]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_authorization.c
xnu-6153.11.26.tar.gz
[apple/xnu.git] / bsd / kern / kern_authorization.c
1 /*
2 * Copyright (c) 2004-2016 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /*
30 * Centralized authorisation framework.
31 */
32
33 #include <sys/appleapiopts.h>
34 #include <sys/param.h> /* XXX trim includes */
35 #include <sys/acct.h>
36 #include <sys/systm.h>
37 #include <sys/ucred.h>
38 #include <sys/proc_internal.h>
39 #include <sys/timeb.h>
40 #include <sys/times.h>
41 #include <sys/malloc.h>
42 #include <sys/vnode_internal.h>
43 #include <sys/kauth.h>
44 #include <sys/stat.h>
45
46 #include <security/audit/audit.h>
47
48 #include <sys/mount.h>
49 #include <sys/sysproto.h>
50 #include <mach/message.h>
51 #include <mach/host_security.h>
52
53 #include <kern/locks.h>
54
55
56 /*
57 * Authorization scopes.
58 */
59
60 lck_grp_t *kauth_lck_grp;
61 static lck_mtx_t *kauth_scope_mtx;
62 #define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx);
63 #define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx);
64
65 /*
66 * We support listeners for scopes that have not been registered yet.
67 * If a listener comes in for a scope that is not active we hang the listener
68 * off our kauth_dangling_listeners list and once the scope becomes active we
69 * remove it from kauth_dangling_listeners and add it to the active scope.
70 */
71 struct kauth_listener {
72 TAILQ_ENTRY(kauth_listener) kl_link;
73 const char * kl_identifier;
74 kauth_scope_callback_t kl_callback;
75 void * kl_idata;
76 };
77
78 /* XXX - kauth_todo - there is a race if a scope listener is removed while we
79 * we are in the kauth_authorize_action code path. We intentionally do not take
80 * a scope lock in order to get the best possible performance. we will fix this
81 * post Tiger.
82 * Until the race is fixed our kext clients are responsible for all active
83 * requests that may be in their callback code or on the way to their callback
84 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
85 * We keep copies of these in our kauth_local_listener in an attempt to limit
86 * our expose to unlisten race.
87 */
88 struct kauth_local_listener {
89 kauth_listener_t kll_listenerp;
90 kauth_scope_callback_t kll_callback;
91 void * kll_idata;
92 };
93 typedef struct kauth_local_listener *kauth_local_listener_t;
94
95 static TAILQ_HEAD(, kauth_listener) kauth_dangling_listeners;
96
97 /*
98 * Scope listeners need to be reworked to be dynamic.
99 * We intentionally used a static table to avoid locking issues with linked
100 * lists. The listeners may be called quite often.
101 * XXX - kauth_todo
102 */
103 #define KAUTH_SCOPE_MAX_LISTENERS 15
104
105 struct kauth_scope {
106 TAILQ_ENTRY(kauth_scope) ks_link;
107 volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS];
108 const char * ks_identifier;
109 kauth_scope_callback_t ks_callback;
110 void * ks_idata;
111 u_int ks_flags;
112 };
113
114 /* values for kauth_scope.ks_flags */
115 #define KS_F_HAS_LISTENERS (1 << 0)
116
117 static TAILQ_HEAD(, kauth_scope) kauth_scopes;
118
119 static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
120 static void kauth_scope_init(void);
121 static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
122 static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
123 #if 0
124 static int kauth_scope_valid(kauth_scope_t scope);
125 #endif
126
127 kauth_scope_t kauth_scope_process;
128 static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
129 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3);
130 kauth_scope_t kauth_scope_generic;
131 static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
132 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
133 kauth_scope_t kauth_scope_fileop;
134
135 extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int);
136 extern char * get_pathbuff(void);
137 extern void release_pathbuff(char *path);
138
139 /*
140 * Initialization.
141 */
142 void
143 kauth_init(void)
144 {
145 lck_grp_attr_t *grp_attributes;
146
147 TAILQ_INIT(&kauth_scopes);
148 TAILQ_INIT(&kauth_dangling_listeners);
149
150 /* set up our lock group */
151 grp_attributes = lck_grp_attr_alloc_init();
152 kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes);
153 lck_grp_attr_free(grp_attributes);
154
155 /* bring up kauth subsystem components */
156 kauth_cred_init();
157 #if CONFIG_EXT_RESOLVER
158 kauth_identity_init();
159 kauth_groups_init();
160 #endif
161 kauth_scope_init();
162 #if CONFIG_EXT_RESOLVER
163 kauth_resolver_init();
164 #endif
165 /* can't alloc locks after this */
166 lck_grp_free(kauth_lck_grp);
167 kauth_lck_grp = NULL;
168 }
169
170 static void
171 kauth_scope_init(void)
172 {
173 kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/);
174 kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL);
175 kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL);
176 kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL);
177 }
178
179 /*
180 * Scope registration.
181 */
182
183 static kauth_scope_t
184 kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
185 {
186 kauth_scope_t sp;
187
188 /*
189 * Allocate and populate the scope structure.
190 */
191 MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO);
192 if (sp == NULL) {
193 return NULL;
194 }
195 sp->ks_flags = 0;
196 sp->ks_identifier = identifier;
197 sp->ks_idata = idata;
198 sp->ks_callback = callback;
199 return sp;
200 }
201
202 static kauth_listener_t
203 kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata)
204 {
205 kauth_listener_t lsp;
206
207 /*
208 * Allocate and populate the listener structure.
209 */
210 MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK);
211 if (lsp == NULL) {
212 return NULL;
213 }
214 lsp->kl_identifier = identifier;
215 lsp->kl_idata = idata;
216 lsp->kl_callback = callback;
217 return lsp;
218 }
219
220 kauth_scope_t
221 kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
222 {
223 kauth_scope_t sp, tsp;
224 kauth_listener_t klp;
225
226 if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL) {
227 return NULL;
228 }
229
230 /*
231 * Lock the list and insert.
232 */
233 KAUTH_SCOPELOCK();
234 TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
235 /* duplicate! */
236 if (strncmp(tsp->ks_identifier, identifier,
237 strlen(tsp->ks_identifier) + 1) == 0) {
238 KAUTH_SCOPEUNLOCK();
239 FREE(sp, M_KAUTH);
240 return NULL;
241 }
242 }
243 TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link);
244
245 /*
246 * Look for listeners waiting for this scope, move them to the active scope
247 * listener table.
248 * Note that we have to restart the scan every time we remove an entry
249 * from the list, since we can't remove the current item from the list.
250 */
251 restart:
252 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
253 if (strncmp(klp->kl_identifier, sp->ks_identifier,
254 strlen(klp->kl_identifier) + 1) == 0) {
255 /* found a match on the dangling listener list. add it to the
256 * the active scope.
257 */
258 if (kauth_add_callback_to_scope(sp, klp) == 0) {
259 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
260 } else {
261 #if 0
262 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier);
263 #endif
264 break;
265 }
266 goto restart;
267 }
268 }
269
270 KAUTH_SCOPEUNLOCK();
271 return sp;
272 }
273
274
275
276 void
277 kauth_deregister_scope(kauth_scope_t scope)
278 {
279 int i;
280
281 KAUTH_SCOPELOCK();
282
283 TAILQ_REMOVE(&kauth_scopes, scope, ks_link);
284
285 /* relocate listeners back to the waiting list */
286 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
287 if (scope->ks_listeners[i].kll_listenerp != NULL) {
288 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link);
289 scope->ks_listeners[i].kll_listenerp = NULL;
290 /*
291 * XXX - kauth_todo - WARNING, do not clear kll_callback or
292 * kll_idata here. they are part of our scope unlisten race hack
293 */
294 }
295 }
296 KAUTH_SCOPEUNLOCK();
297 FREE(scope, M_KAUTH);
298
299 return;
300 }
301
302 kauth_listener_t
303 kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
304 {
305 kauth_listener_t klp;
306 kauth_scope_t sp;
307
308 if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL) {
309 return NULL;
310 }
311
312 /*
313 * Lock the scope list and check to see whether this scope already exists.
314 */
315 KAUTH_SCOPELOCK();
316 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
317 if (strncmp(sp->ks_identifier, identifier,
318 strlen(sp->ks_identifier) + 1) == 0) {
319 /* scope exists, add it to scope listener table */
320 if (kauth_add_callback_to_scope(sp, klp) == 0) {
321 KAUTH_SCOPEUNLOCK();
322 return klp;
323 }
324 /* table already full */
325 KAUTH_SCOPEUNLOCK();
326 FREE(klp, M_KAUTH);
327 return NULL;
328 }
329 }
330
331 /* scope doesn't exist, put on waiting list. */
332 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link);
333
334 KAUTH_SCOPEUNLOCK();
335
336 return klp;
337 }
338
339 void
340 kauth_unlisten_scope(kauth_listener_t listener)
341 {
342 kauth_scope_t sp;
343 kauth_listener_t klp;
344 int i, listener_count, do_free;
345
346 KAUTH_SCOPELOCK();
347
348 /* search the active scope for this listener */
349 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
350 do_free = 0;
351 if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) {
352 listener_count = 0;
353 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
354 if (sp->ks_listeners[i].kll_listenerp == listener) {
355 sp->ks_listeners[i].kll_listenerp = NULL;
356 do_free = 1;
357 /*
358 * XXX - kauth_todo - WARNING, do not clear kll_callback or
359 * kll_idata here. they are part of our scope unlisten race hack
360 */
361 } else if (sp->ks_listeners[i].kll_listenerp != NULL) {
362 listener_count++;
363 }
364 }
365 if (do_free) {
366 if (listener_count == 0) {
367 sp->ks_flags &= ~KS_F_HAS_LISTENERS;
368 }
369 KAUTH_SCOPEUNLOCK();
370 FREE(listener, M_KAUTH);
371 return;
372 }
373 }
374 }
375
376 /* if not active, check the dangling list */
377 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
378 if (klp == listener) {
379 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
380 KAUTH_SCOPEUNLOCK();
381 FREE(listener, M_KAUTH);
382 return;
383 }
384 }
385
386 KAUTH_SCOPEUNLOCK();
387 return;
388 }
389
390 /*
391 * Authorization requests.
392 *
393 * Returns: 0 Success
394 * EPERM Operation not permitted
395 *
396 * Imputed: *arg3, modified Callback return - depends on callback
397 * modification of *arg3, if any
398 */
399 int
400 kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
401 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
402 {
403 int result, ret, i;
404
405 /* ask the scope */
406 if (scope->ks_callback != NULL) {
407 result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3);
408 } else {
409 result = KAUTH_RESULT_DEFER;
410 }
411
412 /* check with listeners */
413 if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) {
414 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
415 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
416 * Until the race is fixed our kext clients are responsible for all active requests that may
417 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
418 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
419 * unlisten race.
420 */
421 if (scope->ks_listeners[i].kll_listenerp == NULL ||
422 scope->ks_listeners[i].kll_callback == NULL) {
423 continue;
424 }
425
426 ret = scope->ks_listeners[i].kll_callback(
427 credential, scope->ks_listeners[i].kll_idata,
428 action, arg0, arg1, arg2, arg3);
429 if ((ret == KAUTH_RESULT_DENY) ||
430 (result == KAUTH_RESULT_DEFER)) {
431 result = ret;
432 }
433 }
434 }
435
436 /* we need an explicit allow, or the auth fails */
437 /* XXX need a mechanism for auth failure to be signalled vs. denial */
438 return result == KAUTH_RESULT_ALLOW ? 0 : EPERM;
439 }
440
441 /*
442 * Default authorization handlers.
443 */
444 int
445 kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action,
446 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
447 {
448 return KAUTH_RESULT_ALLOW;
449 }
450
451 #if 0
452 /*
453 * Debugging support.
454 */
455 static int
456 kauth_scope_valid(kauth_scope_t scope)
457 {
458 kauth_scope_t sp;
459
460 KAUTH_SCOPELOCK();
461 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
462 if (sp == scope) {
463 break;
464 }
465 }
466 KAUTH_SCOPEUNLOCK();
467 return (sp == NULL) ? 0 : 1;
468 }
469 #endif
470
471 /*
472 * Process authorization scope.
473 */
474
475 int
476 kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
477 {
478 return kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3);
479 }
480
481 static int
482 kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
483 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
484 {
485 switch (action) {
486 case KAUTH_PROCESS_CANSIGNAL:
487 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
488 /* XXX credential wrong here */
489 /* arg0 - process to signal
490 * arg1 - signal to send the process
491 */
492 if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1)) {
493 return KAUTH_RESULT_ALLOW;
494 }
495 break;
496 case KAUTH_PROCESS_CANTRACE:
497 /* current_proc() - process that will do the tracing
498 * arg0 - process to be traced
499 * arg1 - pointer to int - reason (errno) for denial
500 */
501 if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1)) {
502 return KAUTH_RESULT_ALLOW;
503 }
504 break;
505 }
506
507 /* no explicit result, so defer to others in the chain */
508 return KAUTH_RESULT_DEFER;
509 }
510
511 /*
512 * File system operation authorization scope. This is really only a notification
513 * of the file system operation, not an authorization check. Thus the result is
514 * not relevant.
515 * arguments passed to KAUTH_FILEOP_OPEN listeners
516 * arg0 is pointer to vnode (vnode *) for given user path.
517 * arg1 is pointer to path (char *) passed in to open.
518 * arguments passed to KAUTH_FILEOP_CLOSE listeners
519 * arg0 is pointer to vnode (vnode *) for file to be closed.
520 * arg1 is pointer to path (char *) of file to be closed.
521 * arg2 is close flags.
522 * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners
523 * arg0 is pointer to vnode (vnode *) of the file being renamed
524 * arg1 is pointer to the "from" path (char *)
525 * arg2 is pointer to the "to" path (char *)
526 * arguments passed to KAUTH_FILEOP_RENAME listeners
527 * arg0 is pointer to "from" path (char *).
528 * arg1 is pointer to "to" path (char *).
529 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
530 * arg0 is pointer to file 1 path (char *).
531 * arg1 is pointer to file 2 path (char *).
532 * arguments passed to KAUTH_FILEOP_EXEC listeners
533 * arg0 is pointer to vnode (vnode *) for executable.
534 * arg1 is pointer to path (char *) to executable.
535 */
536
537 int
538 kauth_authorize_fileop_has_listeners(void)
539 {
540 /*
541 * return 1 if we have any listeners for the fileop scope
542 * otherwize return 0
543 */
544 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) {
545 return 1;
546 }
547 return 0;
548 }
549
550 int
551 kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1)
552 {
553 char *namep = NULL;
554 int name_len;
555 uintptr_t arg2 = 0;
556
557 /* we do not have a primary handler for the fileop scope so bail out if
558 * there are no listeners.
559 */
560 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
561 return 0;
562 }
563
564 if (action == KAUTH_FILEOP_OPEN ||
565 action == KAUTH_FILEOP_CLOSE ||
566 action == KAUTH_FILEOP_EXEC ||
567 action == KAUTH_FILEOP_WILL_RENAME) {
568 /* get path to the given vnode as a convenience to our listeners.
569 */
570 namep = get_pathbuff();
571 name_len = MAXPATHLEN;
572 if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
573 release_pathbuff(namep);
574 return 0;
575 }
576 if (action == KAUTH_FILEOP_CLOSE ||
577 action == KAUTH_FILEOP_WILL_RENAME) {
578 /*
579 * - Close has some flags that come in via arg1.
580 * - Will-rename wants to pass the vnode and
581 * both paths to the listeners ("to" path
582 * starts in arg1, moves to arg2).
583 */
584 arg2 = arg1;
585 }
586 arg1 = (uintptr_t)namep;
587 }
588 kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0);
589
590 if (namep != NULL) {
591 release_pathbuff(namep);
592 }
593
594 return 0;
595 }
596
597 /*
598 * Generic authorization scope.
599 */
600
601 int
602 kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action)
603 {
604 if (credential == NULL) {
605 panic("auth against NULL credential");
606 }
607
608 return kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0);
609 }
610
611 static int
612 kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
613 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
614 {
615 switch (action) {
616 case KAUTH_GENERIC_ISSUSER:
617 /* XXX == 0 ? */
618 return (kauth_cred_getuid(credential) == 0) ?
619 KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY;
620 }
621
622 /* no explicit result, so defer to others in the chain */
623 return KAUTH_RESULT_DEFER;
624 }
625
626 /*
627 * ACL evaluator.
628 *
629 * Determines whether the credential has the requested rights for an object secured by the supplied
630 * ACL.
631 *
632 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
633 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
634 */
635 int
636 kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
637 {
638 int applies, error, i, gotguid;
639 kauth_ace_t ace;
640 guid_t guid;
641 uint32_t rights;
642 int wkguid;
643
644 /* always allowed to do nothing */
645 if (eval->ae_requested == 0) {
646 eval->ae_result = KAUTH_RESULT_ALLOW;
647 return 0;
648 }
649
650 eval->ae_residual = eval->ae_requested;
651 eval->ae_found_deny = FALSE;
652
653 /*
654 * Get our guid for comparison purposes.
655 */
656 if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
657 KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error);
658 error = 0;
659 gotguid = 0;
660 } else {
661 gotguid = 1;
662 }
663
664 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
665 for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) {
666 /*
667 * Skip inherit-only entries.
668 */
669 if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT) {
670 continue;
671 }
672
673 /*
674 * Expand generic rights, if appropriate.
675 */
676 rights = ace->ace_rights;
677 if (rights & KAUTH_ACE_GENERIC_ALL) {
678 rights |= eval->ae_exp_gall;
679 }
680 if (rights & KAUTH_ACE_GENERIC_READ) {
681 rights |= eval->ae_exp_gread;
682 }
683 if (rights & KAUTH_ACE_GENERIC_WRITE) {
684 rights |= eval->ae_exp_gwrite;
685 }
686 if (rights & KAUTH_ACE_GENERIC_EXECUTE) {
687 rights |= eval->ae_exp_gexec;
688 }
689
690 /*
691 * Determine whether this entry applies to the current request. This
692 * saves us checking the GUID if the entry has nothing to do with what
693 * we're currently doing.
694 */
695 switch (ace->ace_flags & KAUTH_ACE_KINDMASK) {
696 case KAUTH_ACE_PERMIT:
697 if (!(eval->ae_residual & rights)) {
698 continue;
699 }
700 break;
701 case KAUTH_ACE_DENY:
702 if (!(eval->ae_requested & rights)) {
703 continue;
704 }
705 eval->ae_found_deny = TRUE;
706 break;
707 default:
708 /* we don't recognise this ACE, skip it */
709 continue;
710 }
711
712 /*
713 * Verify whether this entry applies to the credential.
714 */
715 wkguid = kauth_wellknown_guid(&ace->ace_applicable);
716 switch (wkguid) {
717 case KAUTH_WKG_OWNER:
718 applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
719 break;
720 case KAUTH_WKG_GROUP:
721 if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN)) {
722 applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY);
723 } else {
724 applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
725 }
726 break;
727 /* we short-circuit these here rather than wasting time calling the group membership code */
728 case KAUTH_WKG_EVERYBODY:
729 applies = 1;
730 break;
731 case KAUTH_WKG_NOBODY:
732 applies = 0;
733 break;
734
735 default:
736 /* check to see whether it's exactly us, or a group we are a member of */
737 applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable);
738 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
739 K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
740
741 if (!applies) {
742 error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
743 /*
744 * If we can't resolve group membership, we have to limit misbehaviour.
745 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
746 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
747 * is a member (avoid failing to deny).
748 */
749 if (error != 0) {
750 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i);
751 switch (ace->ace_flags & KAUTH_ACE_KINDMASK) {
752 case KAUTH_ACE_PERMIT:
753 applies = 0;
754 break;
755 case KAUTH_ACE_DENY:
756 applies = 1;
757 break;
758 }
759 } else {
760 KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not");
761 }
762 } else {
763 KAUTH_DEBUG(" ACL - entry matches caller");
764 }
765 }
766 if (!applies) {
767 continue;
768 }
769
770 /*
771 * Apply ACE to outstanding rights.
772 */
773 switch (ace->ace_flags & KAUTH_ACE_KINDMASK) {
774 case KAUTH_ACE_PERMIT:
775 /* satisfy any rights that this ACE grants */
776 eval->ae_residual = eval->ae_residual & ~rights;
777 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual);
778 /* all rights satisfied? */
779 if (eval->ae_residual == 0) {
780 eval->ae_result = KAUTH_RESULT_ALLOW;
781 return 0;
782 }
783 break;
784 case KAUTH_ACE_DENY:
785 /* deny the request if any of the requested rights is denied */
786 if (eval->ae_requested & rights) {
787 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights);
788 eval->ae_result = KAUTH_RESULT_DENY;
789 return 0;
790 }
791 break;
792 default:
793 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK);
794 break;
795 }
796 }
797 /* if not permitted, defer to other modes of authorisation */
798 eval->ae_result = KAUTH_RESULT_DEFER;
799 return 0;
800 }
801
802 /*
803 * Perform ACL inheritance and umask-ACL handling.
804 *
805 * Entries are inherited from the ACL on dvp. A caller-supplied
806 * ACL is in initial, and the result is output into product.
807 * If the process has a umask ACL and one is not supplied, we use
808 * the umask ACL.
809 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
810 */
811 int
812 kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx)
813 {
814 int entries, error, index;
815 unsigned int i;
816 struct vnode_attr dva;
817 kauth_acl_t inherit, result;
818
819 /*
820 * Fetch the ACL from the directory. This should never fail.
821 * Note that we don't manage inheritance when the remote server is
822 * doing authorization, since this means server enforcement of
823 * inheritance semantics; we just want to compose the initial
824 * ACL and any inherited ACE entries from the container object.
825 *
826 * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process.
827 */
828 inherit = NULL;
829 /*
830 * If there is no initial ACL, or there is, and the initial ACLs
831 * flags do not request "no inheritance", then we inherit. This allows
832 * initial object creation via open_extended() and mkdir_extended()
833 * to reject inheritance for themselves and for inferior nodes by
834 * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT
835 * flag set in the flags field.
836 */
837 if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) &&
838 (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
839 VATTR_INIT(&dva);
840 VATTR_WANTED(&dva, va_acl);
841 if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
842 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
843 return error;
844 }
845 if (VATTR_IS_SUPPORTED(&dva, va_acl)) {
846 inherit = dva.va_acl;
847 }
848 }
849
850 /*
851 * Compute the number of entries in the result ACL by scanning the
852 * input lists.
853 */
854 entries = 0;
855 if (inherit != NULL) {
856 for (i = 0; i < inherit->acl_entrycount; i++) {
857 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
858 entries++;
859 }
860 }
861 }
862
863 if (initial == NULL) {
864 /*
865 * XXX 3634665 TODO: if the initial ACL is not specfied by
866 * XXX the caller, fetch the umask ACL from the process,
867 * and use it in place of "initial".
868 */
869 }
870
871 if (initial != NULL) {
872 if (initial->acl_entrycount != KAUTH_FILESEC_NOACL) {
873 entries += initial->acl_entrycount;
874 } else {
875 initial = NULL;
876 }
877 }
878
879 /*
880 * If there is no initial ACL, and no inheritable entries, the
881 * object should be created with no ACL at all.
882 * Note that this differs from the case where the initial ACL
883 * is empty, in which case the object must also have an empty ACL.
884 */
885 if ((entries == 0) && (initial == NULL)) {
886 *product = NULL;
887 error = 0;
888 goto out;
889 }
890
891 /*
892 * Allocate the result buffer.
893 */
894 if ((result = kauth_acl_alloc(entries)) == NULL) {
895 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries);
896 error = ENOMEM;
897 goto out;
898 }
899
900 /*
901 * Composition is simply:
902 * - initial direct ACEs
903 * - inherited ACEs from new parent
904 */
905 index = 0;
906 if (initial != NULL) {
907 for (i = 0; i < initial->acl_entrycount; i++) {
908 if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) {
909 result->acl_ace[index++] = initial->acl_ace[i];
910 }
911 }
912 KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount);
913 }
914 if (inherit != NULL) {
915 for (i = 0; i < inherit->acl_entrycount; i++) {
916 /*
917 * Inherit onto this object? We inherit only if
918 * the target object is a container object and the
919 * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if
920 * if the target object is not a container, and
921 * the KAUTH_ACE_FILE_INHERIT bit is set.
922 */
923 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
924 result->acl_ace[index] = inherit->acl_ace[i];
925 result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
926 result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT;
927 /*
928 * We do not re-inherit inheritance flags
929 * if the ACE from the container has a
930 * KAUTH_ACE_LIMIT_INHERIT, OR if the new
931 * object is not itself a container (since
932 * inheritance is always container-based).
933 */
934 if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) {
935 result->acl_ace[index].ace_flags &=
936 ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS);
937 }
938 index++;
939 }
940 }
941 }
942 result->acl_entrycount = index;
943 *product = result;
944 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index);
945 error = 0;
946 out:
947 if (inherit != NULL) {
948 kauth_acl_free(inherit);
949 }
950 return error;
951 }
952
953 /*
954 * Optimistically copy in a kauth_filesec structure
955 *
956 * Parameters: xsecurity user space kauth_filesec_t
957 * xsecdstpp pointer to kauth_filesec_t to be
958 * modified to contain the contain a
959 * pointer to an allocated copy of the
960 * user space argument
961 *
962 * Returns: 0 Success
963 * ENOMEM Insufficient memory for the copy.
964 * EINVAL The user space data was invalid, or
965 * there were too many ACE entries.
966 * EFAULT The user space address was invalid;
967 * this may mean 'fsec_entrycount' in
968 * the user copy is corrupt/incorrect.
969 *
970 * Implicit returns: xsecdestpp, modified (only if successful!)
971 *
972 * Notes: The returned kauth_filesec_t is in host byte order
973 *
974 * The caller is responsible for freeing the returned
975 * kauth_filesec_t in the success case using the function
976 * kauth_filesec_free()
977 *
978 * Our largest initial guess is 32; this needs to move to
979 * a manifest constant in <sys/kauth.h>.
980 */
981 int
982 kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
983 {
984 int error;
985 kauth_filesec_t fsec;
986 u_int32_t count;
987 size_t copysize;
988
989 error = 0;
990 fsec = NULL;
991
992 /*
993 * Make a guess at the size of the filesec. We start with the base
994 * pointer, and look at how much room is left on the page, clipped
995 * to a sensible upper bound. If it turns out this isn't enough,
996 * we'll size based on the actual ACL contents and come back again.
997 *
998 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
999 * value here is fairly arbitrary. It's ok to have a zero count.
1000 *
1001 * Because we're just using these values to make a guess about the
1002 * number of entries, the actual address doesn't matter, only their
1003 * relative offsets into the page. We take advantage of this to
1004 * avoid an overflow in the rounding step (this is a user-provided
1005 * parameter, so caution pays off).
1006 */
1007 {
1008 user_addr_t known_bound = (xsecurity & PAGE_MASK) + KAUTH_FILESEC_SIZE(0);
1009 user_addr_t uaddr = mach_vm_round_page(known_bound);
1010 count = (uaddr - known_bound) / sizeof(struct kauth_ace);
1011 }
1012 if (count > 32) {
1013 count = 32;
1014 }
1015 restart:
1016 if ((fsec = kauth_filesec_alloc(count)) == NULL) {
1017 error = ENOMEM;
1018 goto out;
1019 }
1020 copysize = KAUTH_FILESEC_SIZE(count);
1021 if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0) {
1022 goto out;
1023 }
1024
1025 /* validate the filesec header */
1026 if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) {
1027 error = EINVAL;
1028 goto out;
1029 }
1030
1031 /*
1032 * Is there an ACL payload, and is it too big?
1033 */
1034 if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
1035 (fsec->fsec_entrycount > count)) {
1036 if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
1037 /* XXX This should be E2BIG */
1038 error = EINVAL;
1039 goto out;
1040 }
1041 count = fsec->fsec_entrycount;
1042 kauth_filesec_free(fsec);
1043 goto restart;
1044 }
1045
1046 out:
1047 if (error) {
1048 if (fsec) {
1049 kauth_filesec_free(fsec);
1050 }
1051 } else {
1052 *xsecdestpp = fsec;
1053 AUDIT_ARG(opaque, fsec, copysize);
1054 }
1055 return error;
1056 }
1057
1058 /*
1059 * Allocate a block of memory containing a filesec structure, immediately
1060 * followed by 'count' kauth_ace structures.
1061 *
1062 * Parameters: count Number of kauth_ace structures needed
1063 *
1064 * Returns: !NULL A pointer to the allocated block
1065 * NULL Invalid 'count' or insufficient memory
1066 *
1067 * Notes: Returned memory area assumes that the structures are packed
1068 * densely, so this function may only be used by code that also
1069 * assumes no padding following structures.
1070 *
1071 * The returned structure must be freed by the caller using the
1072 * function kauth_filesec_free(), in case we decide to use an
1073 * allocation mechanism that is aware of the object size at some
1074 * point, since the object size is only available by introspecting
1075 * the object itself.
1076 */
1077 kauth_filesec_t
1078 kauth_filesec_alloc(int count)
1079 {
1080 kauth_filesec_t fsp;
1081
1082 /* if the caller hasn't given us a valid size hint, assume the worst */
1083 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) {
1084 return NULL;
1085 }
1086
1087 MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK);
1088 if (fsp != NULL) {
1089 fsp->fsec_magic = KAUTH_FILESEC_MAGIC;
1090 fsp->fsec_owner = kauth_null_guid;
1091 fsp->fsec_group = kauth_null_guid;
1092 fsp->fsec_entrycount = KAUTH_FILESEC_NOACL;
1093 fsp->fsec_flags = 0;
1094 }
1095 return fsp;
1096 }
1097
1098 /*
1099 * Free a kauth_filesec_t that was previous allocated, either by a direct
1100 * call to kauth_filesec_alloc() or by calling a function that calls it.
1101 *
1102 * Parameters: fsp kauth_filesec_t to free
1103 *
1104 * Returns: (void)
1105 *
1106 * Notes: The kauth_filesec_t to be freed is assumed to be in host
1107 * byte order so that this function can introspect it in the
1108 * future to determine its size, if necesssary.
1109 */
1110 void
1111 kauth_filesec_free(kauth_filesec_t fsp)
1112 {
1113 #ifdef KAUTH_DEBUG_ENABLE
1114 if (fsp == KAUTH_FILESEC_NONE) {
1115 panic("freeing KAUTH_FILESEC_NONE");
1116 }
1117 if (fsp == KAUTH_FILESEC_WANTED) {
1118 panic("freeing KAUTH_FILESEC_WANTED");
1119 }
1120 #endif
1121 FREE(fsp, M_KAUTH);
1122 }
1123
1124 /*
1125 * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the
1126 * ACL interior to 'fsec' instead. If the endianness doesn't change, then
1127 * this function will have no effect.
1128 *
1129 * Parameters: kendian The endianness to set; this is either
1130 * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK.
1131 * fsec The filesec to convert.
1132 * acl The ACL to convert (optional)
1133 *
1134 * Returns: (void)
1135 *
1136 * Notes: We use ntohl() because it has a transitive property on Intel
1137 * machines and no effect on PPC mancines. This guarantees us
1138 * that the swapping only occurs if the endiannes is wrong.
1139 */
1140 void
1141 kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl)
1142 {
1143 uint32_t compare_magic = KAUTH_FILESEC_MAGIC;
1144 uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC);
1145 uint32_t compare_acl_entrycount;
1146 uint32_t i;
1147
1148 if (compare_magic == invert_magic) {
1149 return;
1150 }
1151
1152 /* If no ACL, use ACL interior to 'fsec' instead */
1153 if (acl == NULL) {
1154 acl = &fsec->fsec_acl;
1155 }
1156
1157 compare_acl_entrycount = acl->acl_entrycount;
1158
1159 /*
1160 * Only convert what needs to be converted, and only if the arguments
1161 * are valid. The following switch and tests effectively reject
1162 * conversions on invalid magic numbers as a desirable side effect.
1163 */
1164 switch (kendian) {
1165 case KAUTH_ENDIAN_HOST: /* not in host, convert to host */
1166 if (fsec->fsec_magic != invert_magic) {
1167 return;
1168 }
1169 /* acl_entrycount is byteswapped */
1170 compare_acl_entrycount = ntohl(acl->acl_entrycount);
1171 break;
1172 case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */
1173 if (fsec->fsec_magic != compare_magic) {
1174 return;
1175 }
1176 break;
1177 default: /* bad argument */
1178 return;
1179 }
1180
1181 /* We are go for conversion */
1182 fsec->fsec_magic = ntohl(fsec->fsec_magic);
1183 acl->acl_entrycount = ntohl(acl->acl_entrycount);
1184 if (compare_acl_entrycount != KAUTH_FILESEC_NOACL) {
1185 acl->acl_flags = ntohl(acl->acl_flags);
1186
1187 /* swap ACE rights and flags */
1188 for (i = 0; i < compare_acl_entrycount; i++) {
1189 acl->acl_ace[i].ace_flags = ntohl(acl->acl_ace[i].ace_flags);
1190 acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights);
1191 }
1192 }
1193 }
1194
1195
1196 /*
1197 * Allocate an ACL buffer.
1198 */
1199 kauth_acl_t
1200 kauth_acl_alloc(int count)
1201 {
1202 kauth_acl_t aclp;
1203
1204 /* if the caller hasn't given us a valid size hint, assume the worst */
1205 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) {
1206 return NULL;
1207 }
1208
1209 MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK);
1210 if (aclp != NULL) {
1211 aclp->acl_entrycount = 0;
1212 aclp->acl_flags = 0;
1213 }
1214 return aclp;
1215 }
1216
1217 void
1218 kauth_acl_free(kauth_acl_t aclp)
1219 {
1220 FREE(aclp, M_KAUTH);
1221 }
1222
1223
1224 /*
1225 * WARNING - caller must hold KAUTH_SCOPELOCK
1226 */
1227 static int
1228 kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp)
1229 {
1230 int i;
1231
1232 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
1233 if (sp->ks_listeners[i].kll_listenerp == NULL) {
1234 sp->ks_listeners[i].kll_callback = klp->kl_callback;
1235 sp->ks_listeners[i].kll_idata = klp->kl_idata;
1236 sp->ks_listeners[i].kll_listenerp = klp;
1237 sp->ks_flags |= KS_F_HAS_LISTENERS;
1238 return 0;
1239 }
1240 }
1241 return ENOSPC;
1242 }