
7184 }
7185
7186 if (inp->inp_flags2 & INP2_WANT_APP_POLICY && necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
7187 struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid));
7188 if (existing_mapping) {
7189 info->application_id = existing_mapping->id;
7190 }
7191
7192 if (!(so->so_flags & SOF_DELEGATED)) {
7193 info->real_application_id = info->application_id;
7194 } else if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
7195 struct necp_uuid_id_mapping *real_existing_mapping = necp_uuid_lookup_app_id_locked(so->last_uuid);
7196 if (real_existing_mapping) {
7197 info->real_application_id = real_existing_mapping->id;
7198 }
7199 }
7200
7201 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
7202 info->cred_result = priv_check_cred(so->so_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
7203 if (info->cred_result != 0) {
7204 // Process does not have entitlement, check the parent process
7205 necp_get_parent_cred_result(NULL, info);
7206 }
7207 }
7208
7209 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
7210 info->is_platform_binary = csproc_get_platform_binary(current_proc()) ? true : false;
7211 }
7212 }
7213
7214 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && inp->inp_necp_attributes.inp_account != NULL) {
7215 struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, inp->inp_necp_attributes.inp_account);
7216 if (existing_mapping) {
7217 info->account_id = existing_mapping->id;
7218 }
7219 }
7220
7221 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
7222 info->domain = inp->inp_necp_attributes.inp_domain;
7223 }
7224
7225 if (override_bound_interface) {
7226 info->bound_interface_index = override_bound_interface;
7227 } else {
7228 if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp) {
7229 info->bound_interface_index = inp->inp_boundifp->if_index;
7230 }
7231 }
7232
7233 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
7234 if (override_local_addr != NULL) {
7235 if (override_local_addr->sa_family == AF_INET6 && override_local_addr->sa_len <= sizeof(struct sockaddr_in6)) {
7236 memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
7237 if (IN6_IS_ADDR_V4MAPPED(&(info->local_addr.sin6.sin6_addr))) {
7238 struct sockaddr_in sin;
7239 in6_sin6_2_sin(&sin, &(info->local_addr.sin6));
7240 memset(&info->local_addr, 0, sizeof(union necp_sockaddr_union));
7241 memcpy(&info->local_addr, &sin, sin.sin_len);
7242 }
7243 } else if (override_local_addr->sa_family == AF_INET && override_local_addr->sa_len <= sizeof(struct sockaddr_in)) {
7244 memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
7245 }
7246 } else {
7247 if (inp->inp_vflag & INP_IPV4) {
7248 ((struct sockaddr_in *)&info->local_addr)->sin_family = AF_INET;
7249 ((struct sockaddr_in *)&info->local_addr)->sin_len = sizeof(struct sockaddr_in);
7250 ((struct sockaddr_in *)&info->local_addr)->sin_port = inp->inp_lport;
7251 memcpy(&((struct sockaddr_in *)&info->local_addr)->sin_addr, &inp->inp_laddr, sizeof(struct in_addr));
7252 } else if (inp->inp_vflag & INP_IPV6) {
7253 ((struct sockaddr_in6 *)&info->local_addr)->sin6_family = AF_INET6;
7254 ((struct sockaddr_in6 *)&info->local_addr)->sin6_len = sizeof(struct sockaddr_in6);
7255 ((struct sockaddr_in6 *)&info->local_addr)->sin6_port = inp->inp_lport;
7256 memcpy(&((struct sockaddr_in6 *)&info->local_addr)->sin6_addr, &inp->in6p_laddr, sizeof(struct in6_addr));
7257 }
7258 }
7259
7260 if (override_remote_addr != NULL) {
7261 if (override_remote_addr->sa_family == AF_INET6 && override_remote_addr->sa_len <= sizeof(struct sockaddr_in6)) {
7262 memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
7263 if (IN6_IS_ADDR_V4MAPPED(&(info->remote_addr.sin6.sin6_addr))) {
7264 struct sockaddr_in sin;
7265 in6_sin6_2_sin(&sin, &(info->remote_addr.sin6));
7266 memset(&info->remote_addr, 0, sizeof(union necp_sockaddr_union));
7267 memcpy(&info->remote_addr, &sin, sin.sin_len);
7268 }
7269 } else if (override_remote_addr->sa_family == AF_INET && override_remote_addr->sa_len <= sizeof(struct sockaddr_in)) {
7270 memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
7271 }
7272 } else {
7273 if (inp->inp_vflag & INP_IPV4) {
7274 ((struct sockaddr_in *)&info->remote_addr)->sin_family = AF_INET;
7275 ((struct sockaddr_in *)&info->remote_addr)->sin_len = sizeof(struct sockaddr_in);
7276 ((struct sockaddr_in *)&info->remote_addr)->sin_port = inp->inp_fport;
7277 memcpy(&((struct sockaddr_in *)&info->remote_addr)->sin_addr, &inp->inp_faddr, sizeof(struct in_addr));
7278 } else if (inp->inp_vflag & INP_IPV6) {
7279 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_family = AF_INET6;
7280 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
7281 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_port = inp->inp_fport;
7282 memcpy(&((struct sockaddr_in6 *)&info->remote_addr)->sin6_addr, &inp->in6p_faddr, sizeof(struct in6_addr));
7283 }
7284 }
7285 }
7286 }
7287
7288 static inline struct necp_kernel_socket_policy *
7289 necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info,
7290 necp_kernel_policy_filter *return_filter,
7291 u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count,
7292 necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service,
7293 u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count,
7294 struct necp_client_parameter_netagent_type *required_agent_types,
7295 u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt,
7296 necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
7297 {
7298 struct necp_kernel_socket_policy *matched_policy = NULL;
7299 u_int32_t skip_order = 0;
7300 u_int32_t skip_session_order = 0;
7301 size_t route_rule_id_count = 0;
7302 int i;
7303 size_t netagent_cursor = 0;
7304 necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
7305 if (return_drop_all_bypass != NULL) {
7306 *return_drop_all_bypass = drop_all_bypass;
7307 }
7308
7309 // Pre-process domain for quick matching
7310 struct substring domain_substring = necp_trim_dots_and_stars(info->domain, info->domain ? strlen(info->domain) : 0);
7311 u_int8_t domain_dot_count = necp_count_dots(domain_substring.string, domain_substring.length);
7312
7313 if (return_filter != NULL) {
7314 *return_filter = 0;
7315 }
7316
7317 if (return_route_rule_id_array_count != NULL) {
7318 *return_route_rule_id_array_count = 0;
7319 }
7320
7321 if (return_service_action != NULL) {
7322 *return_service_action = 0;
7323 }
7324
7325 if (return_service != NULL) {
7326 return_service->identifier = 0;
7327 return_service->data = 0;
7328 }
7329
7330 // Do not subject layer-2 filter to NECP policies, return a PASS policy
7331 if (necp_pass_interpose > 0 && info->client_flags & NECP_CLIENT_PARAMETER_FLAG_INTERPOSE) {
7332 return &pass_policy;
7333 }
7334
7335 *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
7336
7337 if (policy_search_array != NULL) {
7338 for (i = 0; policy_search_array[i] != NULL; i++) {
7339 if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
7340 // We've hit a drop all rule
7341 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
7342 drop_all_bypass = necp_check_drop_all_bypass_result(proc);
7343 if (return_drop_all_bypass != NULL) {
7344 *return_drop_all_bypass = drop_all_bypass;
7345 }
7346 }
7347 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
7348 break;
7349 }
7350 }
7351 if (necp_drop_dest_policy.entry_count != 0 &&
7352 necp_address_matches_drop_dest_policy(&info->remote_addr, policy_search_array[i]->session_order)) {
7353 // We've hit a drop by destination address rule
7354 *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_DROP;
7355 break;
7356 }
7357 if (info->drop_order != 0 && policy_search_array[i]->session_order >= info->drop_order) {
7358 // We've hit a drop order for this socket
7359 break;
7360 }
7361 if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
7362 // Done skipping
7363 skip_order = 0;
7364 skip_session_order = 0;
7365 }
7366 if (skip_order) {
7367 if (policy_search_array[i]->order < skip_order) {
7368 // Skip this policy
7369 continue;
7370 } else {
7371 // Done skipping
7372 skip_order = 0;
7373 skip_session_order = 0;
7374 }
7375 } else if (skip_session_order) {
7376 // Skip this policy
7377 continue;
7378 }
7379
7380 if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr, required_agent_types, num_required_agent_types, info->has_client, info->client_flags, info->is_platform_binary, proc, rt)) {
7381 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
7382 if (return_filter && *return_filter != NECP_FILTER_UNIT_NO_FILTER) {
7383 necp_kernel_policy_filter control_unit = policy_search_array[i]->result_parameter.filter_control_unit;
7384 if (control_unit == NECP_FILTER_UNIT_NO_FILTER) {
7385 *return_filter = control_unit;
7386 } else {
7387 *return_filter |= control_unit;
7388 }
7389 if (necp_debug > 1) {
7390 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Filter %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.filter_control_unit);
7391 }
7392 }
7393 continue;
7394 } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
7395 if (return_route_rule_id_array && route_rule_id_count < route_rule_id_array_count) {
7396 return_route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
7397 if (necp_debug > 1) {
7398 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Route Rule %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.route_rule_id);
7399 }
7400 }
7401 continue;
7402 } else if (necp_kernel_socket_result_is_trigger_service_type(policy_search_array[i])) {
7403 if (return_service_action && *return_service_action == 0) {
7404 *return_service_action = policy_search_array[i]->result;
7405 if (necp_debug > 1) {
7406 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Service Action %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result);
7407 }
7408 }
7409 if (return_service && return_service->identifier == 0) {
7410 return_service->identifier = policy_search_array[i]->result_parameter.service.identifier;
7411 return_service->data = policy_search_array[i]->result_parameter.service.data;
7412 if (necp_debug > 1) {
7413 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Service ID %d Data %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.service.identifier, policy_search_array[i]->result_parameter.service.data);
7414 }
7415 }
7416 continue;
7417 } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
7418 policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
7419 if (return_netagent_array != NULL &&
7420 netagent_cursor < netagent_array_count) {
7421 return_netagent_array[netagent_cursor] = policy_search_array[i]->result_parameter.netagent_id;
7422 if (return_netagent_use_flags_array != NULL &&
7423 policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
7424 return_netagent_use_flags_array[netagent_cursor] |= NECP_AGENT_USE_FLAG_SCOPE;
7425 }
7426 netagent_cursor++;
7427 if (necp_debug > 1) {
7428 NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) %s Netagent %d",
7429 info->application_id, info->real_application_id, info->bound_interface_index, info->protocol,
7430 policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ? "Use" : "Scope",
7431 policy_search_array[i]->result_parameter.netagent_id);
7432 }
7433 }
7434 continue;
7435 }
7436
7437 // Matched policy is a skip. Do skip and continue.
7438 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
7439 skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
7440 skip_session_order = policy_search_array[i]->session_order + 1;
7441 if (skip_policy_id) {
7442 *skip_policy_id = policy_search_array[i]->id;
7443 }
7444 continue;
7445 }
7446
7447 // Matched an allow unentitled, which clears any drop order
7448 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED) {
7449 info->drop_order = 0;
7450 continue;
7451 }
7452
7453 // Passed all tests, found a match
7454 matched_policy = policy_search_array[i];
7455 break;
7456 }
7457 }
7458 }
7459
7460 if (return_route_rule_id_array_count != NULL) {
7461 *return_route_rule_id_array_count = route_rule_id_count;
7462 }
7463 return matched_policy;
7464 }
7465
7466 static bool
7467 necp_socket_uses_interface(struct inpcb *inp, u_int32_t interface_index)
7468 {
7469 bool found_match = FALSE;
7470 errno_t result = 0;
7471 ifaddr_t *addresses = NULL;
7472 union necp_sockaddr_union address_storage;
7473 int i;
7474 int family = AF_INET;
7475 ifnet_t interface = ifindex2ifnet[interface_index];
7476
7477 if (inp == NULL || interface == NULL) {
7478 return FALSE;
7479 }
7480
7481 if (inp->inp_vflag & INP_IPV4) {
7482 family = AF_INET;
7483 } else if (inp->inp_vflag & INP_IPV6) {
7484 family = AF_INET6;
7485 }
7486
7487 result = ifnet_get_address_list_family(interface, &addresses, family);
7488 if (result != 0) {
7489 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
7490 return FALSE;
7491 }
7492
7493 for (i = 0; addresses[i] != NULL; i++) {
7494 if (ifaddr_address(addresses[i], &address_storage.sa, sizeof(address_storage)) == 0) {
7495 if (family == AF_INET) {
7496 if (memcmp(&address_storage.sin.sin_addr, &inp->inp_laddr, sizeof(inp->inp_laddr)) == 0) {
7497 found_match = TRUE;
7498 goto done;
7499 }
7500 } else if (family == AF_INET6) {
7501 if (memcmp(&address_storage.sin6.sin6_addr, &inp->in6p_laddr, sizeof(inp->in6p_laddr)) == 0) {
7502 found_match = TRUE;
7503 goto done;
7504 }
7505 }
7506 }
7507 }
7508
7509 done:
7510 ifnet_free_address_list(addresses);
7511 addresses = NULL;
7512 return found_match;
7513 }
7514
7515 static inline bool
7516 necp_socket_is_connected(struct inpcb *inp)
7517 {
7518 return inp->inp_socket->so_state & (SS_ISCONNECTING | SS_ISCONNECTED | SS_ISDISCONNECTING);
7519 }
7520
7521 static inline bool
7522 necp_socket_bypass(struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, struct inpcb *inp)
7523 {
7524 if (necp_pass_loopback > 0 && necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL, IFSCOPE_NONE)) {
7525 return true;
7526 } else if (necp_is_intcoproc(inp, NULL)) {
7527 return true;
7528 }
7529
7530 return false;
7531 }
7532
7533 necp_kernel_policy_id
7534 necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface)
7535 {
7536 struct socket *so = NULL;
7537 necp_kernel_policy_filter filter_control_unit = 0;
7538 struct necp_kernel_socket_policy *matched_policy = NULL;
7539 necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
7540 necp_kernel_policy_result service_action = 0;
7541 necp_kernel_policy_service service = { 0, 0 };
7542 u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
7543 necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
7544
7545 u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
7546 memset(&netagent_ids, 0, sizeof(netagent_ids));
7547 int netagent_cursor;
7548
7549 struct necp_socket_info info;
7550
7551 if (inp == NULL) {
7552 return NECP_KERNEL_POLICY_ID_NONE;
7553 }
7554
7555 // Ignore invalid addresses
7556 if (override_local_addr != NULL &&
7557 !necp_address_is_valid(override_local_addr)) {
7558 override_local_addr = NULL;
7559 }
7560 if (override_remote_addr != NULL &&
7561 !necp_address_is_valid(override_remote_addr)) {
7562 override_remote_addr = NULL;
7563 }
7564
7565 so = inp->inp_socket;
7566
7567 u_int32_t drop_order = necp_process_drop_order(so->so_cred);
7568
7569 // Don't lock. Possible race condition, but we don't want the performance hit.
7570 if (necp_kernel_socket_policies_count == 0 ||
7571 (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
7572 if (necp_drop_all_order > 0 || drop_order > 0) {
7573 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7574 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7575 inp->inp_policyresult.policy_gencount = 0;
7576 inp->inp_policyresult.app_id = 0;
7577 inp->inp_policyresult.flowhash = 0;
7578 inp->inp_policyresult.results.filter_control_unit = 0;
7579 inp->inp_policyresult.results.route_rule_id = 0;
7580 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
7581 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
7582 } else {
7583 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7584 }
7585 }
7586 return NECP_KERNEL_POLICY_ID_NONE;
7587 }
7588
7589 // Check for loopback exception
7590 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
7591 // Mark socket as a pass
7592 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7593 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7594 inp->inp_policyresult.policy_gencount = 0;
7595 inp->inp_policyresult.app_id = 0;
7596 inp->inp_policyresult.flowhash = 0;
7597 inp->inp_policyresult.results.filter_control_unit = 0;
7598 inp->inp_policyresult.results.route_rule_id = 0;
7599 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
7600 return NECP_KERNEL_POLICY_ID_NONE;
7601 }
7602
7603 // Lock
7604 lck_rw_lock_shared(&necp_kernel_policy_lock);
7605
7606 necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, drop_order, &info);
7607 inp->inp_policyresult.app_id = info.application_id;
7608
7609 // Check info
7610 u_int32_t flowhash = necp_socket_calc_flowhash_locked(&info);
7611 if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
7612 inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
7613 inp->inp_policyresult.flowhash == flowhash) {
7614 // If already matched this socket on this generation of table, skip
7615
7616 // Unlock
7617 lck_rw_done(&necp_kernel_policy_lock);
7618
7619 return inp->inp_policyresult.policy_id;
7620 }
7621
7622 // Match socket to policy
7623 necp_kernel_policy_id skip_policy_id;
7624 u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
7625 size_t route_rule_id_array_count = 0;
7626 matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, current_proc(), &skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass);
7627
7628 // If the socket matched a scoped service policy, mark as Drop if not registered.
7629 // This covers the cases in which a service is required (on demand) but hasn't started yet.
7630 if ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
7631 service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
7632 service.identifier != 0 &&
7633 service.identifier != NECP_NULL_SERVICE_ID) {
7634 bool service_is_registered = FALSE;
7635 struct necp_service_registration *service_registration = NULL;
7636 LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
7637 if (service.identifier == service_registration->service_id) {
7638 service_is_registered = TRUE;
7639 break;
7640 }
7641 }
7642 if (!service_is_registered) {
7643 // Mark socket as a drop if service is not registered
7644 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7645 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7646 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7647 inp->inp_policyresult.flowhash = flowhash;
7648 inp->inp_policyresult.results.filter_control_unit = 0;
7649 inp->inp_policyresult.results.route_rule_id = 0;
7650 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7651
7652 if (necp_debug > 1) {
7653 NECPLOG(LOG_DEBUG, "Socket Policy: (BoundInterface %d Proto %d) Dropping packet because service is not registered", info.bound_interface_index, info.protocol);
7654 }
7655
7656 // Unlock
7657 lck_rw_done(&necp_kernel_policy_lock);
7658 return NECP_KERNEL_POLICY_ID_NONE;
7659 }
7660 }
7661 // Verify netagents
7662 for (netagent_cursor = 0; netagent_cursor < NECP_MAX_NETAGENTS; netagent_cursor++) {
7663 struct necp_uuid_id_mapping *mapping = NULL;
7664 u_int32_t netagent_id = netagent_ids[netagent_cursor];
7665 if (netagent_id == 0) {
7666 break;
7667 }
7668 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
7669 if (mapping != NULL) {
7670 u_int32_t agent_flags = 0;
7671 agent_flags = netagent_get_flags(mapping->uuid);
7672 if (agent_flags & NETAGENT_FLAG_REGISTERED) {
7673 if (agent_flags & NETAGENT_FLAG_ACTIVE) {
7674 continue;
7675 } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
7676 if (agent_flags & NETAGENT_FLAG_KERNEL_ACTIVATED) {
7677 int trigger_error = 0;
7678 trigger_error = netagent_kernel_trigger(mapping->uuid);
7679 if (necp_debug > 1) {
7680 NECPLOG(LOG_DEBUG, "Socket Policy: Triggering inactive agent, error %d", trigger_error);
7681 }
7682 }
7683
7684 // Mark socket as a drop if required agent is not active
7685 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7686 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7687 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7688 inp->inp_policyresult.flowhash = flowhash;
7689 inp->inp_policyresult.results.filter_control_unit = 0;
7690 inp->inp_policyresult.results.route_rule_id = 0;
7691 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7692
7693 if (necp_debug > 1) {
7694 NECPLOG(LOG_DEBUG, "Socket Policy: (BoundInterface %d Proto %d) Dropping packet because agent is not active", info.bound_interface_index, info.protocol);
7695 }
7696
7697 // Unlock
7698 lck_rw_done(&necp_kernel_policy_lock);
7699 return NECP_KERNEL_POLICY_ID_NONE;
7700 }
7701 }
7702 }
7703 }
7704
7705 u_int32_t route_rule_id = 0;
7706 if (route_rule_id_array_count == 1) {
7707 route_rule_id = route_rule_id_array[0];
7708 } else if (route_rule_id_array_count > 1) {
7709 route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
7710 }
7711
7712 bool reset_tcp_mss = false;
7713 if (matched_policy) {
7714 matched_policy_id = matched_policy->id;
7715 inp->inp_policyresult.policy_id = matched_policy->id;
7716 inp->inp_policyresult.skip_policy_id = skip_policy_id;
7717 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7718 inp->inp_policyresult.flowhash = flowhash;
7719 inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
7720 inp->inp_policyresult.results.route_rule_id = route_rule_id;
7721 inp->inp_policyresult.results.result = matched_policy->result;
7722 memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
7723
7724 if (necp_socket_is_connected(inp) &&
7725 (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
7726 (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && !necp_socket_uses_interface(inp, matched_policy->result_parameter.tunnel_interface_index)))) {
7727 if (necp_debug) {
7728 NECPLOG(LOG_DEBUG, "Marking socket in state %d as defunct", so->so_state);
7729 }
7730 sosetdefunct(current_proc(), so, SHUTDOWN_SOCKET_LEVEL_NECP | SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL, TRUE);
7731 } else if (necp_socket_is_connected(inp) &&
7732 matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
7733 info.protocol == IPPROTO_TCP) {
7734 // Reset MSS on TCP socket if tunnel policy changes
7735 reset_tcp_mss = true;
7736 }
7737
7738 if (necp_debug > 1) {
7739 NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
7740 }
7741 } else {
7742 bool drop_all = false;
7743 if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
7744 // Mark socket as a drop if set
7745 drop_all = true;
7746 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
7747 drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
7748 }
7749 }
7750 if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
7751 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7752 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7753 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7754 inp->inp_policyresult.flowhash = flowhash;
7755 inp->inp_policyresult.results.filter_control_unit = 0;
7756 inp->inp_policyresult.results.route_rule_id = 0;
7757 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
7758 } else {
7759 // Mark non-matching socket so we don't re-check it
7760 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7761 inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
7762 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
7763 inp->inp_policyresult.flowhash = flowhash;
7764 inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
7765 inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
7766 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
7767 }
7768 }
7769
7770 // Unlock
7771 lck_rw_done(&necp_kernel_policy_lock);
7772
7773 if (reset_tcp_mss) {
7774 // Update MSS when not holding the policy lock to avoid recursive locking
7775 tcp_mtudisc(inp, 0);
7776 }
7777
7778 return matched_policy_id;
7779 }
7780
7781 static bool
7782 necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct rtentry *rt)
7783 {
7784 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
7785 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
7786 u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_bound_interface->if_index : 0;
7787 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
7788 if (bound_interface_index == cond_bound_interface_index) {
7789 // No match, matches forbidden interface
7790 return FALSE;
7791 }
7792 } else {
7793 if (bound_interface_index != cond_bound_interface_index) {
7794 // No match, does not match required interface
7795 return FALSE;
7796 }
7797 }
7798 } else {
7799 if (bound_interface_index != 0) {
7800 // No match, requires a non-bound packet
7801 return FALSE;
7802 }
7803 }
7804 }
7805
7806 if (kernel_policy->condition_mask == 0) {
7807 return TRUE;
7808 }
7809
7810 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
7811 necp_kernel_policy_id matched_policy_id =
7812 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP ? socket_skip_policy_id : socket_policy_id;
7813 if (matched_policy_id != kernel_policy->cond_policy_id) {
7814 // No match, does not match required id
7815 return FALSE;
7816 }
7817 }
7818
7819 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
7820 if (last_interface_index != kernel_policy->cond_last_interface_index) {
7821 return FALSE;
7822 }
7823 }
7824
7825 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7826 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
7827 if (protocol == kernel_policy->cond_protocol) {
7828 // No match, matches forbidden protocol
7829 return FALSE;
7830 }
7831 } else {
7832 if (protocol != kernel_policy->cond_protocol) {
7833 // No match, does not match required protocol
7834 return FALSE;
7835 }
7836 }
7837 }
7838
7839 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
7840 bool is_local = FALSE;
7841
7842 if (rt != NULL) {
7843 is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
7844 } else {
7845 is_local = necp_is_route_local(remote);
7846 }
7847
7848 if (!is_local) {
7849 // Either no route to validate or no match for local networks
7850 return FALSE;
7851 }
7852 }
7853
7854 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
7855 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7856 bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
7857 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
7858 if (inRange) {
7859 return FALSE;
7860 }
7861 } else {
7862 if (!inRange) {
7863 return FALSE;
7864 }
7865 }
7866 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7867 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
7868 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
7869 if (inSubnet) {
7870 return FALSE;
7871 }
7872 } else {
7873 if (!inSubnet) {
7874 return FALSE;
7875 }
7876 }
7877 }
7878 }
7879
7880 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
7881 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7882 bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
7883 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
7884 if (inRange) {
7885 return FALSE;
7886 }
7887 } else {
7888 if (!inRange) {
7889 return FALSE;
7890 }
7891 }
7892 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7893 bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
7894 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
7895 if (inSubnet) {
7896 return FALSE;
7897 }
7898 } else {
7899 if (!inSubnet) {
7900 return FALSE;
7901 }
7902 }
7903 }
7904 }
7905
7906 return TRUE;
7907 }
7908
7909 static inline struct necp_kernel_ip_output_policy *
7910 necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, struct rtentry *rt, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
7911 {
7912 u_int32_t skip_order = 0;
7913 u_int32_t skip_session_order = 0;
7914 struct necp_kernel_ip_output_policy *matched_policy = NULL;
7915 struct necp_kernel_ip_output_policy **policy_search_array = necp_kernel_ip_output_policies_map[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(socket_policy_id)];
7916 u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
7917 size_t route_rule_id_count = 0;
7918 necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
7919 if (return_drop_all_bypass != NULL) {
7920 *return_drop_all_bypass = drop_all_bypass;
7921 }
7922
7923 if (return_route_rule_id != NULL) {
7924 *return_route_rule_id = 0;
7925 }
7926
7927 *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
7928
7929 if (policy_search_array != NULL) {
7930 for (int i = 0; policy_search_array[i] != NULL; i++) {
7931 if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
7932 // We've hit a drop all rule
7933 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
7934 drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
7935 if (return_drop_all_bypass != NULL) {
7936 *return_drop_all_bypass = drop_all_bypass;
7937 }
7938 }
7939 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
7940 break;
7941 }
7942 }
7943 if (necp_drop_dest_policy.entry_count > 0 &&
7944 necp_address_matches_drop_dest_policy(remote_addr, policy_search_array[i]->session_order)) {
7945 // We've hit a drop by destination address rule
7946 *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_DROP;
7947 break;
7948 }
7949 if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
7950 // Done skipping
7951 skip_order = 0;
7952 skip_session_order = 0;
7953 }
7954 if (skip_order) {
7955 if (policy_search_array[i]->order < skip_order) {
7956 // Skip this policy
7957 continue;
7958 } else {
7959 // Done skipping
7960 skip_order = 0;
7961 skip_session_order = 0;
7962 }
7963 } else if (skip_session_order) {
7964 // Skip this policy
7965 continue;
7966 }
7967
7968 if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr, rt)) {
7969 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
7970 if (return_route_rule_id != NULL && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
7971 route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
7972 }
7973 continue;
7974 } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
7975 skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
7976 skip_session_order = policy_search_array[i]->session_order + 1;
7977 continue;
7978 }
7979
7980 // Passed all tests, found a match
7981 matched_policy = policy_search_array[i];
7982 break;
7983 }
7984 }
7985 }
7986
7987 if (route_rule_id_count == 1) {
7988 *return_route_rule_id = route_rule_id_array[0];
7989 } else if (route_rule_id_count > 1) {
7990 *return_route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
7991 }
7992
7993 return matched_policy;
7994 }
7995
7996 static inline bool
7997 necp_output_bypass(struct mbuf *packet)
7998 {
7999 if (necp_pass_loopback > 0 && necp_is_loopback(NULL, NULL, NULL, packet, IFSCOPE_NONE)) {
8000 return true;
8001 }
8002 if (necp_pass_keepalives > 0 && necp_get_is_keepalive_from_packet(packet)) {
8003 return true;
8004 }
8005 if (necp_is_intcoproc(NULL, packet)) {
8006 return true;
8007 }
8008 return false;
8009 }
8010
8011 necp_kernel_policy_id
8012 necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_args *ipoa, struct rtentry *rt,
8013 necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
8014 {
8015 struct ip *ip = NULL;
8016 int hlen = sizeof(struct ip);
8017 necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8018 necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8019 necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8020 struct necp_kernel_ip_output_policy *matched_policy = NULL;
8021 u_int16_t protocol = 0;
8022 u_int32_t bound_interface_index = 0;
8023 u_int32_t last_interface_index = 0;
8024 union necp_sockaddr_union local_addr;
8025 union necp_sockaddr_union remote_addr;
8026 u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
8027 necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
8028
8029 if (result) {
8030 *result = 0;
8031 }
8032
8033 if (result_parameter) {
8034 memset(result_parameter, 0, sizeof(*result_parameter));
8035 }
8036
8037 if (packet == NULL) {
8038 return NECP_KERNEL_POLICY_ID_NONE;
8039 }
8040
8041 socket_policy_id = necp_get_policy_id_from_packet(packet);
8042 socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
8043
8044 // Exit early for an empty list
8045 // Don't lock. Possible race condition, but we don't want the performance hit.
8046 if (necp_kernel_ip_output_policies_count == 0 ||
8047 (socket_policy_id == NECP_KERNEL_POLICY_ID_NONE && necp_kernel_ip_output_policies_non_id_count == 0 && necp_drop_dest_policy.entry_count == 0)) {
8048 if (necp_drop_all_order > 0) {
8049 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8050 if (result) {
8051 if (necp_output_bypass(packet)) {
8052 *result = NECP_KERNEL_POLICY_RESULT_PASS;
8053 } else {
8054 *result = NECP_KERNEL_POLICY_RESULT_DROP;
8055 }
8056 }
8057 }
8058
8059 return matched_policy_id;
8060 }
8061
8062 // Check for loopback exception
8063 if (necp_output_bypass(packet)) {
8064 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8065 if (result) {
8066 *result = NECP_KERNEL_POLICY_RESULT_PASS;
8067 }
8068 return matched_policy_id;
8069 }
8070
8071 last_interface_index = necp_get_last_interface_index_from_packet(packet);
8072
8073 // Process packet to get relevant fields
8074 ip = mtod(packet, struct ip *);
8075 #ifdef _IP_VHL
8076 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
8077 #else
8078 hlen = ip->ip_hl << 2;
8079 #endif
8080
8081 protocol = ip->ip_p;
8082
8083 if ((flags & IP_OUTARGS) && (ipoa != NULL) &&
8084 (ipoa->ipoa_flags & IPOAF_BOUND_IF) &&
8085 ipoa->ipoa_boundif != IFSCOPE_NONE) {
8086 bound_interface_index = ipoa->ipoa_boundif;
8087 }
8088
8089 local_addr.sin.sin_family = AF_INET;
8090 local_addr.sin.sin_len = sizeof(struct sockaddr_in);
8091 memcpy(&local_addr.sin.sin_addr, &ip->ip_src, sizeof(ip->ip_src));
8092
8093 remote_addr.sin.sin_family = AF_INET;
8094 remote_addr.sin.sin_len = sizeof(struct sockaddr_in);
8095 memcpy(&((struct sockaddr_in *)&remote_addr)->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
8096
8097 switch (protocol) {
8098 case IPPROTO_TCP: {
8099 struct tcphdr th;
8100 if ((int)(hlen + sizeof(th)) <= packet->m_pkthdr.len) {
8101 m_copydata(packet, hlen, sizeof(th), (u_int8_t *)&th);
8102 ((struct sockaddr_in *)&local_addr)->sin_port = th.th_sport;
8103 ((struct sockaddr_in *)&remote_addr)->sin_port = th.th_dport;
8104 }
8105 break;
8106 }
8107 case IPPROTO_UDP: {
8108 struct udphdr uh;
8109 if ((int)(hlen + sizeof(uh)) <= packet->m_pkthdr.len) {
8110 m_copydata(packet, hlen, sizeof(uh), (u_int8_t *)&uh);
8111 ((struct sockaddr_in *)&local_addr)->sin_port = uh.uh_sport;
8112 ((struct sockaddr_in *)&remote_addr)->sin_port = uh.uh_dport;
8113 }
8114 break;
8115 }
8116 default: {
8117 ((struct sockaddr_in *)&local_addr)->sin_port = 0;
8118 ((struct sockaddr_in *)&remote_addr)->sin_port = 0;
8119 break;
8120 }
8121 }
8122
8123 // Match packet to policy
8124 lck_rw_lock_shared(&necp_kernel_policy_lock);
8125 u_int32_t route_rule_id = 0;
8126 matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
8127 if (matched_policy) {
8128 matched_policy_id = matched_policy->id;
8129 if (result) {
8130 *result = matched_policy->result;
8131 }
8132
8133 if (result_parameter) {
8134 memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
8135 }
8136
8137 if (route_rule_id != 0 &&
8138 packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
8139 packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
8140 }
8141
8142 if (necp_debug > 1) {
8143 NECPLOG(LOG_DEBUG, "IP Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d Route Rule %u", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index, route_rule_id);
8144 }
8145 } else {
8146 bool drop_all = false;
8147 /*
8148 * Apply drop-all only to packets which have never matched a primary policy (check
8149 * if the packet saved policy id is none or falls within the socket policy id range).
8150 */
8151 if (socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP &&
8152 (necp_drop_all_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP)) {
8153 drop_all = true;
8154 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
8155 drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
8156 }
8157 }
8158 if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
8159 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8160 if (result) {
8161 *result = NECP_KERNEL_POLICY_RESULT_DROP;
8162 }
8163 } else if (route_rule_id != 0 &&
8164 packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
8165 // If we matched a route rule, mark it
8166 packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
8167 }
8168 }
8169
8170 lck_rw_done(&necp_kernel_policy_lock);
8171
8172 return matched_policy_id;
8173 }
8174
8175 necp_kernel_policy_id
8176 necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out_args *ip6oa, struct rtentry *rt,
8177 necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
8178 {
8179 struct ip6_hdr *ip6 = NULL;
8180 int next = -1;
8181 int offset = 0;
8182 necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8183 necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8184 necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8185 struct necp_kernel_ip_output_policy *matched_policy = NULL;
8186 u_int16_t protocol = 0;
8187 u_int32_t bound_interface_index = 0;
8188 u_int32_t last_interface_index = 0;
8189 union necp_sockaddr_union local_addr;
8190 union necp_sockaddr_union remote_addr;
8191 u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
8192 necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
8193
8194 if (result) {
8195 *result = 0;
8196 }
8197
8198 if (result_parameter) {
8199 memset(result_parameter, 0, sizeof(*result_parameter));
8200 }
8201
8202 if (packet == NULL) {
8203 return NECP_KERNEL_POLICY_ID_NONE;
8204 }
8205
8206 socket_policy_id = necp_get_policy_id_from_packet(packet);
8207 socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
8208
8209 // Exit early for an empty list
8210 // Don't lock. Possible race condition, but we don't want the performance hit.
8211 if (necp_kernel_ip_output_policies_count == 0 ||
8212 (socket_policy_id == NECP_KERNEL_POLICY_ID_NONE && necp_kernel_ip_output_policies_non_id_count == 0 && necp_drop_dest_policy.entry_count == 0)) {
8213 if (necp_drop_all_order > 0) {
8214 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8215 if (result) {
8216 if (necp_output_bypass(packet)) {
8217 *result = NECP_KERNEL_POLICY_RESULT_PASS;
8218 } else {
8219 *result = NECP_KERNEL_POLICY_RESULT_DROP;
8220 }
8221 }
8222 }
8223
8224 return matched_policy_id;
8225 }
8226
8227 // Check for loopback exception
8228 if (necp_output_bypass(packet)) {
8229 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8230 if (result) {
8231 *result = NECP_KERNEL_POLICY_RESULT_PASS;
8232 }
8233 return matched_policy_id;
8234 }
8235
8236 last_interface_index = necp_get_last_interface_index_from_packet(packet);
8237
8238 // Process packet to get relevant fields
8239 ip6 = mtod(packet, struct ip6_hdr *);
8240
8241 if ((flags & IPV6_OUTARGS) && (ip6oa != NULL) &&
8242 (ip6oa->ip6oa_flags & IP6OAF_BOUND_IF) &&
8243 ip6oa->ip6oa_boundif != IFSCOPE_NONE) {
8244 bound_interface_index = ip6oa->ip6oa_boundif;
8245 }
8246
8247 ((struct sockaddr_in6 *)&local_addr)->sin6_family = AF_INET6;
8248 ((struct sockaddr_in6 *)&local_addr)->sin6_len = sizeof(struct sockaddr_in6);
8249 memcpy(&((struct sockaddr_in6 *)&local_addr)->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
8250
8251 ((struct sockaddr_in6 *)&remote_addr)->sin6_family = AF_INET6;
8252 ((struct sockaddr_in6 *)&remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
8253 memcpy(&((struct sockaddr_in6 *)&remote_addr)->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
8254
8255 offset = ip6_lasthdr(packet, 0, IPPROTO_IPV6, &next);
8256 if (offset >= 0 && packet->m_pkthdr.len >= offset) {
8257 protocol = next;
8258 switch (protocol) {
8259 case IPPROTO_TCP: {
8260 struct tcphdr th;
8261 if ((int)(offset + sizeof(th)) <= packet->m_pkthdr.len) {
8262 m_copydata(packet, offset, sizeof(th), (u_int8_t *)&th);
8263 ((struct sockaddr_in6 *)&local_addr)->sin6_port = th.th_sport;
8264 ((struct sockaddr_in6 *)&remote_addr)->sin6_port = th.th_dport;
8265 }
8266 break;
8267 }
8268 case IPPROTO_UDP: {
8269 struct udphdr uh;
8270 if ((int)(offset + sizeof(uh)) <= packet->m_pkthdr.len) {
8271 m_copydata(packet, offset, sizeof(uh), (u_int8_t *)&uh);
8272 ((struct sockaddr_in6 *)&local_addr)->sin6_port = uh.uh_sport;
8273 ((struct sockaddr_in6 *)&remote_addr)->sin6_port = uh.uh_dport;
8274 }
8275 break;
8276 }
8277 default: {
8278 ((struct sockaddr_in6 *)&local_addr)->sin6_port = 0;
8279 ((struct sockaddr_in6 *)&remote_addr)->sin6_port = 0;
8280 break;
8281 }
8282 }
8283 }
8284
8285 // Match packet to policy
8286 lck_rw_lock_shared(&necp_kernel_policy_lock);
8287 u_int32_t route_rule_id = 0;
8288 matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
8289 if (matched_policy) {
8290 matched_policy_id = matched_policy->id;
8291 if (result) {
8292 *result = matched_policy->result;
8293 }
8294
8295 if (result_parameter) {
8296 memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
8297 }
8298
8299 if (route_rule_id != 0 &&
8300 packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
8301 packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
8302 }
8303
8304 if (necp_debug > 1) {
8305 NECPLOG(LOG_DEBUG, "IP6 Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d Route Rule %u", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index, route_rule_id);
8306 }
8307 } else {
8308 bool drop_all = false;
8309 /*
8310 * Apply drop-all only to packets which have never matched a primary policy (check
8311 * if the packet saved policy id is none or falls within the socket policy id range).
8312 */
8313 if (socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP &&
8314 (necp_drop_all_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP)) {
8315 drop_all = true;
8316 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
8317 drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
8318 }
8319 }
8320 if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
8321 matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
8322 if (result) {
8323 *result = NECP_KERNEL_POLICY_RESULT_DROP;
8324 }
8325 } else if (route_rule_id != 0 &&
8326 packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
8327 // If we matched a route rule, mark it
8328 packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
8329 }
8330 }
8331
8332 lck_rw_done(&necp_kernel_policy_lock);
8333
8334 return matched_policy_id;
8335 }
8336
8337 // Utilities
8338 static bool
8339 necp_is_addr_in_range(struct sockaddr *addr, struct sockaddr *range_start, struct sockaddr *range_end)
8340 {
8341 int cmp = 0;
8342
8343 if (addr == NULL || range_start == NULL || range_end == NULL) {
8344 return FALSE;
8345 }
8346
8347 /* Must be greater than or equal to start */
8348 cmp = necp_addr_compare(addr, range_start, 1);
8349 if (cmp != 0 && cmp != 1) {
8350 return FALSE;
8351 }
8352
8353 /* Must be less than or equal to end */
8354 cmp = necp_addr_compare(addr, range_end, 1);
8355 if (cmp != 0 && cmp != -1) {
8356 return FALSE;
8357 }
8358
8359 return TRUE;
8360 }
8361
8362 static bool
8363 necp_is_range_in_range(struct sockaddr *inner_range_start, struct sockaddr *inner_range_end, struct sockaddr *range_start, struct sockaddr *range_end)
8364 {
8365 int cmp = 0;
8366
8367 if (inner_range_start == NULL || inner_range_end == NULL || range_start == NULL || range_end == NULL) {
8368 return FALSE;
8369 }
8370
8371 /* Must be greater than or equal to start */
8372 cmp = necp_addr_compare(inner_range_start, range_start, 1);
8373 if (cmp != 0 && cmp != 1) {
8374 return FALSE;
8375 }
8376
8377 /* Must be less than or equal to end */
8378 cmp = necp_addr_compare(inner_range_end, range_end, 1);
8379 if (cmp != 0 && cmp != -1) {
8380 return FALSE;
8381 }
8382
8383 return TRUE;
8384 }
8385
8386 static bool
8387 necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix)
8388 {
8389 if (addr == NULL || subnet_addr == NULL) {
8390 return FALSE;
8391 }
8392
8393 if (addr->sa_family != subnet_addr->sa_family || addr->sa_len != subnet_addr->sa_len) {
8394 return FALSE;
8395 }
8396
8397 switch (addr->sa_family) {
8398 case AF_INET: {
8399 if (satosin(subnet_addr)->sin_port != 0 &&
8400 satosin(addr)->sin_port != satosin(subnet_addr)->sin_port) {
8401 return FALSE;
8402 }
8403 return necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin(addr)->sin_addr, (u_int8_t *)&satosin(subnet_addr)->sin_addr, subnet_prefix);
8404 }
8405 case AF_INET6: {
8406 if (satosin6(subnet_addr)->sin6_port != 0 &&
8407 satosin6(addr)->sin6_port != satosin6(subnet_addr)->sin6_port) {
8408 return FALSE;
8409 }
8410 if (satosin6(addr)->sin6_scope_id &&
8411 satosin6(subnet_addr)->sin6_scope_id &&
8412 satosin6(addr)->sin6_scope_id != satosin6(subnet_addr)->sin6_scope_id) {
8413 return FALSE;
8414 }
8415 return necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin6(addr)->sin6_addr, (u_int8_t *)&satosin6(subnet_addr)->sin6_addr, subnet_prefix);
8416 }
8417 default: {
8418 return FALSE;
8419 }
8420 }
8421
8422 return FALSE;
8423 }
8424
8425 /*
8426 * Return values:
8427 * -1: sa1 < sa2
8428 * 0: sa1 == sa2
8429 * 1: sa1 > sa2
8430 * 2: Not comparable or error
8431 */
8432 static int
8433 necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port)
8434 {
8435 int result = 0;
8436 int port_result = 0;
8437
8438 if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) {
8439 return 2;
8440 }
8441
8442 if (sa1->sa_len == 0) {
8443 return 0;
8444 }
8445
8446 switch (sa1->sa_family) {
8447 case AF_INET: {
8448 if (sa1->sa_len != sizeof(struct sockaddr_in)) {
8449 return 2;
8450 }
8451
8452 result = memcmp(&satosin(sa1)->sin_addr.s_addr, &satosin(sa2)->sin_addr.s_addr, sizeof(satosin(sa1)->sin_addr.s_addr));
8453
8454 if (check_port) {
8455 if (satosin(sa1)->sin_port < satosin(sa2)->sin_port) {
8456 port_result = -1;
8457 } else if (satosin(sa1)->sin_port > satosin(sa2)->sin_port) {
8458 port_result = 1;
8459 }
8460
8461 if (result == 0) {
8462 result = port_result;
8463 } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
8464 return 2;
8465 }
8466 }
8467
8468 break;
8469 }
8470 case AF_INET6: {
8471 if (sa1->sa_len != sizeof(struct sockaddr_in6)) {
8472 return 2;
8473 }
8474
8475 if (satosin6(sa1)->sin6_scope_id != satosin6(sa2)->sin6_scope_id) {
8476 return 2;
8477 }
8478
8479 result = memcmp(&satosin6(sa1)->sin6_addr.s6_addr[0], &satosin6(sa2)->sin6_addr.s6_addr[0], sizeof(struct in6_addr));
8480
8481 if (check_port) {
8482 if (satosin6(sa1)->sin6_port < satosin6(sa2)->sin6_port) {
8483 port_result = -1;
8484 } else if (satosin6(sa1)->sin6_port > satosin6(sa2)->sin6_port) {
8485 port_result = 1;
8486 }
8487
8488 if (result == 0) {
8489 result = port_result;
8490 } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
8491 return 2;
8492 }
8493 }
8494
8495 break;
8496 }
8497 default: {
8498 result = memcmp(sa1, sa2, sa1->sa_len);
8499 break;
8500 }
8501 }
8502
8503 if (result < 0) {
8504 result = (-1);
8505 } else if (result > 0) {
8506 result = (1);
8507 }
8508
8509 return result;
8510 }
8511
8512 static bool
8513 necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits)
8514 {
8515 u_int8_t mask;
8516
8517 /* Handle null pointers */
8518 if (p1 == NULL || p2 == NULL) {
8519 return p1 == p2;
8520 }
8521
8522 while (bits >= 8) {
8523 if (*p1++ != *p2++) {
8524 return FALSE;
8525 }
8526 bits -= 8;
8527 }
8528
8529 if (bits > 0) {
8530 mask = ~((1 << (8 - bits)) - 1);
8531 if ((*p1 & mask) != (*p2 & mask)) {
8532 return FALSE;
8533 }
8534 }
8535 return TRUE;
8536 }
8537
8538 static bool
8539 necp_addr_is_empty(struct sockaddr *addr)
8540 {
8541 if (addr == NULL) {
8542 return TRUE;
8543 }
8544
8545 if (addr->sa_len == 0) {
8546 return TRUE;
8547 }
8548
8549 switch (addr->sa_family) {
8550 case AF_INET: {
8551 static struct sockaddr_in ipv4_empty_address = {
8552 .sin_len = sizeof(struct sockaddr_in),
8553 .sin_family = AF_INET,
8554 .sin_port = 0,
8555 .sin_addr = { .s_addr = 0 }, // 0.0.0.0
8556 .sin_zero = {0},
8557 };
8558 if (necp_addr_compare(addr, (struct sockaddr *)&ipv4_empty_address, 0) == 0) {
8559 return TRUE;
8560 } else {
8561 return FALSE;
8562 }
8563 }
8564 case AF_INET6: {
8565 static struct sockaddr_in6 ipv6_empty_address = {
8566 .sin6_len = sizeof(struct sockaddr_in6),
8567 .sin6_family = AF_INET6,
8568 .sin6_port = 0,
8569 .sin6_flowinfo = 0,
8570 .sin6_addr = IN6ADDR_ANY_INIT, // ::
8571 .sin6_scope_id = 0,
8572 };
8573 if (necp_addr_compare(addr, (struct sockaddr *)&ipv6_empty_address, 0) == 0) {
8574 return TRUE;
8575 } else {
8576 return FALSE;
8577 }
8578 }
8579 default:
8580 return FALSE;
8581 }
8582
8583 return FALSE;
8584 }
8585
8586 static bool
8587 necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id)
8588 {
8589 bool qos_marking = FALSE;
8590 int exception_index = 0;
8591 struct necp_route_rule *route_rule = NULL;
8592
8593 route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
8594 if (route_rule == NULL) {
8595 qos_marking = FALSE;
8596 goto done;
8597 }
8598
8599 qos_marking = (route_rule->default_action == NECP_ROUTE_RULE_QOS_MARKING) ? TRUE : FALSE;
8600
8601 if (ifp == NULL) {
8602 goto done;
8603 }
8604
8605 for (exception_index = 0; exception_index < MAX_ROUTE_RULE_INTERFACES; exception_index++) {
8606 if (route_rule->exception_if_indices[exception_index] == 0) {
8607 break;
8608 }
8609 if (route_rule->exception_if_actions[exception_index] != NECP_ROUTE_RULE_QOS_MARKING) {
8610 continue;
8611 }
8612 if (route_rule->exception_if_indices[exception_index] == ifp->if_index) {
8613 qos_marking = TRUE;
8614 if (necp_debug > 2) {
8615 NECPLOG(LOG_DEBUG, "QoS Marking : Interface match %d for Rule %d Allowed %d",
8616 route_rule->exception_if_indices[exception_index], route_rule_id, qos_marking);
8617 }
8618 goto done;
8619 }
8620 }
8621
8622 if ((route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CELLULAR(ifp)) ||
8623 (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIFI(ifp)) ||
8624 (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIRED(ifp)) ||
8625 (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_EXPENSIVE(ifp)) ||
8626 (route_rule->constrained_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CONSTRAINED(ifp))) {
8627 qos_marking = TRUE;
8628 if (necp_debug > 2) {
8629 NECPLOG(LOG_DEBUG, "QoS Marking: C:%d WF:%d W:%d E:%d Cn:%d for Rule %d Allowed %d",
8630 route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action,
8631 route_rule->expensive_action, route_rule->constrained_action, route_rule_id, qos_marking);
8632 }
8633 goto done;
8634 }
8635 done:
8636 if (necp_debug > 1) {
8637 NECPLOG(LOG_DEBUG, "QoS Marking: Rule %d ifp %s Allowed %d",
8638 route_rule_id, ifp ? ifp->if_xname : "", qos_marking);
8639 }
8640 return qos_marking;
8641 }
8642
8643 void
8644 necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id)
8645 {
8646 bool qos_marking = FALSE;
8647 struct ifnet *ifp = interface = NULL;
8648
8649 if (net_qos_policy_restricted == 0) {
8650 return;
8651 }
8652 if (inp->inp_socket == NULL) {
8653 return;
8654 }
8655 if ((inp->inp_socket->so_flags1 & SOF1_QOSMARKING_POLICY_OVERRIDE)) {
8656 return;
8657 }
8658 /*
8659 * This is racy but we do not need the performance hit of taking necp_kernel_policy_lock
8660 */
8661 if (inp->inp_policyresult.results.qos_marking_gencount == necp_kernel_socket_policies_gencount) {
8662 return;
8663 }
8664
8665 lck_rw_lock_shared(&necp_kernel_policy_lock);
8666
8667 if (ifp == NULL && route != NULL) {
8668 ifp = route->rt_ifp;
8669 }
8670 /*
8671 * By default, until we have a interface, do not mark and reevaluate the Qos marking policy
8672 */
8673 if (ifp == NULL || route_rule_id == 0) {
8674 qos_marking = FALSE;
8675 goto done;
8676 }
8677
8678 if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
8679 struct necp_aggregate_route_rule *aggregate_route_rule = necp_lookup_aggregate_route_rule_locked(route_rule_id);
8680 if (aggregate_route_rule != NULL) {
8681 int index = 0;
8682 for (index = 0; index < MAX_AGGREGATE_ROUTE_RULES; index++) {
8683 u_int32_t sub_route_rule_id = aggregate_route_rule->rule_ids[index];
8684 if (sub_route_rule_id == 0) {
8685 break;
8686 }
8687 qos_marking = necp_update_qos_marking(ifp, sub_route_rule_id);
8688 if (qos_marking == TRUE) {
8689 break;
8690 }
8691 }
8692 }
8693 } else {
8694 qos_marking = necp_update_qos_marking(ifp, route_rule_id);
8695 }
8696 /*
8697 * Now that we have an interface we remember the gencount
8698 */
8699 inp->inp_policyresult.results.qos_marking_gencount = necp_kernel_socket_policies_gencount;
8700
8701 done:
8702 lck_rw_done(&necp_kernel_policy_lock);
8703
8704 if (qos_marking == TRUE) {
8705 inp->inp_socket->so_flags1 |= SOF1_QOSMARKING_ALLOWED;
8706 } else {
8707 inp->inp_socket->so_flags1 &= ~SOF1_QOSMARKING_ALLOWED;
8708 }
8709 }
8710
8711 static bool
8712 necp_route_is_lqm_abort(struct ifnet *ifp, struct ifnet *delegated_ifp)
8713 {
8714 if (ifp != NULL &&
8715 (ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
8716 ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
8717 return true;
8718 }
8719 if (delegated_ifp != NULL &&
8720 (delegated_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
8721 delegated_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
8722 return true;
8723 }
8724 return false;
8725 }
8726
8727 static bool
8728 necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
8729 {
8730 bool default_is_allowed = TRUE;
8731 u_int8_t type_aggregate_action = NECP_ROUTE_RULE_NONE;
8732 int exception_index = 0;
8733 struct ifnet *delegated_ifp = NULL;
8734 struct necp_route_rule *route_rule = NULL;
8735
8736 route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
8737 if (route_rule == NULL) {
8738 return TRUE;
8739 }
8740
8741 default_is_allowed = (route_rule->default_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
8742 if (ifp == NULL) {
8743 ifp = route->rt_ifp;
8744 }
8745 if (ifp == NULL) {
8746 if (necp_debug > 1 && !default_is_allowed) {
8747 NECPLOG(LOG_DEBUG, "Route Allowed: No interface for route, using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
8748 }
8749 return default_is_allowed;
8750 }
8751
8752 delegated_ifp = ifp->if_delegated.ifp;
8753 for (exception_index = 0; exception_index < MAX_ROUTE_RULE_INTERFACES; exception_index++) {
8754 if (route_rule->exception_if_indices[exception_index] == 0) {
8755 break;
8756 }
8757 if (route_rule->exception_if_indices[exception_index] == ifp->if_index ||
8758 (delegated_ifp != NULL && route_rule->exception_if_indices[exception_index] == delegated_ifp->if_index)) {
8759 if (route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8760 const bool lqm_abort = necp_route_is_lqm_abort(ifp, delegated_ifp);
8761 if (necp_debug > 1 && lqm_abort) {
8762 NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Deny LQM Abort",
8763 route_rule->exception_if_indices[exception_index], route_rule_id);
8764 }
8765 return false;
8766 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->exception_if_actions[exception_index])) {
8767 if (necp_debug > 1) {
8768 NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Allowed %d", route_rule->exception_if_indices[exception_index], route_rule_id, ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
8769 }
8770 return (route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
8771 }
8772 }
8773 }
8774
8775 if (IFNET_IS_CELLULAR(ifp)) {
8776 if (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8777 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8778 if (interface_type_denied != NULL) {
8779 *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
8780 }
8781 // Mark aggregate action as deny
8782 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8783 }
8784 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->cellular_action)) {
8785 if (interface_type_denied != NULL) {
8786 *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
8787 }
8788 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8789 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8790 route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8791 // Deny wins if there is a conflict
8792 type_aggregate_action = route_rule->cellular_action;
8793 }
8794 }
8795 }
8796
8797 if (IFNET_IS_WIFI(ifp)) {
8798 if (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8799 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8800 if (interface_type_denied != NULL) {
8801 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
8802 }
8803 // Mark aggregate action as deny
8804 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8805 }
8806 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wifi_action)) {
8807 if (interface_type_denied != NULL) {
8808 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
8809 }
8810 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8811 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8812 route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8813 // Deny wins if there is a conflict
8814 type_aggregate_action = route_rule->wifi_action;
8815 }
8816 }
8817 }
8818
8819 if (IFNET_IS_WIRED(ifp)) {
8820 if (route_rule->wired_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8821 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8822 if (interface_type_denied != NULL) {
8823 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
8824 }
8825 // Mark aggregate action as deny
8826 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8827 }
8828 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wired_action)) {
8829 if (interface_type_denied != NULL) {
8830 *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
8831 }
8832 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8833 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8834 route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8835 // Deny wins if there is a conflict
8836 type_aggregate_action = route_rule->wired_action;
8837 }
8838 }
8839 }
8840
8841 if (IFNET_IS_EXPENSIVE(ifp)) {
8842 if (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8843 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8844 // Mark aggregate action as deny
8845 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8846 }
8847 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->expensive_action)) {
8848 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8849 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8850 route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8851 // Deny wins if there is a conflict
8852 type_aggregate_action = route_rule->expensive_action;
8853 }
8854 }
8855 }
8856
8857 if (IFNET_IS_CONSTRAINED(ifp)) {
8858 if (route_rule->constrained_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
8859 if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
8860 // Mark aggregate action as deny
8861 type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
8862 }
8863 } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->constrained_action)) {
8864 if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
8865 (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
8866 route_rule->constrained_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
8867 // Deny wins if there is a conflict
8868 type_aggregate_action = route_rule->constrained_action;
8869 }
8870 }
8871 }
8872
8873 if (type_aggregate_action != NECP_ROUTE_RULE_NONE) {
8874 if (necp_debug > 1) {
8875 NECPLOG(LOG_DEBUG, "Route Allowed: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d", route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action, route_rule->expensive_action, route_rule_id, ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
8876 }
8877 return (type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
8878 }
8879
8880 if (necp_debug > 1 && !default_is_allowed) {
8881 NECPLOG(LOG_DEBUG, "Route Allowed: Using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
8882 }
8883 return default_is_allowed;
8884 }
8885
8886 static bool
8887 necp_route_is_allowed(struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
8888 {
8889 if ((route == NULL && interface == NULL) || route_rule_id == 0) {
8890 if (necp_debug > 1) {
8891 NECPLOG(LOG_DEBUG, "Route Allowed: no route or interface, Rule %d Allowed %d", route_rule_id, TRUE);
8892 }
8893 return TRUE;
8894 }
8895
8896 if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
8897 struct necp_aggregate_route_rule *aggregate_route_rule = necp_lookup_aggregate_route_rule_locked(route_rule_id);
8898 if (aggregate_route_rule != NULL) {
8899 int index = 0;
8900 for (index = 0; index < MAX_AGGREGATE_ROUTE_RULES; index++) {
8901 u_int32_t sub_route_rule_id = aggregate_route_rule->rule_ids[index];
8902 if (sub_route_rule_id == 0) {
8903 break;
8904 }
8905 if (!necp_route_is_allowed_inner(route, interface, sub_route_rule_id, interface_type_denied)) {
8906 return FALSE;
8907 }
8908 }
8909 }
8910 } else {
8911 return necp_route_is_allowed_inner(route, interface, route_rule_id, interface_type_denied);
8912 }
8913
8914 return TRUE;
8915 }
8916
8917 bool
8918 necp_packet_is_allowed_over_interface(struct mbuf *packet, struct ifnet *interface)
8919 {
8920 bool is_allowed = TRUE;
8921 u_int32_t route_rule_id = necp_get_route_rule_id_from_packet(packet);
8922 if (route_rule_id != 0 &&
8923 interface != NULL) {
8924 lck_rw_lock_shared(&necp_kernel_policy_lock);
8925 is_allowed = necp_route_is_allowed(NULL, interface, necp_get_route_rule_id_from_packet(packet), NULL);
8926 lck_rw_done(&necp_kernel_policy_lock);
8927 }
8928 return is_allowed;
8929 }
8930
8931 static bool
8932 necp_netagents_allow_traffic(u_int32_t *netagent_ids, size_t netagent_id_count)
8933 {
8934 size_t netagent_cursor;
8935 for (netagent_cursor = 0; netagent_cursor < netagent_id_count; netagent_cursor++) {
8936 struct necp_uuid_id_mapping *mapping = NULL;
8937 u_int32_t netagent_id = netagent_ids[netagent_cursor];
8938 if (netagent_id == 0) {
8939 break;
8940 }
8941 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
8942 if (mapping != NULL) {
8943 u_int32_t agent_flags = 0;
8944 agent_flags = netagent_get_flags(mapping->uuid);
8945 if (agent_flags & NETAGENT_FLAG_REGISTERED) {
8946 if (agent_flags & NETAGENT_FLAG_ACTIVE) {
8947 continue;
8948 } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
8949 return FALSE;
8950 }
8951 }
8952 }
8953 }
8954 return TRUE;
8955 }
8956
8957 static bool
8958 necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
8959 {
8960 u_int32_t verifyifindex = interface ? interface->if_index : 0;
8961 bool allowed_to_receive = TRUE;
8962 struct necp_socket_info info;
8963 u_int32_t flowhash = 0;
8964 necp_kernel_policy_result service_action = 0;
8965 necp_kernel_policy_service service = { 0, 0 };
8966 u_int32_t route_rule_id = 0;
8967 struct rtentry *route = NULL;
8968 u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
8969 necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
8970 necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
8971 u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
8972 memset(&netagent_ids, 0, sizeof(netagent_ids));
8973
8974 if (return_policy_id) {
8975 *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8976 }
8977 if (return_skip_policy_id) {
8978 *return_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
8979 }
8980 if (return_route_rule_id) {
8981 *return_route_rule_id = 0;
8982 }
8983
8984 if (inp == NULL) {
8985 goto done;
8986 }
8987
8988 route = inp->inp_route.ro_rt;
8989
8990 struct socket *so = inp->inp_socket;
8991
8992 u_int32_t drop_order = necp_process_drop_order(so->so_cred);
8993
8994 // Don't lock. Possible race condition, but we don't want the performance hit.
8995 if (necp_kernel_socket_policies_count == 0 ||
8996 (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
8997 if (necp_drop_all_order > 0 || drop_order > 0) {
8998 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
8999 allowed_to_receive = TRUE;
9000 } else {
9001 allowed_to_receive = FALSE;
9002 }
9003 }
9004 goto done;
9005 }
9006
9007 // If this socket is connected, or we are not taking addresses into account, try to reuse last result
9008 if ((necp_socket_is_connected(inp) || (override_local_addr == NULL && override_remote_addr == NULL)) && inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE) {
9009 bool policies_have_changed = FALSE;
9010 bool route_allowed = TRUE;
9011
9012 if (inp->inp_policyresult.policy_gencount != necp_kernel_socket_policies_gencount) {
9013 policies_have_changed = TRUE;
9014 } else {
9015 if (inp->inp_policyresult.results.route_rule_id != 0) {
9016 lck_rw_lock_shared(&necp_kernel_policy_lock);
9017 if (!necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied)) {
9018 route_allowed = FALSE;
9019 }
9020 lck_rw_done(&necp_kernel_policy_lock);
9021 }
9022 }
9023
9024 if (!policies_have_changed) {
9025 if (!route_allowed ||
9026 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
9027 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
9028 (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
9029 inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex)) {
9030 allowed_to_receive = FALSE;
9031 } else {
9032 if (return_policy_id) {
9033 *return_policy_id = inp->inp_policyresult.policy_id;
9034 }
9035 if (return_skip_policy_id) {
9036 *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
9037 }
9038 if (return_route_rule_id) {
9039 *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
9040 }
9041 }
9042 goto done;
9043 }
9044 }
9045
9046 // Check for loopback exception
9047 if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
9048 allowed_to_receive = TRUE;
9049 goto done;
9050 }
9051
9052 // Actually calculate policy result
9053 lck_rw_lock_shared(&necp_kernel_policy_lock);
9054 necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, 0, drop_order, &info);
9055
9056 flowhash = necp_socket_calc_flowhash_locked(&info);
9057 if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
9058 inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
9059 inp->inp_policyresult.flowhash == flowhash) {
9060 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
9061 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
9062 (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
9063 inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex) ||
9064 (inp->inp_policyresult.results.route_rule_id != 0 &&
9065 !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied))) {
9066 allowed_to_receive = FALSE;
9067 } else {
9068 if (return_policy_id) {
9069 *return_policy_id = inp->inp_policyresult.policy_id;
9070 }
9071 if (return_route_rule_id) {
9072 *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
9073 }
9074 if (return_skip_policy_id) {
9075 *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
9076 }
9077 }
9078 lck_rw_done(&necp_kernel_policy_lock);
9079 goto done;
9080 }
9081
9082 u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
9083 size_t route_rule_id_array_count = 0;
9084 struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, NULL, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, current_proc(), return_skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass);
9085
9086 if (route_rule_id_array_count == 1) {
9087 route_rule_id = route_rule_id_array[0];
9088 } else if (route_rule_id_array_count > 1) {
9089 route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
9090 }
9091
9092 if (matched_policy != NULL) {
9093 if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
9094 matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
9095 (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
9096 matched_policy->result_parameter.tunnel_interface_index != verifyifindex) ||
9097 ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
9098 service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
9099 service.identifier != 0 && service.identifier != NECP_NULL_SERVICE_ID) ||
9100 (route_rule_id != 0 &&
9101 !necp_route_is_allowed(route, interface, route_rule_id, &interface_type_denied)) ||
9102 !necp_netagents_allow_traffic(netagent_ids, NECP_MAX_NETAGENTS)) {
9103 allowed_to_receive = FALSE;
9104 } else {
9105 if (return_policy_id) {
9106 *return_policy_id = matched_policy->id;
9107 }
9108 if (return_route_rule_id) {
9109 *return_route_rule_id = route_rule_id;
9110 }
9111 }
9112 lck_rw_done(&necp_kernel_policy_lock);
9113
9114 if (necp_debug > 1 && matched_policy->id != inp->inp_policyresult.policy_id) {
9115 NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
9116 }
9117 goto done;
9118 } else {
9119 bool drop_all = false;
9120 if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
9121 drop_all = true;
9122 if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
9123 drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
9124 }
9125 }
9126 if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
9127 allowed_to_receive = FALSE;
9128 } else {
9129 if (return_policy_id) {
9130 *return_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
9131 }
9132 if (return_route_rule_id) {
9133 *return_route_rule_id = route_rule_id;
9134 }
9135 }
9136 }
9137
9138 lck_rw_done(&necp_kernel_policy_lock);
9139
9140 done:
9141 if (!allowed_to_receive && interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
9142 soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
9143 }
9144
9145 return allowed_to_receive;
9146 }
9147
9148 bool
9149 necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
9150 {
9151 struct sockaddr_in local = {};
9152 struct sockaddr_in remote = {};
9153 local.sin_family = remote.sin_family = AF_INET;
9154 local.sin_len = remote.sin_len = sizeof(struct sockaddr_in);
9155 local.sin_port = local_port;
9156 remote.sin_port = remote_port;
9157 memcpy(&local.sin_addr, local_addr, sizeof(local.sin_addr));
9158 memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
9159
9160 return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
9161 return_policy_id, return_route_rule_id, return_skip_policy_id);
9162 }
9163
9164 bool
9165 necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
9166 {
9167 struct sockaddr_in6 local = {};
9168 struct sockaddr_in6 remote = {};
9169 local.sin6_family = remote.sin6_family = AF_INET6;
9170 local.sin6_len = remote.sin6_len = sizeof(struct sockaddr_in6);
9171 local.sin6_port = local_port;
9172 remote.sin6_port = remote_port;
9173 memcpy(&local.sin6_addr, local_addr, sizeof(local.sin6_addr));
9174 memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
9175
9176 return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
9177 return_policy_id, return_route_rule_id, return_skip_policy_id);
9178 }
9179
9180 bool
9181 necp_socket_is_allowed_to_send_recv(struct inpcb *inp, ifnet_t interface, necp_kernel_policy_id *return_policy_id,
9182 u_int32_t *return_route_rule_id,
9183 necp_kernel_policy_id *return_skip_policy_id)
9184 {
9185 return necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, interface,
9186 return_policy_id, return_route_rule_id,
9187 return_skip_policy_id);
9188 }
9189
9190 int
9191 necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id,
9192 necp_kernel_policy_id skip_policy_id)
9193 {
9194 if (packet == NULL || inp == NULL || !(packet->m_flags & M_PKTHDR)) {
9195 return EINVAL;
9196 }
9197
9198 // Mark ID for Pass and IP Tunnel
9199 if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
9200 packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
9201 } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS ||
9202 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
9203 packet->m_pkthdr.necp_mtag.necp_policy_id = inp->inp_policyresult.policy_id;
9204 } else {
9205 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
9206 }
9207 packet->m_pkthdr.necp_mtag.necp_last_interface_index = 0;
9208 if (route_rule_id != 0) {
9209 packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
9210 } else {
9211 packet->m_pkthdr.necp_mtag.necp_route_rule_id = inp->inp_policyresult.results.route_rule_id;
9212 }
9213 packet->m_pkthdr.necp_mtag.necp_app_id = inp->inp_policyresult.app_id;
9214
9215 if (skip_policy_id != NECP_KERNEL_POLICY_ID_NONE &&
9216 skip_policy_id != NECP_KERNEL_POLICY_ID_NO_MATCH) {
9217 // Only mark the skip policy if it is a valid policy ID
9218 packet->m_pkthdr.necp_mtag.necp_skip_policy_id = skip_policy_id;
9219 } else if (inp->inp_policyresult.results.filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
9220 // Overload the meaning of "NECP_KERNEL_POLICY_ID_NO_MATCH"
9221 // to indicate that NECP_FILTER_UNIT_NO_FILTER was set
9222 // See necp_get_skip_policy_id_from_packet() and
9223 // necp_packet_should_skip_filters().
9224 packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
9225 } else {
9226 packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
9227 }
9228
9229 return 0;
9230 }
9231
9232 int
9233 necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
9234 {
9235 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9236 return EINVAL;
9237 }
9238
9239 // Mark ID for Pass and IP Tunnel
9240 if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
9241 packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
9242 } else {
9243 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
9244 }
9245
9246 return 0;
9247 }
9248
9249 int
9250 necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
9251 {
9252 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9253 return EINVAL;
9254 }
9255
9256 // Mark ID for Pass and IP Tunnel
9257 if (interface != NULL) {
9258 packet->m_pkthdr.necp_mtag.necp_last_interface_index = interface->if_index;
9259 }
9260
9261 return 0;
9262 }
9263
9264 int
9265 necp_mark_packet_as_keepalive(struct mbuf *packet, bool is_keepalive)
9266 {
9267 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9268 return EINVAL;
9269 }
9270
9271 if (is_keepalive) {
9272 packet->m_pkthdr.pkt_flags |= PKTF_KEEPALIVE;
9273 } else {
9274 packet->m_pkthdr.pkt_flags &= ~PKTF_KEEPALIVE;
9275 }
9276
9277 return 0;
9278 }
9279
9280 necp_kernel_policy_id
9281 necp_get_policy_id_from_packet(struct mbuf *packet)
9282 {
9283 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9284 return NECP_KERNEL_POLICY_ID_NONE;
9285 }
9286
9287 return packet->m_pkthdr.necp_mtag.necp_policy_id;
9288 }
9289
9290 necp_kernel_policy_id
9291 necp_get_skip_policy_id_from_packet(struct mbuf *packet)
9292 {
9293 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9294 return NECP_KERNEL_POLICY_ID_NONE;
9295 }
9296
9297 // Check for overloaded value. See necp_mark_packet_from_socket().
9298 if (packet->m_pkthdr.necp_mtag.necp_skip_policy_id == NECP_KERNEL_POLICY_ID_NO_MATCH) {
9299 return NECP_KERNEL_POLICY_ID_NONE;
9300 }
9301
9302 return packet->m_pkthdr.necp_mtag.necp_skip_policy_id;
9303 }
9304
9305 bool
9306 necp_packet_should_skip_filters(struct mbuf *packet)
9307 {
9308 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9309 return false;
9310 }
9311
9312 // Check for overloaded value. See necp_mark_packet_from_socket().
9313 return packet->m_pkthdr.necp_mtag.necp_skip_policy_id == NECP_KERNEL_POLICY_ID_NO_MATCH;
9314 }
9315
9316 u_int32_t
9317 necp_get_last_interface_index_from_packet(struct mbuf *packet)
9318 {
9319 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9320 return 0;
9321 }
9322
9323 return packet->m_pkthdr.necp_mtag.necp_last_interface_index;
9324 }
9325
9326 u_int32_t
9327 necp_get_route_rule_id_from_packet(struct mbuf *packet)
9328 {
9329 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9330 return 0;
9331 }
9332
9333 return packet->m_pkthdr.necp_mtag.necp_route_rule_id;
9334 }
9335
9336 int
9337 necp_get_app_uuid_from_packet(struct mbuf *packet,
9338 uuid_t app_uuid)
9339 {
9340 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9341 return EINVAL;
9342 }
9343
9344 bool found_mapping = FALSE;
9345 if (packet->m_pkthdr.necp_mtag.necp_app_id != 0) {
9346 lck_rw_lock_shared(&necp_kernel_policy_lock);
9347 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(packet->m_pkthdr.necp_mtag.necp_app_id);
9348 if (entry != NULL) {
9349 uuid_copy(app_uuid, entry->uuid);
9350 found_mapping = true;
9351 }
9352 lck_rw_done(&necp_kernel_policy_lock);
9353 }
9354 if (!found_mapping) {
9355 uuid_clear(app_uuid);
9356 }
9357 return 0;
9358 }
9359
9360 bool
9361 necp_get_is_keepalive_from_packet(struct mbuf *packet)
9362 {
9363 if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
9364 return FALSE;
9365 }
9366
9367 return packet->m_pkthdr.pkt_flags & PKTF_KEEPALIVE;
9368 }
9369
9370 u_int32_t
9371 necp_socket_get_content_filter_control_unit(struct socket *so)
9372 {
9373 struct inpcb *inp = sotoinpcb(so);
9374
9375 if (inp == NULL) {
9376 return 0;
9377 }
9378 return inp->inp_policyresult.results.filter_control_unit;
9379 }
9380
9381 bool
9382 necp_socket_should_use_flow_divert(struct inpcb *inp)
9383 {
9384 if (inp == NULL) {
9385 return FALSE;
9386 }
9387
9388 return inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT;
9389 }
9390
9391 u_int32_t
9392 necp_socket_get_flow_divert_control_unit(struct inpcb *inp)
9393 {
9394 if (inp == NULL) {
9395 return 0;
9396 }
9397
9398 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
9399 return inp->inp_policyresult.results.result_parameter.flow_divert_control_unit;
9400 }
9401
9402 return 0;
9403 }
9404
9405 bool
9406 necp_socket_should_rescope(struct inpcb *inp)
9407 {
9408 if (inp == NULL) {
9409 return FALSE;
9410 }
9411
9412 return inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED ||
9413 inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT;
9414 }
9415
9416 u_int
9417 necp_socket_get_rescope_if_index(struct inpcb *inp)
9418 {
9419 if (inp == NULL) {
9420 return 0;
9421 }
9422
9423 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
9424 return inp->inp_policyresult.results.result_parameter.scoped_interface_index;
9425 } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
9426 return necp_get_primary_direct_interface_index();
9427 }
9428
9429 return 0;
9430 }
9431
9432 u_int32_t
9433 necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
9434 {
9435 if (inp == NULL) {
9436 return current_mtu;
9437 }
9438
9439 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
9440 (inp->inp_flags & INP_BOUND_IF) &&
9441 inp->inp_boundifp) {
9442 u_int bound_interface_index = inp->inp_boundifp->if_index;
9443 u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
9444
9445 // The result is IP Tunnel, and is rescoping from one interface to another. Recalculate MTU.
9446 if (bound_interface_index != tunnel_interface_index) {
9447 ifnet_t tunnel_interface = NULL;
9448
9449 ifnet_head_lock_shared();
9450 tunnel_interface = ifindex2ifnet[tunnel_interface_index];
9451 ifnet_head_done();
9452
9453 if (tunnel_interface != NULL) {
9454 u_int32_t direct_tunnel_mtu = tunnel_interface->if_mtu;
9455 u_int32_t delegate_tunnel_mtu = (tunnel_interface->if_delegated.ifp != NULL) ? tunnel_interface->if_delegated.ifp->if_mtu : 0;
9456 if (delegate_tunnel_mtu != 0 &&
9457 strncmp(tunnel_interface->if_name, "ipsec", strlen("ipsec")) == 0) {
9458 // For ipsec interfaces, calculate the overhead from the delegate interface
9459 u_int32_t tunnel_overhead = (u_int32_t)(esp_hdrsiz(NULL) + sizeof(struct ip6_hdr));
9460 if (delegate_tunnel_mtu > tunnel_overhead) {
9461 delegate_tunnel_mtu -= tunnel_overhead;
9462 }
9463
9464 if (delegate_tunnel_mtu < direct_tunnel_mtu) {
9465 // If the (delegate - overhead) < direct, return (delegate - overhead)
9466 return delegate_tunnel_mtu;
9467 } else {
9468 // Otherwise return direct
9469 return direct_tunnel_mtu;
9470 }
9471 } else {
9472 // For non-ipsec interfaces, just return the tunnel MTU
9473 return direct_tunnel_mtu;
9474 }
9475 }
9476 }
9477 }
9478
9479 // By default, just return the MTU passed in
9480 return current_mtu;
9481 }
9482
9483 ifnet_t
9484 necp_get_ifnet_from_result_parameter(necp_kernel_policy_result_parameter *result_parameter)
9485 {
9486 if (result_parameter == NULL) {
9487 return NULL;
9488 }
9489
9490 return ifindex2ifnet[result_parameter->tunnel_interface_index];
9491 }
9492
9493 bool
9494 necp_packet_can_rebind_to_ifnet(struct mbuf *packet, struct ifnet *interface, struct route *new_route, int family)
9495 {
9496 bool found_match = FALSE;
9497 errno_t result = 0;
9498 ifaddr_t *addresses = NULL;
9499 union necp_sockaddr_union address_storage;
9500 int i;
9501
9502 if (packet == NULL || interface == NULL || new_route == NULL || (family != AF_INET && family != AF_INET6)) {
9503 return FALSE;
9504 }
9505
9506 result = ifnet_get_address_list_family(interface, &addresses, family);
9507 if (result != 0) {
9508 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
9509 return FALSE;
9510 }
9511
9512 for (i = 0; addresses[i] != NULL; i++) {
9513 ROUTE_RELEASE(new_route);
9514 if (ifaddr_address(addresses[i], &address_storage.sa, sizeof(address_storage)) == 0) {
9515 if (family == AF_INET) {
9516 struct ip *ip = mtod(packet, struct ip *);
9517 if (memcmp(&address_storage.sin.sin_addr, &ip->ip_src, sizeof(ip->ip_src)) == 0) {
9518 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)&new_route->ro_dst;
9519 dst4->sin_family = AF_INET;
9520 dst4->sin_len = sizeof(struct sockaddr_in);
9521 dst4->sin_addr = ip->ip_dst;
9522 rtalloc_scoped(new_route, interface->if_index);
9523 if (!ROUTE_UNUSABLE(new_route)) {
9524 found_match = TRUE;
9525 goto done;
9526 }
9527 }
9528 } else if (family == AF_INET6) {
9529 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
9530 if (memcmp(&address_storage.sin6.sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)) == 0) {
9531 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)&new_route->ro_dst;
9532 dst6->sin6_family = AF_INET6;
9533 dst6->sin6_len = sizeof(struct sockaddr_in6);
9534 dst6->sin6_addr = ip6->ip6_dst;
9535 rtalloc_scoped(new_route, interface->if_index);
9536 if (!ROUTE_UNUSABLE(new_route)) {
9537 found_match = TRUE;
9538 goto done;
9539 }
9540 }
9541 }
9542 }
9543 }
9544
9545 done:
9546 ifnet_free_address_list(addresses);
9547 addresses = NULL;
9548 return found_match;
9549 }
9550
9551 static bool
9552 necp_addr_is_loopback(struct sockaddr *address)
9553 {
9554 if (address == NULL) {
9555 return FALSE;
9556 }
9557
9558 if (address->sa_family == AF_INET) {
9559 return ntohl(((struct sockaddr_in *)(void *)address)->sin_addr.s_addr) == INADDR_LOOPBACK;
9560 } else if (address->sa_family == AF_INET6) {
9561 return IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)(void *)address)->sin6_addr);
9562 }
9563
9564 return FALSE;
9565 }
9566
9567 static bool
9568 necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet, u_int32_t bound_interface_index)
9569 {
9570 // Note: This function only checks for the loopback addresses.
9571 // In the future, we may want to expand to also allow any traffic
9572 // going through the loopback interface, but until then, this
9573 // check is cheaper.
9574
9575 if (local_addr != NULL && necp_addr_is_loopback(local_addr)) {
9576 return TRUE;
9577 }
9578
9579 if (remote_addr != NULL && necp_addr_is_loopback(remote_addr)) {
9580 return TRUE;
9581 }
9582
9583 if (inp != NULL) {
9584 if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp && (inp->inp_boundifp->if_flags & IFF_LOOPBACK)) {
9585 return TRUE;
9586 }
9587 if (inp->inp_vflag & INP_IPV4) {
9588 if (ntohl(inp->inp_laddr.s_addr) == INADDR_LOOPBACK ||
9589 ntohl(inp->inp_faddr.s_addr) == INADDR_LOOPBACK) {
9590 return TRUE;
9591 }
9592 } else if (inp->inp_vflag & INP_IPV6) {
9593 if (IN6_IS_ADDR_LOOPBACK(&inp->in6p_laddr) ||
9594 IN6_IS_ADDR_LOOPBACK(&inp->in6p_faddr)) {
9595 return TRUE;
9596 }
9597 }
9598 } else if (bound_interface_index != IFSCOPE_NONE && lo_ifp->if_index == bound_interface_index) {
9599 return TRUE;
9600 }
9601
9602 if (packet != NULL) {
9603 struct ip *ip = mtod(packet, struct ip *);
9604 if (ip->ip_v == 4) {
9605 if (ntohl(ip->ip_src.s_addr) == INADDR_LOOPBACK) {
9606 return TRUE;
9607 }
9608 if (ntohl(ip->ip_dst.s_addr) == INADDR_LOOPBACK) {
9609 return TRUE;
9610 }
9611 } else if (ip->ip_v == 6) {
9612 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
9613 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)) {
9614 return TRUE;
9615 }
9616 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
9617 return TRUE;
9618 }
9619 }
9620 }
9621
9622 return FALSE;
9623 }
9624
9625 static bool
9626 necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet)
9627 {
9628 if (inp != NULL) {
9629 if (!(inp->inp_vflag & INP_IPV6)) {
9630 return false;
9631 }
9632 if (INP_INTCOPROC_ALLOWED(inp)) {
9633 return true;
9634 }
9635 if ((inp->inp_flags & INP_BOUND_IF) &&
9636 IFNET_IS_INTCOPROC(inp->inp_boundifp)) {
9637 return true;
9638 }
9639 return false;
9640 }
9641 if (packet != NULL) {
9642 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
9643 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION &&
9644 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst) &&
9645 ip6->ip6_dst.s6_addr32[2] == ntohl(0xaede48ff) &&
9646 ip6->ip6_dst.s6_addr32[3] == ntohl(0xfe334455)) {
9647 return true;
9648 }
9649 }
9650
9651 return false;
9652 }
9653
9654 static bool
9655 necp_address_matches_drop_dest_policy(union necp_sockaddr_union *sau, u_int32_t session_order)
9656 {
9657 char dest_str[MAX_IPv6_STR_LEN];
9658
9659 if (necp_drop_dest_debug > 0) {
9660 if (sau->sa.sa_family == AF_INET) {
9661 (void) inet_ntop(AF_INET, &sau->sin.sin_addr, dest_str, sizeof(dest_str));
9662 } else if (sau->sa.sa_family == AF_INET6) {
9663 (void) inet_ntop(AF_INET6, &sau->sin6.sin6_addr, dest_str, sizeof(dest_str));
9664 } else {
9665 dest_str[0] = 0;
9666 }
9667 }
9668 for (u_int32_t i = 0; i < necp_drop_dest_policy.entry_count; i++) {
9669 struct necp_drop_dest_entry *necp_drop_dest_entry = &necp_drop_dest_policy.entries[i];
9670 struct necp_policy_condition_addr *npca = &necp_drop_dest_entry->cond_addr;
9671
9672 if (session_order >= necp_drop_dest_entry->order && necp_is_addr_in_subnet(&sau->sa, &npca->address.sa, npca->prefix)) {
9673 if (necp_drop_dest_debug > 0) {
9674 char subnet_str[MAX_IPv6_STR_LEN];
9675 struct proc *p = current_proc();
9676 pid_t pid = proc_pid(p);
9677
9678 if (sau->sa.sa_family == AF_INET) {
9679 (void) inet_ntop(AF_INET, &npca->address.sin, subnet_str, sizeof(subnet_str));
9680 os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s matches %s/%u", __func__, proc_best_name(p), pid, dest_str, subnet_str, npca->prefix);
9681 } else if (sau->sa.sa_family == AF_INET6) {
9682 (void) inet_ntop(AF_INET6, &npca->address.sin6, subnet_str, sizeof(subnet_str));
9683 os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s matches %s/%u", __func__, proc_best_name(p), pid, dest_str, subnet_str, npca->prefix);
9684 }
9685 }
9686 return true;
9687 }
9688 }
9689 if (necp_drop_dest_debug > 1) {
9690 struct proc *p = current_proc();
9691 pid_t pid = proc_pid(p);
9692
9693 os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s no match", __func__, proc_best_name(p), pid, dest_str);
9694 }
9695 return false;
9696 }
9697
9698 static int
9699 sysctl_handle_necp_drop_dest_level SYSCTL_HANDLER_ARGS
9700 {
9701 #pragma unused(arg1, arg2, oidp)
9702 int changed = 0;
9703 int error = 0;
9704 struct necp_drop_dest_policy tmp_drop_dest_policy;
9705 struct proc *p = current_proc();
9706 pid_t pid = proc_pid(p);
9707
9708 if (req->newptr != USER_ADDR_NULL && proc_suser(current_proc()) != 0 &&
9709 priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0) != 0) {
9710 NECPLOG(LOG_ERR, "%s (process %s:%u) not permitted", __func__, proc_best_name(p), pid);
9711 return EPERM;
9712 }
9713 if (req->newptr != USER_ADDR_NULL && req->newlen != sizeof(struct necp_drop_dest_policy)) {
9714 NECPLOG(LOG_ERR, "%s (process %s:%u) bad newlen %lu", __func__, proc_best_name(p), pid, req->newlen);
9715 return EINVAL;
9716 }
9717
9718 memcpy(&tmp_drop_dest_policy, &necp_drop_dest_policy, sizeof(struct necp_drop_dest_policy));
9719 error = sysctl_io_opaque(req, &tmp_drop_dest_policy, sizeof(struct necp_drop_dest_policy), &changed);
9720 if (error != 0) {
9721 NECPLOG(LOG_ERR, "%s (process %s:%u) sysctl_io_opaque() error %d", __func__, proc_best_name(p), pid, error);
9722 return error;
9723 }
9724 if (changed == 0 || req->newptr == USER_ADDR_NULL) {
9725 return error;
9726 }
9727
9728 //
9729 // Validate the passed parameters
9730 //
9731 if (tmp_drop_dest_policy.entry_count >= MAX_NECP_DROP_DEST_LEVEL_ADDRS) {
9732 NECPLOG(LOG_ERR, "%s (process %s:%u) bad entry_count %u", __func__, proc_best_name(p), pid, tmp_drop_dest_policy.entry_count);
9733 return EINVAL;
9734 }
9735 for (u_int32_t i = 0; i < tmp_drop_dest_policy.entry_count; i++) {
9736 struct necp_drop_dest_entry *tmp_drop_dest_entry = &tmp_drop_dest_policy.entries[i];
9737 struct necp_policy_condition_addr *npca = &tmp_drop_dest_entry->cond_addr;
9738
9739 switch (tmp_drop_dest_entry->level) {
9740 case NECP_SESSION_PRIORITY_UNKNOWN:
9741 if (tmp_drop_dest_policy.entry_count != 0) {
9742 NECPLOG(LOG_ERR, "%s (process %s:%u) NECP_SESSION_PRIORITY_UNKNOWN bad entry_count %u", __func__, proc_best_name(p), pid, tmp_drop_dest_policy.entry_count);
9743 return EINVAL;
9744 }
9745 break;
9746 case NECP_SESSION_PRIORITY_CONTROL:
9747 case NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL:
9748 case NECP_SESSION_PRIORITY_HIGH:
9749 case NECP_SESSION_PRIORITY_DEFAULT:
9750 case NECP_SESSION_PRIORITY_LOW:
9751 if (tmp_drop_dest_policy.entry_count == 0) {
9752 NECPLOG(LOG_ERR, "%s (process %s:%u) priority %u entry_count 0", __func__, proc_best_name(p), pid, tmp_drop_dest_entry->level);
9753 return EINVAL;
9754 }
9755 break;
9756 default: {
9757 NECPLOG(LOG_ERR, "%s (process %s:%u) bad level %u", __func__, proc_best_name(p), pid, tmp_drop_dest_entry->level);
9758 return EINVAL;
9759 }
9760 }
9761
9762 switch (npca->address.sa.sa_family) {
9763 case AF_INET: {
9764 if (npca->prefix > 32) {
9765 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad prefix %u", __func__, proc_best_name(p), pid, npca->prefix);
9766 return EINVAL;
9767 }
9768 if (npca->address.sin.sin_len != sizeof(struct sockaddr_in)) {
9769 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad sin_len %u", __func__, proc_best_name(p), pid, npca->address.sin.sin_len);
9770 return EINVAL;
9771 }
9772 if (npca->address.sin.sin_port != 0) {
9773 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad sin_port %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin.sin_port);
9774 return EINVAL;
9775 }
9776 break;
9777 }
9778 case AF_INET6: {
9779 if (npca->prefix > 128) {
9780 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad prefix %u", __func__, proc_best_name(p), pid, npca->prefix);
9781 return EINVAL;
9782 }
9783 if (npca->address.sin6.sin6_len != sizeof(struct sockaddr_in6)) {
9784 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_len %u", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_len);
9785 return EINVAL;
9786 }
9787 if (npca->address.sin6.sin6_port != 0) {
9788 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_port %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_port);
9789 return EINVAL;
9790 }
9791 if (npca->address.sin6.sin6_flowinfo != 0) {
9792 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_flowinfo %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_flowinfo);
9793 return EINVAL;
9794 }
9795 if (npca->address.sin6.sin6_scope_id != 0) {
9796 NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_scope_id %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_scope_id);
9797 return EINVAL;
9798 }
9799 break;
9800 }
9801 default: {
9802 return EINVAL;
9803 }
9804 }
9805 }
9806
9807 //
9808 // Commit the changed policy
9809 //
9810 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
9811 memset(&necp_drop_dest_policy, 0, sizeof(struct necp_drop_dest_policy));
9812
9813 necp_drop_dest_policy.entry_count = tmp_drop_dest_policy.entry_count;
9814 for (u_int32_t i = 0; i < tmp_drop_dest_policy.entry_count; i++) {
9815 struct necp_drop_dest_entry *tmp_drop_dest_entry = &tmp_drop_dest_policy.entries[i];
9816 struct necp_drop_dest_entry *necp_drop_dest_entry = &necp_drop_dest_policy.entries[i];
9817
9818 memcpy(necp_drop_dest_entry, tmp_drop_dest_entry, sizeof(struct necp_drop_dest_entry));
9819
9820 necp_drop_dest_entry->order = necp_get_first_order_for_priority(necp_drop_dest_entry->level);
9821 }
9822 lck_rw_done(&necp_kernel_policy_lock);
9823
9824 return 0;
9825 }
mirror of XNU