]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_authorization.c
projects / apple / xnu.git / blob
? search:


e7410c57b35c097204891b5a47739bad62582f7a
[apple/xnu.git] / bsd / kern / kern_authorization.c
1 /*
2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * Centralized authorisation framework.
26 */
27
28 #include <sys/appleapiopts.h>
29 #include <sys/param.h> /* XXX trim includes */
30 #include <sys/acct.h>
31 #include <sys/systm.h>
32 #include <sys/ucred.h>
33 #include <sys/proc_internal.h>
34 #include <sys/timeb.h>
35 #include <sys/times.h>
36 #include <sys/malloc.h>
37 #include <sys/vnode_internal.h>
38 #include <sys/kauth.h>
39 #include <sys/stat.h>
40
41 #include <bsm/audit_kernel.h>
42
43 #include <sys/mount.h>
44 #include <sys/sysproto.h>
45 #include <mach/message.h>
46 #include <mach/host_security.h>
47
48 #include <kern/locks.h>
49
50
51 /*
52 * Authorization scopes.
53 */
54
55 lck_grp_t *kauth_lck_grp;
56 static lck_mtx_t *kauth_scope_mtx;
57 #define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx);
58 #define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx);
59
60 /*
61 * We support listeners for scopes that have not been registered yet.
62 * If a listener comes in for a scope that is not active we hang the listener
63 * off our kauth_dangling_listeners list and once the scope becomes active we
64 * remove it from kauth_dangling_listeners and add it to the active scope.
65 */
66 struct kauth_listener {
67 TAILQ_ENTRY(kauth_listener) kl_link;
68 const char * kl_identifier;
69 kauth_scope_callback_t kl_callback;
70 void * kl_idata;
71 };
72
73 /* XXX - kauth_todo - there is a race if a scope listener is removed while we
74 * we are in the kauth_authorize_action code path. We intentionally do not take
75 * a scope lock in order to get the best possible performance. we will fix this
76 * post Tiger.
77 * Until the race is fixed our kext clients are responsible for all active
78 * requests that may be in their callback code or on the way to their callback
79 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
80 * We keep copies of these in our kauth_local_listener in an attempt to limit
81 * our expose to unlisten race.
82 */
83 struct kauth_local_listener {
84 kauth_listener_t kll_listenerp;
85 kauth_scope_callback_t kll_callback;
86 void * kll_idata;
87 };
88 typedef struct kauth_local_listener *kauth_local_listener_t;
89
90 static TAILQ_HEAD(,kauth_listener) kauth_dangling_listeners;
91
92 /*
93 * Scope listeners need to be reworked to be dynamic.
94 * We intentionally used a static table to avoid locking issues with linked
95 * lists. The listeners may be called quite often.
96 * XXX - kauth_todo
97 */
98 #define KAUTH_SCOPE_MAX_LISTENERS 15
99
100 struct kauth_scope {
101 TAILQ_ENTRY(kauth_scope) ks_link;
102 volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS];
103 const char * ks_identifier;
104 kauth_scope_callback_t ks_callback;
105 void * ks_idata;
106 u_int ks_flags;
107 };
108
109 /* values for kauth_scope.ks_flags */
110 #define KS_F_HAS_LISTENERS (1 << 0)
111
112 static TAILQ_HEAD(,kauth_scope) kauth_scopes;
113
114 static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
115 static void kauth_scope_init(void);
116 static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
117 static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
118 #if 0
119 static int kauth_scope_valid(kauth_scope_t scope);
120 #endif
121
122 kauth_scope_t kauth_scope_process;
123 static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
124 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3);
125 kauth_scope_t kauth_scope_generic;
126 static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
127 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
128 kauth_scope_t kauth_scope_fileop;
129
130 extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int);
131 extern char * get_pathbuff(void);
132 extern void release_pathbuff(char *path);
133
134 /*
135 * Initialization.
136 */
137 void
138 kauth_init(void)
139 {
140 lck_grp_attr_t *grp_attributes;
141
142 TAILQ_INIT(&kauth_scopes);
143 TAILQ_INIT(&kauth_dangling_listeners);
144
145 /* set up our lock group */
146 grp_attributes = lck_grp_attr_alloc_init();
147 kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes);
148 lck_grp_attr_free(grp_attributes);
149
150 /* bring up kauth subsystem components */
151 kauth_cred_init();
152 kauth_identity_init();
153 kauth_groups_init();
154 kauth_scope_init();
155 kauth_resolver_init();
156
157 /* can't alloc locks after this */
158 lck_grp_free(kauth_lck_grp);
159 kauth_lck_grp = NULL;
160 }
161
162 static void
163 kauth_scope_init(void)
164 {
165 kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/);
166 kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL);
167 kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL);
168 kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL);
169 }
170
171 /*
172 * Scope registration.
173 */
174
175 static kauth_scope_t
176 kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
177 {
178 kauth_scope_t sp;
179
180 /*
181 * Allocate and populate the scope structure.
182 */
183 MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK);
184 if (sp == NULL)
185 return(NULL);
186 bzero(&sp->ks_listeners, sizeof(sp->ks_listeners));
187 sp->ks_flags = 0;
188 sp->ks_identifier = identifier;
189 sp->ks_idata = idata;
190 sp->ks_callback = callback;
191 return(sp);
192 }
193
194 static kauth_listener_t
195 kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata)
196 {
197 kauth_listener_t lsp;
198
199 /*
200 * Allocate and populate the listener structure.
201 */
202 MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK);
203 if (lsp == NULL)
204 return(NULL);
205 lsp->kl_identifier = identifier;
206 lsp->kl_idata = idata;
207 lsp->kl_callback = callback;
208 return(lsp);
209 }
210
211 kauth_scope_t
212 kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
213 {
214 kauth_scope_t sp, tsp;
215 kauth_listener_t klp;
216
217 if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL)
218 return(NULL);
219
220 /*
221 * Lock the list and insert.
222 */
223 KAUTH_SCOPELOCK();
224 TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
225 /* duplicate! */
226 if (strcmp(tsp->ks_identifier, identifier) == 0) {
227 KAUTH_SCOPEUNLOCK();
228 FREE(sp, M_KAUTH);
229 return(NULL);
230 }
231 }
232 TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link);
233
234 /*
235 * Look for listeners waiting for this scope, move them to the active scope
236 * listener table.
237 * Note that we have to restart the scan every time we remove an entry
238 * from the list, since we can't remove the current item from the list.
239 */
240 restart:
241 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
242 if (strcmp(klp->kl_identifier, sp->ks_identifier) == 0) {
243 /* found a match on the dangling listener list. add it to the
244 * the active scope.
245 */
246 if (kauth_add_callback_to_scope(sp, klp) == 0) {
247 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
248 }
249 else {
250 #if 0
251 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier);
252 #endif
253 break;
254 }
255 goto restart;
256 }
257 }
258
259 KAUTH_SCOPEUNLOCK();
260 return(sp);
261 }
262
263
264
265 void
266 kauth_deregister_scope(kauth_scope_t scope)
267 {
268 int i;
269
270 KAUTH_SCOPELOCK();
271
272 TAILQ_REMOVE(&kauth_scopes, scope, ks_link);
273
274 /* relocate listeners back to the waiting list */
275 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
276 if (scope->ks_listeners[i].kll_listenerp != NULL) {
277 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link);
278 scope->ks_listeners[i].kll_listenerp = NULL;
279 /*
280 * XXX - kauth_todo - WARNING, do not clear kll_callback or
281 * kll_idata here. they are part of our scope unlisten race hack
282 */
283 }
284 }
285 KAUTH_SCOPEUNLOCK();
286 FREE(scope, M_KAUTH);
287
288 return;
289 }
290
291 kauth_listener_t
292 kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
293 {
294 kauth_listener_t klp;
295 kauth_scope_t sp;
296
297 if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL)
298 return(NULL);
299
300 /*
301 * Lock the scope list and check to see whether this scope already exists.
302 */
303 KAUTH_SCOPELOCK();
304 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
305 if (strcmp(sp->ks_identifier, identifier) == 0) {
306 /* scope exists, add it to scope listener table */
307 if (kauth_add_callback_to_scope(sp, klp) == 0) {
308 KAUTH_SCOPEUNLOCK();
309 return(klp);
310 }
311 /* table already full */
312 KAUTH_SCOPEUNLOCK();
313 FREE(klp, M_KAUTH);
314 return(NULL);
315 }
316 }
317
318 /* scope doesn't exist, put on waiting list. */
319 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link);
320
321 KAUTH_SCOPEUNLOCK();
322
323 return(klp);
324 }
325
326 void
327 kauth_unlisten_scope(kauth_listener_t listener)
328 {
329 kauth_scope_t sp;
330 kauth_listener_t klp;
331 int i, listener_count, do_free;
332
333 KAUTH_SCOPELOCK();
334
335 /* search the active scope for this listener */
336 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
337 do_free = 0;
338 if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) {
339 listener_count = 0;
340 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
341 if (sp->ks_listeners[i].kll_listenerp == listener) {
342 sp->ks_listeners[i].kll_listenerp = NULL;
343 do_free = 1;
344 /*
345 * XXX - kauth_todo - WARNING, do not clear kll_callback or
346 * kll_idata here. they are part of our scope unlisten race hack
347 */
348 }
349 else if (sp->ks_listeners[i].kll_listenerp != NULL) {
350 listener_count++;
351 }
352 }
353 if (do_free) {
354 if (listener_count == 0) {
355 sp->ks_flags &= ~KS_F_HAS_LISTENERS;
356 }
357 KAUTH_SCOPEUNLOCK();
358 FREE(listener, M_KAUTH);
359 return;
360 }
361 }
362 }
363
364 /* if not active, check the dangling list */
365 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
366 if (klp == listener) {
367 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
368 KAUTH_SCOPEUNLOCK();
369 FREE(listener, M_KAUTH);
370 return;
371 }
372 }
373
374 KAUTH_SCOPEUNLOCK();
375 return;
376 }
377
378 /*
379 * Authorization requests.
380 */
381 int
382 kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
383 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
384 {
385 int result, ret, i;
386
387 /* ask the scope */
388 if (scope->ks_callback != NULL)
389 result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3);
390 else
391 result = KAUTH_RESULT_DEFER;
392
393 /* check with listeners */
394 if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) {
395 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
396 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
397 * Until the race is fixed our kext clients are responsible for all active requests that may
398 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
399 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
400 * unlisten race.
401 */
402 if (scope->ks_listeners[i].kll_listenerp == NULL ||
403 scope->ks_listeners[i].kll_callback == NULL)
404 continue;
405
406 ret = scope->ks_listeners[i].kll_callback(
407 credential, scope->ks_listeners[i].kll_idata,
408 action, arg0, arg1, arg2, arg3);
409 if ((ret == KAUTH_RESULT_DENY) ||
410 (result == KAUTH_RESULT_DEFER))
411 result = ret;
412 }
413 }
414
415 /* we need an explicit allow, or the auth fails */
416 /* XXX need a mechanism for auth failure to be signalled vs. denial */
417 return(result == KAUTH_RESULT_ALLOW ? 0 : EPERM);
418 }
419
420 /*
421 * Default authorization handlers.
422 */
423 int
424 kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action,
425 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
426 {
427
428 return(KAUTH_RESULT_ALLOW);
429 }
430
431 #if 0
432 /*
433 * Debugging support.
434 */
435 static int
436 kauth_scope_valid(kauth_scope_t scope)
437 {
438 kauth_scope_t sp;
439
440 KAUTH_SCOPELOCK();
441 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
442 if (sp == scope)
443 break;
444 }
445 KAUTH_SCOPEUNLOCK();
446 return((sp == NULL) ? 0 : 1);
447 }
448 #endif
449
450 /*
451 * Process authorization scope.
452 */
453
454 int
455 kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
456 {
457 return(kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3));
458 }
459
460 static int
461 kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
462 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
463 {
464 switch(action) {
465 case KAUTH_PROCESS_CANSIGNAL:
466 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
467 /* XXX credential wrong here */
468 /* arg0 - process to signal
469 * arg1 - signal to send the process
470 */
471 if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1))
472 return(KAUTH_RESULT_ALLOW);
473 break;
474 case KAUTH_PROCESS_CANTRACE:
475 /* current_proc() - process that will do the tracing
476 * arg0 - process to be traced
477 * arg1 - pointer to int - reason (errno) for denial
478 */
479 if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1))
480 return(KAUTH_RESULT_ALLOW);
481 break;
482 }
483
484 /* no explicit result, so defer to others in the chain */
485 return(KAUTH_RESULT_DEFER);
486 }
487
488 /*
489 * File system operation authorization scope. This is really only a notification
490 * of the file system operation, not an authorization check. Thus the result is
491 * not relevant.
492 * arguments passed to KAUTH_FILEOP_OPEN listeners
493 * arg0 is pointer to vnode (vnode *) for given user path.
494 * arg1 is pointer to path (char *) passed in to open.
495 * arguments passed to KAUTH_FILEOP_CLOSE listeners
496 * arg0 is pointer to vnode (vnode *) for file to be closed.
497 * arg1 is pointer to path (char *) of file to be closed.
498 * arg2 is close flags.
499 * arguments passed to KAUTH_FILEOP_RENAME listeners
500 * arg0 is pointer to "from" path (char *).
501 * arg1 is pointer to "to" path (char *).
502 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
503 * arg0 is pointer to file 1 path (char *).
504 * arg1 is pointer to file 2 path (char *).
505 * arguments passed to KAUTH_FILEOP_EXEC listeners
506 * arg0 is pointer to vnode (vnode *) for executable.
507 * arg1 is pointer to path (char *) to executable.
508 */
509
510 int
511 kauth_authorize_fileop_has_listeners(void)
512 {
513 /*
514 * return 1 if we have any listeners for the fileop scope
515 * otherwize return 0
516 */
517 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) {
518 return(1);
519 }
520 return (0);
521 }
522
523 int
524 kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1)
525 {
526 char *namep = NULL;
527 int name_len;
528 uintptr_t arg2 = 0;
529
530 /* we do not have a primary handler for the fileop scope so bail out if
531 * there are no listeners.
532 */
533 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
534 return(0);
535 }
536
537 if (action == KAUTH_FILEOP_OPEN || action == KAUTH_FILEOP_CLOSE || action == KAUTH_FILEOP_EXEC) {
538 /* get path to the given vnode as a convenience to our listeners.
539 */
540 namep = get_pathbuff();
541 name_len = MAXPATHLEN;
542 if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
543 release_pathbuff(namep);
544 return(0);
545 }
546 if (action == KAUTH_FILEOP_CLOSE) {
547 arg2 = arg1; /* close has some flags that come in via arg1 */
548 }
549 arg1 = (uintptr_t)namep;
550 }
551 kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0);
552
553 if (namep != NULL) {
554 release_pathbuff(namep);
555 }
556
557 return(0);
558 }
559
560 /*
561 * Generic authorization scope.
562 */
563
564 int
565 kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action)
566 {
567 if (credential == NULL)
568 panic("auth against NULL credential");
569
570 return(kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0));
571
572 }
573
574 static int
575 kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
576 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
577 {
578 switch(action) {
579 case KAUTH_GENERIC_ISSUSER:
580 /* XXX == 0 ? */
581 return((kauth_cred_getuid(credential) == 0) ?
582 KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY);
583 break;
584 }
585
586 /* no explicit result, so defer to others in the chain */
587 return(KAUTH_RESULT_DEFER);
588 }
589
590 /*
591 * ACL evaluator.
592 *
593 * Determines whether the credential has the requested rights for an object secured by the supplied
594 * ACL.
595 *
596 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
597 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
598 */
599 int
600 kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
601 {
602 int applies, error, i;
603 kauth_ace_t ace;
604 guid_t guid;
605 uint32_t rights;
606 int wkguid;
607
608 /* always allowed to do nothing */
609 if (eval->ae_requested == 0) {
610 eval->ae_result = KAUTH_RESULT_ALLOW;
611 return(0);
612 }
613
614 eval->ae_residual = eval->ae_requested;
615
616 /*
617 * Get our guid for comparison purposes.
618 */
619 if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
620 eval->ae_result = KAUTH_RESULT_DENY;
621 KAUTH_DEBUG(" ACL - can't get credential GUID (%d), ACL denied", error);
622 return(error);
623 }
624
625 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
626 for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) {
627
628 /*
629 * Skip inherit-only entries.
630 */
631 if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT)
632 continue;
633
634 /*
635 * Expand generic rights, if appropriate.
636 */
637 rights = ace->ace_rights;
638 if (rights & KAUTH_ACE_GENERIC_ALL)
639 rights |= eval->ae_exp_gall;
640 if (rights & KAUTH_ACE_GENERIC_READ)
641 rights |= eval->ae_exp_gread;
642 if (rights & KAUTH_ACE_GENERIC_WRITE)
643 rights |= eval->ae_exp_gwrite;
644 if (rights & KAUTH_ACE_GENERIC_EXECUTE)
645 rights |= eval->ae_exp_gexec;
646
647 /*
648 * Determine whether this entry applies to the current request. This
649 * saves us checking the GUID if the entry has nothing to do with what
650 * we're currently doing.
651 */
652 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
653 case KAUTH_ACE_PERMIT:
654 if (!(eval->ae_residual & rights))
655 continue;
656 break;
657 case KAUTH_ACE_DENY:
658 if (!(eval->ae_requested & rights))
659 continue;
660 break;
661 default:
662 /* we don't recognise this ACE, skip it */
663 continue;
664 }
665
666 /*
667 * Verify whether this entry applies to the credential.
668 */
669 wkguid = kauth_wellknown_guid(&ace->ace_applicable);
670 switch(wkguid) {
671 case KAUTH_WKG_OWNER:
672 applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
673 break;
674 case KAUTH_WKG_GROUP:
675 applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
676 break;
677 /* we short-circuit these here rather than wasting time calling the group membership code */
678 case KAUTH_WKG_EVERYBODY:
679 applies = 1;
680 break;
681 case KAUTH_WKG_NOBODY:
682 applies = 0;
683 break;
684
685 default:
686 /* check to see whether it's exactly us, or a group we are a member of */
687 applies = kauth_guid_equal(&guid, &ace->ace_applicable);
688 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
689 K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
690
691 if (!applies) {
692 error = kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
693 /*
694 * If we can't resolve group membership, we have to limit misbehaviour.
695 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
696 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
697 * is a member (avoid failing to deny).
698 */
699 if (error != 0) {
700 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i);
701 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
702 case KAUTH_ACE_PERMIT:
703 applies = 0;
704 break;
705 case KAUTH_ACE_DENY:
706 applies = 1;
707 break;
708 }
709 } else {
710 KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not");
711 }
712 } else {
713 KAUTH_DEBUG(" ACL - entry matches caller");
714 }
715 }
716 if (!applies)
717 continue;
718
719 /*
720 * Apply ACE to outstanding rights.
721 */
722 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
723 case KAUTH_ACE_PERMIT:
724 /* satisfy any rights that this ACE grants */
725 eval->ae_residual = eval->ae_residual & ~rights;
726 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual);
727 /* all rights satisfied? */
728 if (eval->ae_residual == 0) {
729 eval->ae_result = KAUTH_RESULT_ALLOW;
730 return(0);
731 }
732 break;
733 case KAUTH_ACE_DENY:
734 /* deny the request if any of the requested rights is denied */
735 if (eval->ae_requested & rights) {
736 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights);
737 eval->ae_result = KAUTH_RESULT_DENY;
738 return(0);
739 }
740 break;
741 default:
742 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK);
743 break;
744 }
745 }
746 /* if not permitted, defer to other modes of authorisation */
747 eval->ae_result = KAUTH_RESULT_DEFER;
748 return(0);
749 }
750
751 /*
752 * Perform ACL inheritance and umask-ACL handling.
753 *
754 * Entries are inherited from the ACL on dvp. A caller-supplied
755 * ACL is in initial, and the result is output into product.
756 * If the process has a umask ACL and one is not supplied, we use
757 * the umask ACL.
758 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
759 */
760 int
761 kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx)
762 {
763 int entries, error, index;
764 unsigned int i;
765 struct vnode_attr dva;
766 kauth_acl_t inherit, result;
767
768 /*
769 * Fetch the ACL from the directory. This should never fail. Note that we don't
770 * manage inheritance when the remote server is doing authorization; we just
771 * want to compose the umask-ACL and any initial ACL.
772 */
773 inherit = NULL;
774 if ((dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
775 VATTR_INIT(&dva);
776 VATTR_WANTED(&dva, va_acl);
777 if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
778 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
779 return(error);
780 }
781 if (VATTR_IS_SUPPORTED(&dva, va_acl))
782 inherit = dva.va_acl;
783 }
784
785 /*
786 * Compute the number of entries in the result ACL by scanning the input lists.
787 */
788 entries = 0;
789 if (inherit != NULL) {
790 for (i = 0; i < inherit->acl_entrycount; i++) {
791 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT))
792 entries++;
793 }
794 }
795
796 if (initial == NULL) {
797 /* XXX 3634665 TODO: fetch umask ACL from the process, set in initial */
798 }
799
800 if (initial != NULL) {
801 entries += initial->acl_entrycount;
802 }
803
804 /*
805 * If there is no initial ACL, and no inheritable entries, the
806 * object should have no ACL at all.
807 * Note that this differs from the case where the initial ACL
808 * is empty, in which case the object must also have an empty ACL.
809 */
810 if ((entries == 0) && (initial == NULL)) {
811 *product = NULL;
812 error = 0;
813 goto out;
814 }
815
816 /*
817 * Allocate the result buffer.
818 */
819 if ((result = kauth_acl_alloc(entries)) == NULL) {
820 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL");
821 error = ENOMEM;
822 goto out;
823 }
824
825 /*
826 * Composition is simply:
827 * - initial
828 * - inherited
829 */
830 index = 0;
831 if (initial != NULL) {
832 for (i = 0; i < initial->acl_entrycount; i++)
833 result->acl_ace[index++] = initial->acl_ace[i];
834 KAUTH_DEBUG(" INHERIT - applied %d initial entries", index);
835 }
836 if (inherit != NULL) {
837 for (i = 0; i < inherit->acl_entrycount; i++) {
838 /* inherit onto this object? */
839 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
840 result->acl_ace[index] = inherit->acl_ace[i];
841 result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
842 /* don't re-inherit? */
843 if (result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT)
844 result->acl_ace[index].ace_flags &=
845 ~(KAUTH_ACE_DIRECTORY_INHERIT | KAUTH_ACE_FILE_INHERIT | KAUTH_ACE_LIMIT_INHERIT);
846 index++;
847 }
848 }
849 }
850 result->acl_entrycount = index;
851 *product = result;
852 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index);
853 error = 0;
854 out:
855 if (inherit != NULL)
856 kauth_acl_free(inherit);
857 return(error);
858 }
859
860 /*
861 * Optimistically copy in a kauth_filesec structure
862 * Parameters: xsecurity user space kauth_filesec_t
863 * xsecdstpp pointer to kauth_filesec_t
864 *
865 * Returns: 0 on success, EINVAL or EFAULT depending on failure mode.
866 * Modifies: xsecdestpp, which contains a pointer to an allocated
867 * and copied-in kauth_filesec_t
868 */
869
870 int
871 kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
872 {
873 user_addr_t uaddr, known_bound;
874 int error;
875 kauth_filesec_t fsec;
876 u_int32_t count;
877 size_t copysize;
878
879 error = 0;
880 fsec = NULL;
881
882 /*
883 * Make a guess at the size of the filesec. We start with the base
884 * pointer, and look at how much room is left on the page, clipped
885 * to a sensible upper bound. If it turns out this isn't enough,
886 * we'll size based on the actual ACL contents and come back again.
887 *
888 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
889 * value here is fairly arbitrary. It's ok to have a zero count.
890 */
891 known_bound = xsecurity + sizeof(struct kauth_filesec);
892 uaddr = mach_vm_round_page(known_bound);
893 count = (uaddr - known_bound) / sizeof(struct kauth_ace);
894 if (count > 32)
895 count = 32;
896 restart:
897 if ((fsec = kauth_filesec_alloc(count)) == NULL) {
898 error = ENOMEM;
899 goto out;
900 }
901 copysize = KAUTH_FILESEC_SIZE(count);
902 if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0)
903 goto out;
904
905 /* validate the filesec header */
906 if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) {
907 error = EINVAL;
908 goto out;
909 }
910
911 /*
912 * Is there an ACL payload, and is it too big?
913 */
914 if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
915 (fsec->fsec_entrycount > count)) {
916 if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
917 error = EINVAL;
918 goto out;
919 }
920 count = fsec->fsec_entrycount;
921 kauth_filesec_free(fsec);
922 goto restart;
923 }
924
925 out:
926 if (error) {
927 if (fsec)
928 kauth_filesec_free(fsec);
929 } else {
930 *xsecdestpp = fsec;
931 }
932 return(error);
933 }
934
935 /*
936 * Allocate a filesec structure.
937 */
938 kauth_filesec_t
939 kauth_filesec_alloc(int count)
940 {
941 kauth_filesec_t fsp;
942
943 /* if the caller hasn't given us a valid size hint, assume the worst */
944 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
945 return(NULL);
946
947 MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK);
948 if (fsp != NULL) {
949 fsp->fsec_magic = KAUTH_FILESEC_MAGIC;
950 fsp->fsec_owner = kauth_null_guid;
951 fsp->fsec_group = kauth_null_guid;
952 fsp->fsec_entrycount = KAUTH_FILESEC_NOACL;
953 fsp->fsec_flags = 0;
954 }
955 return(fsp);
956 }
957
958 void
959 kauth_filesec_free(kauth_filesec_t fsp)
960 {
961 #ifdef KAUTH_DEBUG_ENABLE
962 if (fsp == KAUTH_FILESEC_NONE)
963 panic("freeing KAUTH_FILESEC_NONE");
964 if (fsp == KAUTH_FILESEC_WANTED)
965 panic("freeing KAUTH_FILESEC_WANTED");
966 #endif
967 FREE(fsp, M_KAUTH);
968 }
969
970
971 /*
972 * Allocate an ACL buffer.
973 */
974 kauth_acl_t
975 kauth_acl_alloc(int count)
976 {
977 kauth_acl_t aclp;
978
979 /* if the caller hasn't given us a valid size hint, assume the worst */
980 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
981 return(NULL);
982
983 MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK);
984 if (aclp != NULL) {
985 aclp->acl_entrycount = 0;
986 aclp->acl_flags = 0;
987 }
988 return(aclp);
989 }
990
991 void
992 kauth_acl_free(kauth_acl_t aclp)
993 {
994 FREE(aclp, M_KAUTH);
995 }
996
997
998 /*
999 * WARNING - caller must hold KAUTH_SCOPELOCK
1000 */
1001 static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp)
1002 {
1003 int i;
1004
1005 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
1006 if (sp->ks_listeners[i].kll_listenerp == NULL) {
1007 sp->ks_listeners[i].kll_callback = klp->kl_callback;
1008 sp->ks_listeners[i].kll_idata = klp->kl_idata;
1009 sp->ks_listeners[i].kll_listenerp = klp;
1010 sp->ks_flags |= KS_F_HAS_LISTENERS;
1011 return(0);
1012 }
1013 }
1014 return(ENOSPC);
1015 }
mirror of XNU