2 * Copyright (c) 2004-2016 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
30 * Centralized authorisation framework.
33 #include <sys/appleapiopts.h>
34 #include <sys/param.h> /* XXX trim includes */
36 #include <sys/systm.h>
37 #include <sys/ucred.h>
38 #include <sys/proc_internal.h>
39 #include <sys/timeb.h>
40 #include <sys/times.h>
41 #include <sys/malloc.h>
42 #include <sys/vnode_internal.h>
43 #include <sys/kauth.h>
46 #include <security/audit/audit.h>
48 #include <sys/mount.h>
49 #include <sys/sysproto.h>
50 #include <mach/message.h>
51 #include <mach/host_security.h>
53 #include <kern/locks.h>
57 * Authorization scopes.
60 lck_grp_t
*kauth_lck_grp
;
61 static lck_mtx_t
*kauth_scope_mtx
;
62 #define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx);
63 #define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx);
66 * We support listeners for scopes that have not been registered yet.
67 * If a listener comes in for a scope that is not active we hang the listener
68 * off our kauth_dangling_listeners list and once the scope becomes active we
69 * remove it from kauth_dangling_listeners and add it to the active scope.
71 struct kauth_listener
{
72 TAILQ_ENTRY(kauth_listener
) kl_link
;
73 const char * kl_identifier
;
74 kauth_scope_callback_t kl_callback
;
78 /* XXX - kauth_todo - there is a race if a scope listener is removed while we
79 * we are in the kauth_authorize_action code path. We intentionally do not take
80 * a scope lock in order to get the best possible performance. we will fix this
82 * Until the race is fixed our kext clients are responsible for all active
83 * requests that may be in their callback code or on the way to their callback
84 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
85 * We keep copies of these in our kauth_local_listener in an attempt to limit
86 * our expose to unlisten race.
88 struct kauth_local_listener
{
89 kauth_listener_t kll_listenerp
;
90 kauth_scope_callback_t kll_callback
;
93 typedef struct kauth_local_listener
*kauth_local_listener_t
;
95 static TAILQ_HEAD(, kauth_listener
) kauth_dangling_listeners
;
98 * Scope listeners need to be reworked to be dynamic.
99 * We intentionally used a static table to avoid locking issues with linked
100 * lists. The listeners may be called quite often.
103 #define KAUTH_SCOPE_MAX_LISTENERS 15
106 TAILQ_ENTRY(kauth_scope
) ks_link
;
107 volatile struct kauth_local_listener ks_listeners
[KAUTH_SCOPE_MAX_LISTENERS
];
108 const char * ks_identifier
;
109 kauth_scope_callback_t ks_callback
;
114 /* values for kauth_scope.ks_flags */
115 #define KS_F_HAS_LISTENERS (1 << 0)
117 static TAILQ_HEAD(, kauth_scope
) kauth_scopes
;
119 static int kauth_add_callback_to_scope(kauth_scope_t sp
, kauth_listener_t klp
);
120 static void kauth_scope_init(void);
121 static kauth_scope_t
kauth_alloc_scope(const char *identifier
, kauth_scope_callback_t callback
, void *idata
);
122 static kauth_listener_t
kauth_alloc_listener(const char *identifier
, kauth_scope_callback_t callback
, void *idata
);
124 static int kauth_scope_valid(kauth_scope_t scope
);
127 kauth_scope_t kauth_scope_process
;
128 static int kauth_authorize_process_callback(kauth_cred_t _credential
, void *_idata
, kauth_action_t _action
,
129 uintptr_t arg0
, uintptr_t arg1
, __unused
uintptr_t arg2
, __unused
uintptr_t arg3
);
130 kauth_scope_t kauth_scope_generic
;
131 static int kauth_authorize_generic_callback(kauth_cred_t _credential
, void *_idata
, kauth_action_t _action
,
132 uintptr_t arg0
, uintptr_t arg1
, uintptr_t arg2
, uintptr_t arg3
);
133 kauth_scope_t kauth_scope_fileop
;
135 extern int cansignal(struct proc
*, kauth_cred_t
, struct proc
*, int);
136 extern char * get_pathbuff(void);
137 extern void release_pathbuff(char *path
);
145 lck_grp_attr_t
*grp_attributes
;
147 TAILQ_INIT(&kauth_scopes
);
148 TAILQ_INIT(&kauth_dangling_listeners
);
150 /* set up our lock group */
151 grp_attributes
= lck_grp_attr_alloc_init();
152 kauth_lck_grp
= lck_grp_alloc_init("kauth", grp_attributes
);
153 lck_grp_attr_free(grp_attributes
);
155 /* bring up kauth subsystem components */
157 #if CONFIG_EXT_RESOLVER
158 kauth_identity_init();
162 #if CONFIG_EXT_RESOLVER
163 kauth_resolver_init();
165 /* can't alloc locks after this */
166 lck_grp_free(kauth_lck_grp
);
167 kauth_lck_grp
= NULL
;
171 kauth_scope_init(void)
173 kauth_scope_mtx
= lck_mtx_alloc_init(kauth_lck_grp
, 0 /*LCK_ATTR_NULL*/);
174 kauth_scope_process
= kauth_register_scope(KAUTH_SCOPE_PROCESS
, kauth_authorize_process_callback
, NULL
);
175 kauth_scope_generic
= kauth_register_scope(KAUTH_SCOPE_GENERIC
, kauth_authorize_generic_callback
, NULL
);
176 kauth_scope_fileop
= kauth_register_scope(KAUTH_SCOPE_FILEOP
, NULL
, NULL
);
180 * Scope registration.
184 kauth_alloc_scope(const char *identifier
, kauth_scope_callback_t callback
, void *idata
)
189 * Allocate and populate the scope structure.
191 MALLOC(sp
, kauth_scope_t
, sizeof(*sp
), M_KAUTH
, M_WAITOK
| M_ZERO
);
196 sp
->ks_identifier
= identifier
;
197 sp
->ks_idata
= idata
;
198 sp
->ks_callback
= callback
;
202 static kauth_listener_t
203 kauth_alloc_listener(const char *identifier
, kauth_scope_callback_t callback
, void *idata
)
205 kauth_listener_t lsp
;
208 * Allocate and populate the listener structure.
210 MALLOC(lsp
, kauth_listener_t
, sizeof(*lsp
), M_KAUTH
, M_WAITOK
);
214 lsp
->kl_identifier
= identifier
;
215 lsp
->kl_idata
= idata
;
216 lsp
->kl_callback
= callback
;
221 kauth_register_scope(const char *identifier
, kauth_scope_callback_t callback
, void *idata
)
223 kauth_scope_t sp
, tsp
;
224 kauth_listener_t klp
;
226 if ((sp
= kauth_alloc_scope(identifier
, callback
, idata
)) == NULL
) {
231 * Lock the list and insert.
234 TAILQ_FOREACH(tsp
, &kauth_scopes
, ks_link
) {
236 if (strncmp(tsp
->ks_identifier
, identifier
,
237 strlen(tsp
->ks_identifier
) + 1) == 0) {
243 TAILQ_INSERT_TAIL(&kauth_scopes
, sp
, ks_link
);
246 * Look for listeners waiting for this scope, move them to the active scope
248 * Note that we have to restart the scan every time we remove an entry
249 * from the list, since we can't remove the current item from the list.
252 TAILQ_FOREACH(klp
, &kauth_dangling_listeners
, kl_link
) {
253 if (strncmp(klp
->kl_identifier
, sp
->ks_identifier
,
254 strlen(klp
->kl_identifier
) + 1) == 0) {
255 /* found a match on the dangling listener list. add it to the
258 if (kauth_add_callback_to_scope(sp
, klp
) == 0) {
259 TAILQ_REMOVE(&kauth_dangling_listeners
, klp
, kl_link
);
262 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__
, sp
->ks_identifier
);
277 kauth_deregister_scope(kauth_scope_t scope
)
283 TAILQ_REMOVE(&kauth_scopes
, scope
, ks_link
);
285 /* relocate listeners back to the waiting list */
286 for (i
= 0; i
< KAUTH_SCOPE_MAX_LISTENERS
; i
++) {
287 if (scope
->ks_listeners
[i
].kll_listenerp
!= NULL
) {
288 TAILQ_INSERT_TAIL(&kauth_dangling_listeners
, scope
->ks_listeners
[i
].kll_listenerp
, kl_link
);
289 scope
->ks_listeners
[i
].kll_listenerp
= NULL
;
291 * XXX - kauth_todo - WARNING, do not clear kll_callback or
292 * kll_idata here. they are part of our scope unlisten race hack
297 FREE(scope
, M_KAUTH
);
303 kauth_listen_scope(const char *identifier
, kauth_scope_callback_t callback
, void *idata
)
305 kauth_listener_t klp
;
308 if ((klp
= kauth_alloc_listener(identifier
, callback
, idata
)) == NULL
) {
313 * Lock the scope list and check to see whether this scope already exists.
316 TAILQ_FOREACH(sp
, &kauth_scopes
, ks_link
) {
317 if (strncmp(sp
->ks_identifier
, identifier
,
318 strlen(sp
->ks_identifier
) + 1) == 0) {
319 /* scope exists, add it to scope listener table */
320 if (kauth_add_callback_to_scope(sp
, klp
) == 0) {
324 /* table already full */
331 /* scope doesn't exist, put on waiting list. */
332 TAILQ_INSERT_TAIL(&kauth_dangling_listeners
, klp
, kl_link
);
340 kauth_unlisten_scope(kauth_listener_t listener
)
343 kauth_listener_t klp
;
344 int i
, listener_count
, do_free
;
348 /* search the active scope for this listener */
349 TAILQ_FOREACH(sp
, &kauth_scopes
, ks_link
) {
351 if ((sp
->ks_flags
& KS_F_HAS_LISTENERS
) != 0) {
353 for (i
= 0; i
< KAUTH_SCOPE_MAX_LISTENERS
; i
++) {
354 if (sp
->ks_listeners
[i
].kll_listenerp
== listener
) {
355 sp
->ks_listeners
[i
].kll_listenerp
= NULL
;
358 * XXX - kauth_todo - WARNING, do not clear kll_callback or
359 * kll_idata here. they are part of our scope unlisten race hack
361 } else if (sp
->ks_listeners
[i
].kll_listenerp
!= NULL
) {
366 if (listener_count
== 0) {
367 sp
->ks_flags
&= ~KS_F_HAS_LISTENERS
;
370 FREE(listener
, M_KAUTH
);
376 /* if not active, check the dangling list */
377 TAILQ_FOREACH(klp
, &kauth_dangling_listeners
, kl_link
) {
378 if (klp
== listener
) {
379 TAILQ_REMOVE(&kauth_dangling_listeners
, klp
, kl_link
);
381 FREE(listener
, M_KAUTH
);
391 * Authorization requests.
394 * EPERM Operation not permitted
396 * Imputed: *arg3, modified Callback return - depends on callback
397 * modification of *arg3, if any
400 kauth_authorize_action(kauth_scope_t scope
, kauth_cred_t credential
, kauth_action_t action
,
401 uintptr_t arg0
, uintptr_t arg1
, uintptr_t arg2
, uintptr_t arg3
)
406 if (scope
->ks_callback
!= NULL
) {
407 result
= scope
->ks_callback(credential
, scope
->ks_idata
, action
, arg0
, arg1
, arg2
, arg3
);
409 result
= KAUTH_RESULT_DEFER
;
412 /* check with listeners */
413 if ((scope
->ks_flags
& KS_F_HAS_LISTENERS
) != 0) {
414 for (i
= 0; i
< KAUTH_SCOPE_MAX_LISTENERS
; i
++) {
415 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
416 * Until the race is fixed our kext clients are responsible for all active requests that may
417 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
418 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
421 if (scope
->ks_listeners
[i
].kll_listenerp
== NULL
||
422 scope
->ks_listeners
[i
].kll_callback
== NULL
) {
426 ret
= scope
->ks_listeners
[i
].kll_callback(
427 credential
, scope
->ks_listeners
[i
].kll_idata
,
428 action
, arg0
, arg1
, arg2
, arg3
);
429 if ((ret
== KAUTH_RESULT_DENY
) ||
430 (result
== KAUTH_RESULT_DEFER
)) {
436 /* we need an explicit allow, or the auth fails */
437 /* XXX need a mechanism for auth failure to be signalled vs. denial */
438 return result
== KAUTH_RESULT_ALLOW
? 0 : EPERM
;
442 * Default authorization handlers.
445 kauth_authorize_allow(__unused kauth_cred_t credential
, __unused
void *idata
, __unused kauth_action_t action
,
446 __unused
uintptr_t arg0
, __unused
uintptr_t arg1
, __unused
uintptr_t arg2
, __unused
uintptr_t arg3
)
448 return KAUTH_RESULT_ALLOW
;
456 kauth_scope_valid(kauth_scope_t scope
)
461 TAILQ_FOREACH(sp
, &kauth_scopes
, ks_link
) {
467 return (sp
== NULL
) ? 0 : 1;
472 * Process authorization scope.
476 kauth_authorize_process(kauth_cred_t credential
, kauth_action_t action
, struct proc
*process
, uintptr_t arg1
, uintptr_t arg2
, uintptr_t arg3
)
478 return kauth_authorize_action(kauth_scope_process
, credential
, action
, (uintptr_t)process
, arg1
, arg2
, arg3
);
482 kauth_authorize_process_callback(kauth_cred_t credential
, __unused
void *idata
, kauth_action_t action
,
483 uintptr_t arg0
, uintptr_t arg1
, __unused
uintptr_t arg2
, __unused
uintptr_t arg3
)
486 case KAUTH_PROCESS_CANSIGNAL
:
487 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
488 /* XXX credential wrong here */
489 /* arg0 - process to signal
490 * arg1 - signal to send the process
492 if (cansignal(current_proc(), credential
, (struct proc
*)arg0
, (int)arg1
)) {
493 return KAUTH_RESULT_ALLOW
;
496 case KAUTH_PROCESS_CANTRACE
:
497 /* current_proc() - process that will do the tracing
498 * arg0 - process to be traced
499 * arg1 - pointer to int - reason (errno) for denial
501 if (cantrace(current_proc(), credential
, (proc_t
)arg0
, (int *)arg1
)) {
502 return KAUTH_RESULT_ALLOW
;
507 /* no explicit result, so defer to others in the chain */
508 return KAUTH_RESULT_DEFER
;
512 * File system operation authorization scope. This is really only a notification
513 * of the file system operation, not an authorization check. Thus the result is
515 * arguments passed to KAUTH_FILEOP_OPEN listeners
516 * arg0 is pointer to vnode (vnode *) for given user path.
517 * arg1 is pointer to path (char *) passed in to open.
518 * arguments passed to KAUTH_FILEOP_CLOSE listeners
519 * arg0 is pointer to vnode (vnode *) for file to be closed.
520 * arg1 is pointer to path (char *) of file to be closed.
521 * arg2 is close flags.
522 * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners
523 * arg0 is pointer to vnode (vnode *) of the file being renamed
524 * arg1 is pointer to the "from" path (char *)
525 * arg2 is pointer to the "to" path (char *)
526 * arguments passed to KAUTH_FILEOP_RENAME listeners
527 * arg0 is pointer to "from" path (char *).
528 * arg1 is pointer to "to" path (char *).
529 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
530 * arg0 is pointer to file 1 path (char *).
531 * arg1 is pointer to file 2 path (char *).
532 * arguments passed to KAUTH_FILEOP_EXEC listeners
533 * arg0 is pointer to vnode (vnode *) for executable.
534 * arg1 is pointer to path (char *) to executable.
538 kauth_authorize_fileop_has_listeners(void)
541 * return 1 if we have any listeners for the fileop scope
544 if ((kauth_scope_fileop
->ks_flags
& KS_F_HAS_LISTENERS
) != 0) {
551 kauth_authorize_fileop(kauth_cred_t credential
, kauth_action_t action
, uintptr_t arg0
, uintptr_t arg1
)
557 /* we do not have a primary handler for the fileop scope so bail out if
558 * there are no listeners.
560 if ((kauth_scope_fileop
->ks_flags
& KS_F_HAS_LISTENERS
) == 0) {
564 if (action
== KAUTH_FILEOP_OPEN
||
565 action
== KAUTH_FILEOP_CLOSE
||
566 action
== KAUTH_FILEOP_EXEC
||
567 action
== KAUTH_FILEOP_WILL_RENAME
) {
568 /* get path to the given vnode as a convenience to our listeners.
570 namep
= get_pathbuff();
571 name_len
= MAXPATHLEN
;
572 if (vn_getpath((vnode_t
)arg0
, namep
, &name_len
) != 0) {
573 release_pathbuff(namep
);
576 if (action
== KAUTH_FILEOP_CLOSE
||
577 action
== KAUTH_FILEOP_WILL_RENAME
) {
579 * - Close has some flags that come in via arg1.
580 * - Will-rename wants to pass the vnode and
581 * both paths to the listeners ("to" path
582 * starts in arg1, moves to arg2).
586 arg1
= (uintptr_t)namep
;
588 kauth_authorize_action(kauth_scope_fileop
, credential
, action
, arg0
, arg1
, arg2
, 0);
591 release_pathbuff(namep
);
598 * Generic authorization scope.
602 kauth_authorize_generic(kauth_cred_t credential
, kauth_action_t action
)
604 if (credential
== NULL
) {
605 panic("auth against NULL credential");
608 return kauth_authorize_action(kauth_scope_generic
, credential
, action
, 0, 0, 0, 0);
612 kauth_authorize_generic_callback(kauth_cred_t credential
, __unused
void *idata
, kauth_action_t action
,
613 __unused
uintptr_t arg0
, __unused
uintptr_t arg1
, __unused
uintptr_t arg2
, __unused
uintptr_t arg3
)
616 case KAUTH_GENERIC_ISSUSER
:
618 return (kauth_cred_getuid(credential
) == 0) ?
619 KAUTH_RESULT_ALLOW
: KAUTH_RESULT_DENY
;
622 /* no explicit result, so defer to others in the chain */
623 return KAUTH_RESULT_DEFER
;
629 * Determines whether the credential has the requested rights for an object secured by the supplied
632 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
633 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
636 kauth_acl_evaluate(kauth_cred_t cred
, kauth_acl_eval_t eval
)
638 int applies
, error
, i
, gotguid
;
644 /* always allowed to do nothing */
645 if (eval
->ae_requested
== 0) {
646 eval
->ae_result
= KAUTH_RESULT_ALLOW
;
650 eval
->ae_residual
= eval
->ae_requested
;
651 eval
->ae_found_deny
= FALSE
;
654 * Get our guid for comparison purposes.
656 if ((error
= kauth_cred_getguid(cred
, &guid
)) != 0) {
657 KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error
);
664 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval
->ae_count
, eval
->ae_residual
);
665 for (i
= 0, ace
= eval
->ae_acl
; i
< eval
->ae_count
; i
++, ace
++) {
667 * Skip inherit-only entries.
669 if (ace
->ace_flags
& KAUTH_ACE_ONLY_INHERIT
) {
674 * Expand generic rights, if appropriate.
676 rights
= ace
->ace_rights
;
677 if (rights
& KAUTH_ACE_GENERIC_ALL
) {
678 rights
|= eval
->ae_exp_gall
;
680 if (rights
& KAUTH_ACE_GENERIC_READ
) {
681 rights
|= eval
->ae_exp_gread
;
683 if (rights
& KAUTH_ACE_GENERIC_WRITE
) {
684 rights
|= eval
->ae_exp_gwrite
;
686 if (rights
& KAUTH_ACE_GENERIC_EXECUTE
) {
687 rights
|= eval
->ae_exp_gexec
;
691 * Determine whether this entry applies to the current request. This
692 * saves us checking the GUID if the entry has nothing to do with what
693 * we're currently doing.
695 switch (ace
->ace_flags
& KAUTH_ACE_KINDMASK
) {
696 case KAUTH_ACE_PERMIT
:
697 if (!(eval
->ae_residual
& rights
)) {
702 if (!(eval
->ae_requested
& rights
)) {
705 eval
->ae_found_deny
= TRUE
;
708 /* we don't recognise this ACE, skip it */
713 * Verify whether this entry applies to the credential.
715 wkguid
= kauth_wellknown_guid(&ace
->ace_applicable
);
717 case KAUTH_WKG_OWNER
:
718 applies
= eval
->ae_options
& KAUTH_AEVAL_IS_OWNER
;
720 case KAUTH_WKG_GROUP
:
721 if (!gotguid
|| (eval
->ae_options
& KAUTH_AEVAL_IN_GROUP_UNKNOWN
)) {
722 applies
= ((ace
->ace_flags
& KAUTH_ACE_KINDMASK
) == KAUTH_ACE_DENY
);
724 applies
= eval
->ae_options
& KAUTH_AEVAL_IN_GROUP
;
727 /* we short-circuit these here rather than wasting time calling the group membership code */
728 case KAUTH_WKG_EVERYBODY
:
731 case KAUTH_WKG_NOBODY
:
736 /* check to see whether it's exactly us, or a group we are a member of */
737 applies
= !gotguid
? 0 : kauth_guid_equal(&guid
, &ace
->ace_applicable
);
738 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT
" caller " K_UUID_FMT
" %smatched",
739 K_UUID_ARG(ace
->ace_applicable
), K_UUID_ARG(guid
), applies
? "" : "not ");
742 error
= !gotguid
? ENOENT
: kauth_cred_ismember_guid(cred
, &ace
->ace_applicable
, &applies
);
744 * If we can't resolve group membership, we have to limit misbehaviour.
745 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
746 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
747 * is a member (avoid failing to deny).
750 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i
);
751 switch (ace
->ace_flags
& KAUTH_ACE_KINDMASK
) {
752 case KAUTH_ACE_PERMIT
:
760 KAUTH_DEBUG(" ACL - %s group member", applies
? "is" : "not");
763 KAUTH_DEBUG(" ACL - entry matches caller");
771 * Apply ACE to outstanding rights.
773 switch (ace
->ace_flags
& KAUTH_ACE_KINDMASK
) {
774 case KAUTH_ACE_PERMIT
:
775 /* satisfy any rights that this ACE grants */
776 eval
->ae_residual
= eval
->ae_residual
& ~rights
;
777 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i
, rights
, eval
->ae_residual
);
778 /* all rights satisfied? */
779 if (eval
->ae_residual
== 0) {
780 eval
->ae_result
= KAUTH_RESULT_ALLOW
;
785 /* deny the request if any of the requested rights is denied */
786 if (eval
->ae_requested
& rights
) {
787 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i
, rights
);
788 eval
->ae_result
= KAUTH_RESULT_DENY
;
793 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace
->ace_flags
& KAUTH_ACE_KINDMASK
);
797 /* if not permitted, defer to other modes of authorisation */
798 eval
->ae_result
= KAUTH_RESULT_DEFER
;
803 * Perform ACL inheritance and umask-ACL handling.
805 * Entries are inherited from the ACL on dvp. A caller-supplied
806 * ACL is in initial, and the result is output into product.
807 * If the process has a umask ACL and one is not supplied, we use
809 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
812 kauth_acl_inherit(vnode_t dvp
, kauth_acl_t initial
, kauth_acl_t
*product
, int isdir
, vfs_context_t ctx
)
814 int entries
, error
, index
;
816 struct vnode_attr dva
;
817 kauth_acl_t inherit
, result
;
820 * Fetch the ACL from the directory. This should never fail.
821 * Note that we don't manage inheritance when the remote server is
822 * doing authorization, since this means server enforcement of
823 * inheritance semantics; we just want to compose the initial
824 * ACL and any inherited ACE entries from the container object.
826 * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process.
830 * If there is no initial ACL, or there is, and the initial ACLs
831 * flags do not request "no inheritance", then we inherit. This allows
832 * initial object creation via open_extended() and mkdir_extended()
833 * to reject inheritance for themselves and for inferior nodes by
834 * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT
835 * flag set in the flags field.
837 if ((initial
== NULL
|| !(initial
->acl_flags
& KAUTH_ACL_NO_INHERIT
)) &&
838 (dvp
!= NULL
) && !vfs_authopaque(vnode_mount(dvp
))) {
840 VATTR_WANTED(&dva
, va_acl
);
841 if ((error
= vnode_getattr(dvp
, &dva
, ctx
)) != 0) {
842 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
845 if (VATTR_IS_SUPPORTED(&dva
, va_acl
)) {
846 inherit
= dva
.va_acl
;
851 * Compute the number of entries in the result ACL by scanning the
855 if (inherit
!= NULL
) {
856 for (i
= 0; i
< inherit
->acl_entrycount
; i
++) {
857 if (inherit
->acl_ace
[i
].ace_flags
& (isdir
? KAUTH_ACE_DIRECTORY_INHERIT
: KAUTH_ACE_FILE_INHERIT
)) {
863 if (initial
== NULL
) {
865 * XXX 3634665 TODO: if the initial ACL is not specfied by
866 * XXX the caller, fetch the umask ACL from the process,
867 * and use it in place of "initial".
871 if (initial
!= NULL
) {
872 if (initial
->acl_entrycount
!= KAUTH_FILESEC_NOACL
) {
873 entries
+= initial
->acl_entrycount
;
880 * If there is no initial ACL, and no inheritable entries, the
881 * object should be created with no ACL at all.
882 * Note that this differs from the case where the initial ACL
883 * is empty, in which case the object must also have an empty ACL.
885 if ((entries
== 0) && (initial
== NULL
)) {
892 * Allocate the result buffer.
894 if ((result
= kauth_acl_alloc(entries
)) == NULL
) {
895 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries
);
901 * Composition is simply:
902 * - initial direct ACEs
903 * - inherited ACEs from new parent
906 if (initial
!= NULL
) {
907 for (i
= 0; i
< initial
->acl_entrycount
; i
++) {
908 if (!(initial
->acl_ace
[i
].ace_flags
& KAUTH_ACE_INHERITED
)) {
909 result
->acl_ace
[index
++] = initial
->acl_ace
[i
];
912 KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index
, initial
->acl_entrycount
);
914 if (inherit
!= NULL
) {
915 for (i
= 0; i
< inherit
->acl_entrycount
; i
++) {
917 * Inherit onto this object? We inherit only if
918 * the target object is a container object and the
919 * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if
920 * if the target object is not a container, and
921 * the KAUTH_ACE_FILE_INHERIT bit is set.
923 if (inherit
->acl_ace
[i
].ace_flags
& (isdir
? KAUTH_ACE_DIRECTORY_INHERIT
: KAUTH_ACE_FILE_INHERIT
)) {
924 result
->acl_ace
[index
] = inherit
->acl_ace
[i
];
925 result
->acl_ace
[index
].ace_flags
|= KAUTH_ACE_INHERITED
;
926 result
->acl_ace
[index
].ace_flags
&= ~KAUTH_ACE_ONLY_INHERIT
;
928 * We do not re-inherit inheritance flags
929 * if the ACE from the container has a
930 * KAUTH_ACE_LIMIT_INHERIT, OR if the new
931 * object is not itself a container (since
932 * inheritance is always container-based).
934 if ((result
->acl_ace
[index
].ace_flags
& KAUTH_ACE_LIMIT_INHERIT
) || !isdir
) {
935 result
->acl_ace
[index
].ace_flags
&=
936 ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS
);
942 result
->acl_entrycount
= index
;
944 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index
);
947 if (inherit
!= NULL
) {
948 kauth_acl_free(inherit
);
954 * Optimistically copy in a kauth_filesec structure
956 * Parameters: xsecurity user space kauth_filesec_t
957 * xsecdstpp pointer to kauth_filesec_t to be
958 * modified to contain the contain a
959 * pointer to an allocated copy of the
960 * user space argument
963 * ENOMEM Insufficient memory for the copy.
964 * EINVAL The user space data was invalid, or
965 * there were too many ACE entries.
966 * EFAULT The user space address was invalid;
967 * this may mean 'fsec_entrycount' in
968 * the user copy is corrupt/incorrect.
970 * Implicit returns: xsecdestpp, modified (only if successful!)
972 * Notes: The returned kauth_filesec_t is in host byte order
974 * The caller is responsible for freeing the returned
975 * kauth_filesec_t in the success case using the function
976 * kauth_filesec_free()
978 * Our largest initial guess is 32; this needs to move to
979 * a manifest constant in <sys/kauth.h>.
982 kauth_copyinfilesec(user_addr_t xsecurity
, kauth_filesec_t
*xsecdestpp
)
985 kauth_filesec_t fsec
;
993 * Make a guess at the size of the filesec. We start with the base
994 * pointer, and look at how much room is left on the page, clipped
995 * to a sensible upper bound. If it turns out this isn't enough,
996 * we'll size based on the actual ACL contents and come back again.
998 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
999 * value here is fairly arbitrary. It's ok to have a zero count.
1001 * Because we're just using these values to make a guess about the
1002 * number of entries, the actual address doesn't matter, only their
1003 * relative offsets into the page. We take advantage of this to
1004 * avoid an overflow in the rounding step (this is a user-provided
1005 * parameter, so caution pays off).
1008 user_addr_t known_bound
= (xsecurity
& PAGE_MASK
) + KAUTH_FILESEC_SIZE(0);
1009 user_addr_t uaddr
= mach_vm_round_page(known_bound
);
1010 count
= (uaddr
- known_bound
) / sizeof(struct kauth_ace
);
1016 if ((fsec
= kauth_filesec_alloc(count
)) == NULL
) {
1020 copysize
= KAUTH_FILESEC_SIZE(count
);
1021 if ((error
= copyin(xsecurity
, (caddr_t
)fsec
, copysize
)) != 0) {
1025 /* validate the filesec header */
1026 if (fsec
->fsec_magic
!= KAUTH_FILESEC_MAGIC
) {
1032 * Is there an ACL payload, and is it too big?
1034 if ((fsec
->fsec_entrycount
!= KAUTH_FILESEC_NOACL
) &&
1035 (fsec
->fsec_entrycount
> count
)) {
1036 if (fsec
->fsec_entrycount
> KAUTH_ACL_MAX_ENTRIES
) {
1037 /* XXX This should be E2BIG */
1041 count
= fsec
->fsec_entrycount
;
1042 kauth_filesec_free(fsec
);
1049 kauth_filesec_free(fsec
);
1053 AUDIT_ARG(opaque
, fsec
, copysize
);
1059 * Allocate a block of memory containing a filesec structure, immediately
1060 * followed by 'count' kauth_ace structures.
1062 * Parameters: count Number of kauth_ace structures needed
1064 * Returns: !NULL A pointer to the allocated block
1065 * NULL Invalid 'count' or insufficient memory
1067 * Notes: Returned memory area assumes that the structures are packed
1068 * densely, so this function may only be used by code that also
1069 * assumes no padding following structures.
1071 * The returned structure must be freed by the caller using the
1072 * function kauth_filesec_free(), in case we decide to use an
1073 * allocation mechanism that is aware of the object size at some
1074 * point, since the object size is only available by introspecting
1075 * the object itself.
1078 kauth_filesec_alloc(int count
)
1080 kauth_filesec_t fsp
;
1082 /* if the caller hasn't given us a valid size hint, assume the worst */
1083 if ((count
< 0) || (count
> KAUTH_ACL_MAX_ENTRIES
)) {
1087 MALLOC(fsp
, kauth_filesec_t
, KAUTH_FILESEC_SIZE(count
), M_KAUTH
, M_WAITOK
);
1089 fsp
->fsec_magic
= KAUTH_FILESEC_MAGIC
;
1090 fsp
->fsec_owner
= kauth_null_guid
;
1091 fsp
->fsec_group
= kauth_null_guid
;
1092 fsp
->fsec_entrycount
= KAUTH_FILESEC_NOACL
;
1093 fsp
->fsec_flags
= 0;
1099 * Free a kauth_filesec_t that was previous allocated, either by a direct
1100 * call to kauth_filesec_alloc() or by calling a function that calls it.
1102 * Parameters: fsp kauth_filesec_t to free
1106 * Notes: The kauth_filesec_t to be freed is assumed to be in host
1107 * byte order so that this function can introspect it in the
1108 * future to determine its size, if necesssary.
1111 kauth_filesec_free(kauth_filesec_t fsp
)
1113 #ifdef KAUTH_DEBUG_ENABLE
1114 if (fsp
== KAUTH_FILESEC_NONE
) {
1115 panic("freeing KAUTH_FILESEC_NONE");
1117 if (fsp
== KAUTH_FILESEC_WANTED
) {
1118 panic("freeing KAUTH_FILESEC_WANTED");
1125 * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the
1126 * ACL interior to 'fsec' instead. If the endianness doesn't change, then
1127 * this function will have no effect.
1129 * Parameters: kendian The endianness to set; this is either
1130 * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK.
1131 * fsec The filesec to convert.
1132 * acl The ACL to convert (optional)
1136 * Notes: We use ntohl() because it has a transitive property on Intel
1137 * machines and no effect on PPC mancines. This guarantees us
1138 * that the swapping only occurs if the endiannes is wrong.
1141 kauth_filesec_acl_setendian(int kendian
, kauth_filesec_t fsec
, kauth_acl_t acl
)
1143 uint32_t compare_magic
= KAUTH_FILESEC_MAGIC
;
1144 uint32_t invert_magic
= ntohl(KAUTH_FILESEC_MAGIC
);
1145 uint32_t compare_acl_entrycount
;
1148 if (compare_magic
== invert_magic
) {
1152 /* If no ACL, use ACL interior to 'fsec' instead */
1154 acl
= &fsec
->fsec_acl
;
1157 compare_acl_entrycount
= acl
->acl_entrycount
;
1160 * Only convert what needs to be converted, and only if the arguments
1161 * are valid. The following switch and tests effectively reject
1162 * conversions on invalid magic numbers as a desirable side effect.
1165 case KAUTH_ENDIAN_HOST
: /* not in host, convert to host */
1166 if (fsec
->fsec_magic
!= invert_magic
) {
1169 /* acl_entrycount is byteswapped */
1170 compare_acl_entrycount
= ntohl(acl
->acl_entrycount
);
1172 case KAUTH_ENDIAN_DISK
: /* not in disk, convert to disk */
1173 if (fsec
->fsec_magic
!= compare_magic
) {
1177 default: /* bad argument */
1181 /* We are go for conversion */
1182 fsec
->fsec_magic
= ntohl(fsec
->fsec_magic
);
1183 acl
->acl_entrycount
= ntohl(acl
->acl_entrycount
);
1184 if (compare_acl_entrycount
!= KAUTH_FILESEC_NOACL
) {
1185 acl
->acl_flags
= ntohl(acl
->acl_flags
);
1187 /* swap ACE rights and flags */
1188 for (i
= 0; i
< compare_acl_entrycount
; i
++) {
1189 acl
->acl_ace
[i
].ace_flags
= ntohl(acl
->acl_ace
[i
].ace_flags
);
1190 acl
->acl_ace
[i
].ace_rights
= ntohl(acl
->acl_ace
[i
].ace_rights
);
1197 * Allocate an ACL buffer.
1200 kauth_acl_alloc(int count
)
1204 /* if the caller hasn't given us a valid size hint, assume the worst */
1205 if ((count
< 0) || (count
> KAUTH_ACL_MAX_ENTRIES
)) {
1209 MALLOC(aclp
, kauth_acl_t
, KAUTH_ACL_SIZE(count
), M_KAUTH
, M_WAITOK
);
1211 aclp
->acl_entrycount
= 0;
1212 aclp
->acl_flags
= 0;
1218 kauth_acl_free(kauth_acl_t aclp
)
1220 FREE(aclp
, M_KAUTH
);
1225 * WARNING - caller must hold KAUTH_SCOPELOCK
1228 kauth_add_callback_to_scope(kauth_scope_t sp
, kauth_listener_t klp
)
1232 for (i
= 0; i
< KAUTH_SCOPE_MAX_LISTENERS
; i
++) {
1233 if (sp
->ks_listeners
[i
].kll_listenerp
== NULL
) {
1234 sp
->ks_listeners
[i
].kll_callback
= klp
->kl_callback
;
1235 sp
->ks_listeners
[i
].kll_idata
= klp
->kl_idata
;
1236 sp
->ks_listeners
[i
].kll_listenerp
= klp
;
1237 sp
->ks_flags
|= KS_F_HAS_LISTENERS
;