]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_credential.c
xnu-4903.231.4.tar.gz
[apple/xnu.git] / bsd / kern / kern_credential.c
1 /*
2 * Copyright (c) 2004-2011 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
30 * support for mandatory and extensible security protections. This notice
31 * is included in support of clause 2.2 (b) of the Apple Public License,
32 * Version 2.0.
33 */
34
35 /*
36 * Kernel Authorization framework: Management of process/thread credentials
37 * and identity information.
38 */
39
40 #include <sys/param.h> /* XXX trim includes */
41 #include <sys/acct.h>
42 #include <sys/systm.h>
43 #include <sys/ucred.h>
44 #include <sys/proc_internal.h>
45 #include <sys/user.h>
46 #include <sys/timeb.h>
47 #include <sys/times.h>
48 #include <sys/malloc.h>
49 #include <sys/kauth.h>
50 #include <sys/kernel.h>
51 #include <sys/sdt.h>
52
53 #include <security/audit/audit.h>
54
55 #include <sys/mount.h>
56 #include <sys/stat.h> /* For manifest constants in posix_cred_access */
57 #include <sys/sysproto.h>
58 #include <mach/message.h>
59 #include <mach/host_security.h>
60
61 #include <libkern/OSAtomic.h>
62
63 #include <kern/task.h>
64 #include <kern/locks.h>
65 #ifdef MACH_ASSERT
66 # undef MACH_ASSERT
67 #endif
68 #define MACH_ASSERT 1 /* XXX so bogus */
69 #include <kern/assert.h>
70
71 #if CONFIG_MACF
72 #include <security/mac.h>
73 #include <security/mac_framework.h>
74 #include <security/_label.h>
75 #endif
76
77 #include <IOKit/IOBSD.h>
78
79 void mach_kauth_cred_uthread_update( void );
80
81 #define CRED_DIAGNOSTIC 0
82
83 # define NULLCRED_CHECK(_c) do {if (!IS_VALID_CRED(_c)) panic("%s: bad credential %p", __FUNCTION__,_c);} while(0)
84
85 /* Set to 1 to turn on KAUTH_DEBUG for kern_credential.c */
86 #if 0
87 #ifdef KAUTH_DEBUG
88 #undef KAUTH_DEBUG
89 #endif
90
91 #ifdef K_UUID_FMT
92 #undef K_UUID_FMT
93 #endif
94
95 #ifdef K_UUID_ARG
96 #undef K_UUID_ARG
97 #endif
98
99 # define K_UUID_FMT "%08x:%08x:%08x:%08x"
100 # define K_UUID_ARG(_u) *(int *)&_u.g_guid[0],*(int *)&_u.g_guid[4],*(int *)&_u.g_guid[8],*(int *)&_u.g_guid[12]
101 # define KAUTH_DEBUG(fmt, args...) do { printf("%s:%d: " fmt "\n", __PRETTY_FUNCTION__, __LINE__ , ##args); } while (0)
102 #endif
103
104 /*
105 * Credential debugging; we can track entry into a function that might
106 * change a credential, and we can track actual credential changes that
107 * result.
108 *
109 * Note: Does *NOT* currently include per-thread credential changes
110 */
111
112 #if DEBUG_CRED
113 #define DEBUG_CRED_ENTER printf
114 #define DEBUG_CRED_CHANGE printf
115 extern void kauth_cred_print(kauth_cred_t cred);
116
117 #include <libkern/OSDebug.h> /* needed for get_backtrace( ) */
118
119 int is_target_cred( kauth_cred_t the_cred );
120 void get_backtrace( void );
121
122 static int sysctl_dump_creds( __unused struct sysctl_oid *oidp, __unused void *arg1,
123 __unused int arg2, struct sysctl_req *req );
124 static int
125 sysctl_dump_cred_backtraces( __unused struct sysctl_oid *oidp, __unused void *arg1,
126 __unused int arg2, struct sysctl_req *req );
127
128 #define MAX_STACK_DEPTH 8
129 struct cred_backtrace {
130 int depth;
131 void * stack[ MAX_STACK_DEPTH ];
132 };
133 typedef struct cred_backtrace cred_backtrace;
134
135 #define MAX_CRED_BUFFER_SLOTS 200
136 struct cred_debug_buffer {
137 int next_slot;
138 cred_backtrace stack_buffer[ MAX_CRED_BUFFER_SLOTS ];
139 };
140 typedef struct cred_debug_buffer cred_debug_buffer;
141 cred_debug_buffer * cred_debug_buf_p = NULL;
142
143 #else /* !DEBUG_CRED */
144
145 #define DEBUG_CRED_ENTER(fmt, ...) do {} while (0)
146 #define DEBUG_CRED_CHANGE(fmt, ...) do {} while (0)
147
148 #endif /* !DEBUG_CRED */
149
150 #if CONFIG_EXT_RESOLVER
151 /*
152 * Interface to external identity resolver.
153 *
154 * The architecture of the interface is simple; the external resolver calls
155 * in to get work, then calls back with completed work. It also calls us
156 * to let us know that it's (re)started, so that we can resubmit work if it
157 * times out.
158 */
159
160 static lck_mtx_t *kauth_resolver_mtx;
161 #define KAUTH_RESOLVER_LOCK() lck_mtx_lock(kauth_resolver_mtx);
162 #define KAUTH_RESOLVER_UNLOCK() lck_mtx_unlock(kauth_resolver_mtx);
163
164 static volatile pid_t kauth_resolver_identity;
165 static int kauth_identitysvc_has_registered;
166 static int kauth_resolver_registered;
167 static uint32_t kauth_resolver_sequence;
168 static int kauth_resolver_timeout = 30; /* default: 30 seconds */
169
170 struct kauth_resolver_work {
171 TAILQ_ENTRY(kauth_resolver_work) kr_link;
172 struct kauth_identity_extlookup kr_work;
173 uint64_t kr_extend;
174 uint32_t kr_seqno;
175 int kr_refs;
176 int kr_flags;
177 #define KAUTH_REQUEST_UNSUBMITTED (1<<0)
178 #define KAUTH_REQUEST_SUBMITTED (1<<1)
179 #define KAUTH_REQUEST_DONE (1<<2)
180 int kr_result;
181 };
182
183 TAILQ_HEAD(kauth_resolver_unsubmitted_head, kauth_resolver_work) kauth_resolver_unsubmitted;
184 TAILQ_HEAD(kauth_resolver_submitted_head, kauth_resolver_work) kauth_resolver_submitted;
185 TAILQ_HEAD(kauth_resolver_done_head, kauth_resolver_work) kauth_resolver_done;
186
187 /* Number of resolver timeouts between logged complaints */
188 #define KAUTH_COMPLAINT_INTERVAL 1000
189 int kauth_resolver_timeout_cnt = 0;
190
191 #if DEVELOPMENT || DEBUG
192 /* Internal builds get different (less ambiguous) breadcrumbs. */
193 #define KAUTH_RESOLVER_FAILED_ERRCODE EOWNERDEAD
194 #else
195 /* But non-Internal builds get errors that are allowed by standards. */
196 #define KAUTH_RESOLVER_FAILED_ERRCODE EIO
197 #endif /* DEVELOPMENT || DEBUG */
198
199 int kauth_resolver_failed_cnt = 0;
200 #define RESOLVER_FAILED_MESSAGE(fmt, args...) \
201 do { \
202 if (!(kauth_resolver_failed_cnt++ % 100)) { \
203 printf("%s: " fmt "\n", __PRETTY_FUNCTION__, ##args); \
204 } \
205 } while (0)
206
207 static int kauth_resolver_submit(struct kauth_identity_extlookup *lkp, uint64_t extend_data);
208 static int kauth_resolver_complete(user_addr_t message);
209 static int kauth_resolver_getwork(user_addr_t message);
210 static int kauth_resolver_getwork2(user_addr_t message);
211 static __attribute__((noinline)) int __KERNEL_IS_WAITING_ON_EXTERNAL_CREDENTIAL_RESOLVER__(
212 struct kauth_resolver_work *);
213
214 #define KAUTH_CACHES_MAX_SIZE 10000 /* Max # entries for both groups and id caches */
215
216 struct kauth_identity {
217 TAILQ_ENTRY(kauth_identity) ki_link;
218 int ki_valid;
219 uid_t ki_uid;
220 gid_t ki_gid;
221 int ki_supgrpcnt;
222 gid_t ki_supgrps[NGROUPS];
223 guid_t ki_guid;
224 ntsid_t ki_ntsid;
225 const char *ki_name; /* string name from string cache */
226 /*
227 * Expiry times are the earliest time at which we will disregard the
228 * cached state and go to userland. Before then if the valid bit is
229 * set, we will return the cached value. If it's not set, we will
230 * not go to userland to resolve, just assume that there is no answer
231 * available.
232 */
233 time_t ki_groups_expiry;
234 time_t ki_guid_expiry;
235 time_t ki_ntsid_expiry;
236 };
237
238 static TAILQ_HEAD(kauth_identity_head, kauth_identity) kauth_identities;
239 static lck_mtx_t *kauth_identity_mtx;
240 #define KAUTH_IDENTITY_LOCK() lck_mtx_lock(kauth_identity_mtx);
241 #define KAUTH_IDENTITY_UNLOCK() lck_mtx_unlock(kauth_identity_mtx);
242 #define KAUTH_IDENTITY_CACHEMAX_DEFAULT 100 /* XXX default sizing? */
243 static int kauth_identity_cachemax = KAUTH_IDENTITY_CACHEMAX_DEFAULT;
244 static int kauth_identity_count;
245
246 static struct kauth_identity *kauth_identity_alloc(uid_t uid, gid_t gid, guid_t *guidp, time_t guid_expiry,
247 ntsid_t *ntsidp, time_t ntsid_expiry, int supgrpcnt, gid_t *supgrps, time_t groups_expiry,
248 const char *name, int nametype);
249 static void kauth_identity_register_and_free(struct kauth_identity *kip);
250 static void kauth_identity_updatecache(struct kauth_identity_extlookup *elp, struct kauth_identity *kip, uint64_t extend_data);
251 static void kauth_identity_trimcache(int newsize);
252 static void kauth_identity_lru(struct kauth_identity *kip);
253 static int kauth_identity_guid_expired(struct kauth_identity *kip);
254 static int kauth_identity_ntsid_expired(struct kauth_identity *kip);
255 static int kauth_identity_find_uid(uid_t uid, struct kauth_identity *kir, char *getname);
256 static int kauth_identity_find_gid(gid_t gid, struct kauth_identity *kir, char *getname);
257 static int kauth_identity_find_guid(guid_t *guidp, struct kauth_identity *kir, char *getname);
258 static int kauth_identity_find_ntsid(ntsid_t *ntsid, struct kauth_identity *kir, char *getname);
259 static int kauth_identity_find_nam(char *name, int valid, struct kauth_identity *kir);
260
261 struct kauth_group_membership {
262 TAILQ_ENTRY(kauth_group_membership) gm_link;
263 uid_t gm_uid; /* the identity whose membership we're recording */
264 gid_t gm_gid; /* group of which they are a member */
265 time_t gm_expiry; /* TTL for the membership, or 0 for persistent entries */
266 int gm_flags;
267 #define KAUTH_GROUP_ISMEMBER (1<<0)
268 };
269
270 TAILQ_HEAD(kauth_groups_head, kauth_group_membership) kauth_groups;
271 static lck_mtx_t *kauth_groups_mtx;
272 #define KAUTH_GROUPS_LOCK() lck_mtx_lock(kauth_groups_mtx);
273 #define KAUTH_GROUPS_UNLOCK() lck_mtx_unlock(kauth_groups_mtx);
274 #define KAUTH_GROUPS_CACHEMAX_DEFAULT 100 /* XXX default sizing? */
275 static int kauth_groups_cachemax = KAUTH_GROUPS_CACHEMAX_DEFAULT;
276 static int kauth_groups_count;
277
278 static int kauth_groups_expired(struct kauth_group_membership *gm);
279 static void kauth_groups_lru(struct kauth_group_membership *gm);
280 static void kauth_groups_updatecache(struct kauth_identity_extlookup *el);
281 static void kauth_groups_trimcache(int newsize);
282
283 #endif /* CONFIG_EXT_RESOLVER */
284
285 #define KAUTH_CRED_TABLE_SIZE 97
286
287 TAILQ_HEAD(kauth_cred_entry_head, ucred);
288 static struct kauth_cred_entry_head * kauth_cred_table_anchor = NULL;
289
290 #define KAUTH_CRED_HASH_DEBUG 0
291
292 static int kauth_cred_add(kauth_cred_t new_cred);
293 static boolean_t kauth_cred_remove(kauth_cred_t cred);
294 static inline u_long kauth_cred_hash(const uint8_t *datap, int data_len, u_long start_key);
295 static u_long kauth_cred_get_hashkey(kauth_cred_t cred);
296 static kauth_cred_t kauth_cred_update(kauth_cred_t old_cred, kauth_cred_t new_cred, boolean_t retain_auditinfo);
297 static boolean_t kauth_cred_unref_hashlocked(kauth_cred_t *credp);
298
299 #if KAUTH_CRED_HASH_DEBUG
300 static int kauth_cred_count = 0;
301 static void kauth_cred_hash_print(void);
302 static void kauth_cred_print(kauth_cred_t cred);
303 #endif
304
305 #if CONFIG_EXT_RESOLVER
306
307 /*
308 * __KERNEL_IS_WAITING_ON_EXTERNAL_CREDENTIAL_RESOLVER__
309 *
310 * Description: Waits for the user space daemon to respond to the request
311 * we made. Function declared non inline to be visible in
312 * stackshots and spindumps as well as debugging.
313 *
314 * Parameters: workp Work queue entry.
315 *
316 * Returns: 0 on Success.
317 * EIO if Resolver is dead.
318 * EINTR thread interrupted in msleep
319 * EWOULDBLOCK thread timed out in msleep
320 * ERESTART returned by msleep.
321 *
322 */
323 static __attribute__((noinline)) int
324 __KERNEL_IS_WAITING_ON_EXTERNAL_CREDENTIAL_RESOLVER__(
325 struct kauth_resolver_work *workp)
326 {
327 int error = 0;
328 struct timespec ts;
329 for (;;) {
330 /* we could compute a better timeout here */
331 ts.tv_sec = kauth_resolver_timeout;
332 ts.tv_nsec = 0;
333 error = msleep(workp, kauth_resolver_mtx, PCATCH, "kr_submit", &ts);
334 /* request has been completed? */
335 if ((error == 0) && (workp->kr_flags & KAUTH_REQUEST_DONE))
336 break;
337 /* woken because the resolver has died? */
338 if (kauth_resolver_identity == 0) {
339 RESOLVER_FAILED_MESSAGE("kauth external resolver died while while waiting for work to complete");
340 error = KAUTH_RESOLVER_FAILED_ERRCODE;
341 break;
342 }
343 /* an error? */
344 if (error != 0)
345 break;
346 }
347 return error;
348 }
349
350
351 /*
352 * kauth_resolver_init
353 *
354 * Description: Initialize the daemon side of the credential identity resolver
355 *
356 * Parameters: (void)
357 *
358 * Returns: (void)
359 *
360 * Notes: Initialize the credential identity resolver for use; the
361 * credential identity resolver is the KPI used by the user
362 * space credential identity resolver daemon to communicate
363 * with the kernel via the identitysvc() system call..
364 *
365 * This is how membership in more than 16 groups (1 effective
366 * and 15 supplementary) is supported, and also how UID's,
367 * UUID's, and so on, are translated to/from POSIX credential
368 * values.
369 *
370 * The credential identity resolver operates by attempting to
371 * determine identity first from the credential, then from
372 * the kernel credential identity cache, and finally by
373 * enqueueing a request to a user space daemon.
374 *
375 * This function is called from kauth_init() in the file
376 * kern_authorization.c.
377 */
378 void
379 kauth_resolver_init(void)
380 {
381 TAILQ_INIT(&kauth_resolver_unsubmitted);
382 TAILQ_INIT(&kauth_resolver_submitted);
383 TAILQ_INIT(&kauth_resolver_done);
384 kauth_resolver_sequence = 31337;
385 kauth_resolver_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0/*LCK_ATTR_NULL*/);
386 }
387
388
389 /*
390 * kauth_resolver_submit
391 *
392 * Description: Submit an external credential identity resolution request to
393 * the user space daemon.
394 *
395 * Parameters: lkp A pointer to an external
396 * lookup request
397 * extend_data extended data for kr_extend
398 *
399 * Returns: 0 Success
400 * EWOULDBLOCK No resolver registered
401 * EINTR Operation interrupted (e.g. by
402 * a signal)
403 * ENOMEM Could not allocate work item
404 * copyinstr:EFAULT Bad message from user space
405 * workp->kr_result:??? An error from the user space
406 * daemon (includes ENOENT!)
407 *
408 * Implicit returns:
409 * *lkp Modified
410 *
411 * Notes: Allocate a work queue entry, submit the work and wait for
412 * the operation to either complete or time out. Outstanding
413 * operations may also be cancelled.
414 *
415 * Submission is by means of placing the item on a work queue
416 * which is serviced by an external resolver thread calling
417 * into the kernel. The caller then sleeps until timeout,
418 * cancellation, or an external resolver thread calls in with
419 * a result message to kauth_resolver_complete(). All of these
420 * events wake the caller back up.
421 *
422 * This code is called from either kauth_cred_ismember_gid()
423 * for a group membership request, or it is called from
424 * kauth_cred_cache_lookup() when we get a cache miss.
425 */
426 static int
427 kauth_resolver_submit(struct kauth_identity_extlookup *lkp, uint64_t extend_data)
428 {
429 struct kauth_resolver_work *workp, *killp;
430 struct timespec ts;
431 int error, shouldfree;
432
433 /* no point actually blocking if the resolver isn't up yet */
434 if (kauth_resolver_identity == 0) {
435 /*
436 * We've already waited an initial <kauth_resolver_timeout>
437 * seconds with no result.
438 *
439 * Sleep on a stack address so no one wakes us before timeout;
440 * we sleep a half a second in case we are a high priority
441 * process, so that memberd doesn't starve while we are in a
442 * tight loop between user and kernel, eating all the CPU.
443 */
444 error = tsleep(&ts, PZERO | PCATCH, "kr_submit", hz/2);
445 if (kauth_resolver_identity == 0) {
446 /*
447 * if things haven't changed while we were asleep,
448 * tell the caller we couldn't get an authoritative
449 * answer.
450 */
451 return(EWOULDBLOCK);
452 }
453 }
454
455 MALLOC(workp, struct kauth_resolver_work *, sizeof(*workp), M_KAUTH, M_WAITOK);
456 if (workp == NULL)
457 return(ENOMEM);
458
459 workp->kr_work = *lkp;
460 workp->kr_extend = extend_data;
461 workp->kr_refs = 1;
462 workp->kr_flags = KAUTH_REQUEST_UNSUBMITTED;
463 workp->kr_result = 0;
464
465 /*
466 * We insert the request onto the unsubmitted queue, the call in from
467 * the resolver will it to the submitted thread when appropriate.
468 */
469 KAUTH_RESOLVER_LOCK();
470 workp->kr_seqno = workp->kr_work.el_seqno = kauth_resolver_sequence++;
471 workp->kr_work.el_result = KAUTH_EXTLOOKUP_INPROG;
472
473 /*
474 * XXX We *MUST NOT* attempt to coalesce identical work items due to
475 * XXX the inability to ensure order of update of the request item
476 * XXX extended data vs. the wakeup; instead, we let whoever is waiting
477 * XXX for each item repeat the update when they wake up.
478 */
479 TAILQ_INSERT_TAIL(&kauth_resolver_unsubmitted, workp, kr_link);
480
481 /*
482 * Wake up an external resolver thread to deal with the new work; one
483 * may not be available, and if not, then the request will be grabbed
484 * when a resolver thread comes back into the kernel to request new
485 * work.
486 */
487 wakeup_one((caddr_t)&kauth_resolver_unsubmitted);
488 error = __KERNEL_IS_WAITING_ON_EXTERNAL_CREDENTIAL_RESOLVER__(workp);
489
490 /* if the request was processed, copy the result */
491 if (error == 0)
492 *lkp = workp->kr_work;
493
494 if (error == EWOULDBLOCK) {
495 if ((kauth_resolver_timeout_cnt++ % KAUTH_COMPLAINT_INTERVAL) == 0) {
496 printf("kauth external resolver timed out (%d timeout(s) of %d seconds).\n",
497 kauth_resolver_timeout_cnt, kauth_resolver_timeout);
498 }
499
500 if (workp->kr_flags & KAUTH_REQUEST_UNSUBMITTED) {
501 /*
502 * If the request timed out and was never collected, the resolver
503 * is dead and probably not coming back anytime soon. In this
504 * case we revert to no-resolver behaviour, and punt all the other
505 * sleeping requests to clear the backlog.
506 */
507 KAUTH_DEBUG("RESOLVER - request timed out without being collected for processing, resolver dead");
508
509 /*
510 * Make the current resolver non-authoritative, and mark it as
511 * no longer registered to prevent kauth_cred_ismember_gid()
512 * enqueueing more work until a new one is registered. This
513 * mitigates the damage a crashing resolver may inflict.
514 */
515 kauth_resolver_identity = 0;
516 kauth_resolver_registered = 0;
517
518 /* kill all the other requestes that are waiting as well */
519 TAILQ_FOREACH(killp, &kauth_resolver_submitted, kr_link)
520 wakeup(killp);
521 TAILQ_FOREACH(killp, &kauth_resolver_unsubmitted, kr_link)
522 wakeup(killp);
523 /* Cause all waiting-for-work threads to return EIO */
524 wakeup((caddr_t)&kauth_resolver_unsubmitted);
525 }
526 }
527
528 /*
529 * drop our reference on the work item, and note whether we should
530 * free it or not
531 */
532 if (--workp->kr_refs <= 0) {
533 /* work out which list we have to remove it from */
534 if (workp->kr_flags & KAUTH_REQUEST_DONE) {
535 TAILQ_REMOVE(&kauth_resolver_done, workp, kr_link);
536 } else if (workp->kr_flags & KAUTH_REQUEST_SUBMITTED) {
537 TAILQ_REMOVE(&kauth_resolver_submitted, workp, kr_link);
538 } else if (workp->kr_flags & KAUTH_REQUEST_UNSUBMITTED) {
539 TAILQ_REMOVE(&kauth_resolver_unsubmitted, workp, kr_link);
540 } else {
541 KAUTH_DEBUG("RESOLVER - completed request has no valid queue");
542 }
543 shouldfree = 1;
544 } else {
545 /* someone else still has a reference on this request */
546 shouldfree = 0;
547 }
548
549 /* collect request result */
550 if (error == 0) {
551 error = workp->kr_result;
552 }
553 KAUTH_RESOLVER_UNLOCK();
554
555 /*
556 * If we dropped the last reference, free the request.
557 */
558 if (shouldfree) {
559 FREE(workp, M_KAUTH);
560 }
561
562 KAUTH_DEBUG("RESOLVER - returning %d", error);
563 return(error);
564 }
565
566
567 /*
568 * identitysvc
569 *
570 * Description: System call interface for the external identity resolver.
571 *
572 * Parameters: uap->message Message from daemon to kernel
573 *
574 * Returns: 0 Successfully became resolver
575 * EPERM Not the resolver process
576 * kauth_authorize_generic:EPERM Not root user
577 * kauth_resolver_complete:EIO
578 * kauth_resolver_complete:EFAULT
579 * kauth_resolver_getwork:EINTR
580 * kauth_resolver_getwork:EFAULT
581 *
582 * Notes: This system call blocks until there is work enqueued, at
583 * which time the kernel wakes it up, and a message from the
584 * kernel is copied out to the identity resolution daemon, which
585 * proceed to attempt to resolve it. When the resolution has
586 * completed (successfully or not), the daemon called back into
587 * this system call to give the result to the kernel, and wait
588 * for the next request.
589 */
590 int
591 identitysvc(__unused struct proc *p, struct identitysvc_args *uap, __unused int32_t *retval)
592 {
593 int opcode = uap->opcode;
594 user_addr_t message = uap->message;
595 struct kauth_resolver_work *workp;
596 struct kauth_cache_sizes sz_arg = {};
597 int error;
598 pid_t new_id;
599
600 if (!IOTaskHasEntitlement(current_task(), IDENTITYSVC_ENTITLEMENT)) {
601 KAUTH_DEBUG("RESOLVER - pid %d not entitled to call identitysvc", current_proc()->p_pid);
602 return(EPERM);
603 }
604
605 /*
606 * New server registering itself.
607 */
608 if (opcode == KAUTH_EXTLOOKUP_REGISTER) {
609 new_id = current_proc()->p_pid;
610 if ((error = kauth_authorize_generic(kauth_cred_get(), KAUTH_GENERIC_ISSUSER)) != 0) {
611 KAUTH_DEBUG("RESOLVER - pid %d refused permission to become identity resolver", new_id);
612 return(error);
613 }
614 KAUTH_RESOLVER_LOCK();
615 if (kauth_resolver_identity != new_id) {
616 KAUTH_DEBUG("RESOLVER - new resolver %d taking over from old %d", new_id, kauth_resolver_identity);
617 /*
618 * We have a new server, so assume that all the old requests have been lost.
619 */
620 while ((workp = TAILQ_LAST(&kauth_resolver_submitted, kauth_resolver_submitted_head)) != NULL) {
621 TAILQ_REMOVE(&kauth_resolver_submitted, workp, kr_link);
622 workp->kr_flags &= ~KAUTH_REQUEST_SUBMITTED;
623 workp->kr_flags |= KAUTH_REQUEST_UNSUBMITTED;
624 TAILQ_INSERT_HEAD(&kauth_resolver_unsubmitted, workp, kr_link);
625 }
626 /*
627 * Allow user space resolver to override the
628 * external resolution timeout
629 */
630 if (message > 30 && message < 10000) {
631 kauth_resolver_timeout = message;
632 KAUTH_DEBUG("RESOLVER - new resolver changes timeout to %d seconds\n", (int)message);
633 }
634 kauth_resolver_identity = new_id;
635 kauth_resolver_registered = 1;
636 kauth_identitysvc_has_registered = 1;
637 wakeup(&kauth_resolver_unsubmitted);
638 }
639 KAUTH_RESOLVER_UNLOCK();
640 return(0);
641 }
642
643 /*
644 * Beyond this point, we must be the resolver process. We verify this
645 * by confirming the resolver credential and pid.
646 */
647 if ((kauth_cred_getuid(kauth_cred_get()) != 0) || (current_proc()->p_pid != kauth_resolver_identity)) {
648 KAUTH_DEBUG("RESOLVER - call from bogus resolver %d\n", current_proc()->p_pid);
649 return(EPERM);
650 }
651
652 if (opcode == KAUTH_GET_CACHE_SIZES) {
653 KAUTH_IDENTITY_LOCK();
654 sz_arg.kcs_id_size = kauth_identity_cachemax;
655 KAUTH_IDENTITY_UNLOCK();
656
657 KAUTH_GROUPS_LOCK();
658 sz_arg.kcs_group_size = kauth_groups_cachemax;
659 KAUTH_GROUPS_UNLOCK();
660
661 if ((error = copyout(&sz_arg, uap->message, sizeof (sz_arg))) != 0) {
662 return (error);
663 }
664
665 return (0);
666 } else if (opcode == KAUTH_SET_CACHE_SIZES) {
667 if ((error = copyin(uap->message, &sz_arg, sizeof (sz_arg))) != 0) {
668 return (error);
669 }
670
671 if ((sz_arg.kcs_group_size > KAUTH_CACHES_MAX_SIZE) ||
672 (sz_arg.kcs_id_size > KAUTH_CACHES_MAX_SIZE)) {
673 return (EINVAL);
674 }
675
676 KAUTH_IDENTITY_LOCK();
677 kauth_identity_cachemax = sz_arg.kcs_id_size;
678 kauth_identity_trimcache(kauth_identity_cachemax);
679 KAUTH_IDENTITY_UNLOCK();
680
681 KAUTH_GROUPS_LOCK();
682 kauth_groups_cachemax = sz_arg.kcs_group_size;
683 kauth_groups_trimcache(kauth_groups_cachemax);
684 KAUTH_GROUPS_UNLOCK();
685
686 return (0);
687 } else if (opcode == KAUTH_CLEAR_CACHES) {
688 KAUTH_IDENTITY_LOCK();
689 kauth_identity_trimcache(0);
690 KAUTH_IDENTITY_UNLOCK();
691
692 KAUTH_GROUPS_LOCK();
693 kauth_groups_trimcache(0);
694 KAUTH_GROUPS_UNLOCK();
695 } else if (opcode == KAUTH_EXTLOOKUP_DEREGISTER) {
696 /*
697 * Terminate outstanding requests; without an authoritative
698 * resolver, we are now back on our own authority.
699 */
700 struct kauth_resolver_work *killp;
701
702 KAUTH_RESOLVER_LOCK();
703
704 /*
705 * Clear the identity, but also mark it as unregistered so
706 * there is no explicit future expectation of us getting a
707 * new resolver any time soon.
708 */
709 kauth_resolver_identity = 0;
710 kauth_resolver_registered = 0;
711
712 TAILQ_FOREACH(killp, &kauth_resolver_submitted, kr_link)
713 wakeup(killp);
714 TAILQ_FOREACH(killp, &kauth_resolver_unsubmitted, kr_link)
715 wakeup(killp);
716 /* Cause all waiting-for-work threads to return EIO */
717 wakeup((caddr_t)&kauth_resolver_unsubmitted);
718 KAUTH_RESOLVER_UNLOCK();
719 }
720
721 /*
722 * Got a result returning?
723 */
724 if (opcode & KAUTH_EXTLOOKUP_RESULT) {
725 if ((error = kauth_resolver_complete(message)) != 0)
726 return(error);
727 }
728
729 /*
730 * Caller wants to take more work?
731 */
732 if (opcode & KAUTH_EXTLOOKUP_WORKER) {
733 if ((error = kauth_resolver_getwork(message)) != 0)
734 return(error);
735 }
736
737 return(0);
738 }
739
740
741 /*
742 * kauth_resolver_getwork_continue
743 *
744 * Description: Continuation for kauth_resolver_getwork
745 *
746 * Parameters: result Error code or 0 for the sleep
747 * that got us to this function
748 *
749 * Returns: 0 Success
750 * EINTR Interrupted (e.g. by signal)
751 * kauth_resolver_getwork2:EFAULT
752 *
753 * Notes: See kauth_resolver_getwork(0 and kauth_resolver_getwork2() for
754 * more information.
755 */
756 static int
757 kauth_resolver_getwork_continue(int result)
758 {
759 thread_t thread;
760 struct uthread *ut;
761 user_addr_t message;
762
763 if (result) {
764 KAUTH_RESOLVER_UNLOCK();
765 return(result);
766 }
767
768 /*
769 * If we lost a race with another thread/memberd restarting, then we
770 * need to go back to sleep to look for more work. If it was memberd
771 * restarting, then the msleep0() will error out here, as our thread
772 * will already be "dead".
773 */
774 if (TAILQ_FIRST(&kauth_resolver_unsubmitted) == NULL) {
775 int error;
776
777 error = msleep0(&kauth_resolver_unsubmitted, kauth_resolver_mtx, PCATCH, "GRGetWork", 0, kauth_resolver_getwork_continue);
778 /*
779 * If this is a wakeup from another thread in the resolver
780 * deregistering it, error out the request-for-work thread
781 */
782 if (!kauth_resolver_identity) {
783 RESOLVER_FAILED_MESSAGE("external resolver died");
784 error = KAUTH_RESOLVER_FAILED_ERRCODE;
785 }
786 KAUTH_RESOLVER_UNLOCK();
787 return(error);
788 }
789
790 thread = current_thread();
791 ut = get_bsdthread_info(thread);
792 message = ut->uu_save.uus_kauth.message;
793 return(kauth_resolver_getwork2(message));
794 }
795
796
797 /*
798 * kauth_resolver_getwork2
799 *
800 * Decription: Common utility function to copy out a identity resolver work
801 * item from the kernel to user space as part of the user space
802 * identity resolver requesting work.
803 *
804 * Parameters: message message to user space
805 *
806 * Returns: 0 Success
807 * EFAULT Bad user space message address
808 *
809 * Notes: This common function exists to permit the use of continuations
810 * in the identity resolution process. This frees up the stack
811 * while we are waiting for the user space resolver to complete
812 * a request. This is specifically used so that our per thread
813 * cost can be small, and we will therefore be willing to run a
814 * larger number of threads in the user space identity resolver.
815 */
816 static int
817 kauth_resolver_getwork2(user_addr_t message)
818 {
819 struct kauth_resolver_work *workp;
820 int error;
821
822 /*
823 * Note: We depend on the caller protecting us from a NULL work item
824 * queue, since we must have the kauth resolver lock on entry to this
825 * function.
826 */
827 workp = TAILQ_FIRST(&kauth_resolver_unsubmitted);
828
829 /*
830 * Copy out the external lookup structure for the request, not
831 * including the el_extend field, which contains the address of the
832 * external buffer provided by the external resolver into which we
833 * copy the extension request information.
834 */
835 /* BEFORE FIELD */
836 if ((error = copyout(&workp->kr_work, message, offsetof(struct kauth_identity_extlookup, el_extend))) != 0) {
837 KAUTH_DEBUG("RESOLVER - error submitting work to resolve");
838 goto out;
839 }
840 /* AFTER FIELD */
841 if ((error = copyout(&workp->kr_work.el_info_reserved_1,
842 message + offsetof(struct kauth_identity_extlookup, el_info_reserved_1),
843 sizeof(struct kauth_identity_extlookup) - offsetof(struct kauth_identity_extlookup, el_info_reserved_1))) != 0) {
844 KAUTH_DEBUG("RESOLVER - error submitting work to resolve");
845 goto out;
846 }
847
848 /*
849 * Handle extended requests here; if we have a request of a type where
850 * the kernel wants a translation of extended information, then we need
851 * to copy it out into the extended buffer, assuming the buffer is
852 * valid; we only attempt to get the buffer address if we have request
853 * data to copy into it.
854 */
855
856 /*
857 * translate a user@domain string into a uid/gid/whatever
858 */
859 if (workp->kr_work.el_flags & (KAUTH_EXTLOOKUP_VALID_PWNAM | KAUTH_EXTLOOKUP_VALID_GRNAM)) {
860 uint64_t uaddr;
861
862 error = copyin(message + offsetof(struct kauth_identity_extlookup, el_extend), &uaddr, sizeof(uaddr));
863 if (!error) {
864 size_t actual; /* not used */
865 /*
866 * Use copyoutstr() to reduce the copy size; we let
867 * this catch a NULL uaddr because we shouldn't be
868 * asking in that case anyway.
869 */
870 error = copyoutstr(CAST_DOWN(void *,workp->kr_extend), uaddr, MAXPATHLEN, &actual);
871 }
872 if (error) {
873 KAUTH_DEBUG("RESOLVER - error submitting work to resolve");
874 goto out;
875 }
876 }
877 TAILQ_REMOVE(&kauth_resolver_unsubmitted, workp, kr_link);
878 workp->kr_flags &= ~KAUTH_REQUEST_UNSUBMITTED;
879 workp->kr_flags |= KAUTH_REQUEST_SUBMITTED;
880 TAILQ_INSERT_TAIL(&kauth_resolver_submitted, workp, kr_link);
881
882 out:
883 KAUTH_RESOLVER_UNLOCK();
884 return(error);
885 }
886
887
888 /*
889 * kauth_resolver_getwork
890 *
891 * Description: Get a work item from the enqueued requests from the kernel and
892 * give it to the user space daemon.
893 *
894 * Parameters: message message to user space
895 *
896 * Returns: 0 Success
897 * EINTR Interrupted (e.g. by signal)
898 * kauth_resolver_getwork2:EFAULT
899 *
900 * Notes: This function blocks in a continuation if there are no work
901 * items available for processing at the time the user space
902 * identity resolution daemon makes a request for work. This
903 * permits a large number of threads to be used by the daemon,
904 * without using a lot of wired kernel memory when there are no
905 * actual request outstanding.
906 */
907 static int
908 kauth_resolver_getwork(user_addr_t message)
909 {
910 struct kauth_resolver_work *workp;
911 int error;
912
913 KAUTH_RESOLVER_LOCK();
914 error = 0;
915 while ((workp = TAILQ_FIRST(&kauth_resolver_unsubmitted)) == NULL) {
916 thread_t thread = current_thread();
917 struct uthread *ut = get_bsdthread_info(thread);
918
919 ut->uu_save.uus_kauth.message = message;
920 error = msleep0(&kauth_resolver_unsubmitted, kauth_resolver_mtx, PCATCH, "GRGetWork", 0, kauth_resolver_getwork_continue);
921 KAUTH_RESOLVER_UNLOCK();
922 /*
923 * If this is a wakeup from another thread in the resolver
924 * deregistering it, error out the request-for-work thread
925 */
926 if (!kauth_resolver_identity) {
927 printf("external resolver died");
928 error = KAUTH_RESOLVER_FAILED_ERRCODE;
929 }
930 return(error);
931 }
932 return kauth_resolver_getwork2(message);
933 }
934
935
936 /*
937 * kauth_resolver_complete
938 *
939 * Description: Return a result from userspace.
940 *
941 * Parameters: message message from user space
942 *
943 * Returns: 0 Success
944 * EIO The resolver is dead
945 * copyin:EFAULT Bad message from user space
946 */
947 static int
948 kauth_resolver_complete(user_addr_t message)
949 {
950 struct kauth_identity_extlookup extl;
951 struct kauth_resolver_work *workp;
952 struct kauth_resolver_work *killp;
953 int error, result, want_extend_data;
954
955 /*
956 * Copy in the mesage, including the extension field, since we are
957 * copying into a local variable.
958 */
959 if ((error = copyin(message, &extl, sizeof(extl))) != 0) {
960 KAUTH_DEBUG("RESOLVER - error getting completed work\n");
961 return(error);
962 }
963
964 KAUTH_RESOLVER_LOCK();
965
966 error = 0;
967 result = 0;
968 switch (extl.el_result) {
969 case KAUTH_EXTLOOKUP_INPROG:
970 {
971 static int once = 0;
972
973 /* XXX this should go away once memberd is updated */
974 if (!once) {
975 printf("kauth_resolver: memberd is not setting valid result codes (assuming always successful)\n");
976 once = 1;
977 }
978 }
979 /* FALLTHROUGH */
980
981 case KAUTH_EXTLOOKUP_SUCCESS:
982 break;
983
984 case KAUTH_EXTLOOKUP_FATAL:
985 /* fatal error means the resolver is dead */
986 KAUTH_DEBUG("RESOLVER - resolver %d died, waiting for a new one", kauth_resolver_identity);
987 RESOLVER_FAILED_MESSAGE("resolver %d died, waiting for a new one", kauth_resolver_identity);
988 /*
989 * Terminate outstanding requests; without an authoritative
990 * resolver, we are now back on our own authority. Tag the
991 * resolver unregistered to prevent kauth_cred_ismember_gid()
992 * enqueueing more work until a new one is registered. This
993 * mitigates the damage a crashing resolver may inflict.
994 */
995 kauth_resolver_identity = 0;
996 kauth_resolver_registered = 0;
997
998 TAILQ_FOREACH(killp, &kauth_resolver_submitted, kr_link)
999 wakeup(killp);
1000 TAILQ_FOREACH(killp, &kauth_resolver_unsubmitted, kr_link)
1001 wakeup(killp);
1002 /* Cause all waiting-for-work threads to return EIO */
1003 wakeup((caddr_t)&kauth_resolver_unsubmitted);
1004 /* and return EIO to the caller */
1005 error = KAUTH_RESOLVER_FAILED_ERRCODE;
1006 break;
1007
1008 case KAUTH_EXTLOOKUP_BADRQ:
1009 KAUTH_DEBUG("RESOLVER - resolver reported invalid request %d", extl.el_seqno);
1010 result = EINVAL;
1011 break;
1012
1013 case KAUTH_EXTLOOKUP_FAILURE:
1014 KAUTH_DEBUG("RESOLVER - resolver reported transient failure for request %d", extl.el_seqno);
1015 RESOLVER_FAILED_MESSAGE("resolver reported transient failure for request %d", extl.el_seqno);
1016 result = KAUTH_RESOLVER_FAILED_ERRCODE;
1017 break;
1018
1019 default:
1020 KAUTH_DEBUG("RESOLVER - resolver returned unexpected status %d", extl.el_result);
1021 RESOLVER_FAILED_MESSAGE("resolver returned unexpected status %d", extl.el_result);
1022 result = KAUTH_RESOLVER_FAILED_ERRCODE;
1023 break;
1024 }
1025
1026 /*
1027 * In the case of a fatal error, we assume that the resolver will
1028 * restart quickly and re-collect all of the outstanding requests.
1029 * Thus, we don't complete the request which returned the fatal
1030 * error status.
1031 */
1032 if (extl.el_result != KAUTH_EXTLOOKUP_FATAL) {
1033 /* scan our list for this request */
1034 TAILQ_FOREACH(workp, &kauth_resolver_submitted, kr_link) {
1035 /* found it? */
1036 if (workp->kr_seqno == extl.el_seqno) {
1037 /*
1038 * Do we want extend_data?
1039 */
1040 want_extend_data = (workp->kr_work.el_flags & (KAUTH_EXTLOOKUP_WANT_PWNAM|KAUTH_EXTLOOKUP_WANT_GRNAM));
1041
1042 /*
1043 * Get the request of the submitted queue so
1044 * that it is not cleaned up out from under
1045 * us by a timeout.
1046 */
1047 TAILQ_REMOVE(&kauth_resolver_submitted, workp, kr_link);
1048 workp->kr_flags &= ~KAUTH_REQUEST_SUBMITTED;
1049 workp->kr_flags |= KAUTH_REQUEST_DONE;
1050 workp->kr_result = result;
1051
1052 /* Copy the result message to the work item. */
1053 memcpy(&workp->kr_work, &extl, sizeof(struct kauth_identity_extlookup));
1054
1055 /*
1056 * Check if we have a result in the extension
1057 * field; if we do, then we need to separately
1058 * copy the data from the message el_extend
1059 * into the request buffer that's in the work
1060 * item. We have to do it here because we do
1061 * not want to wake up the waiter until the
1062 * data is in their buffer, and because the
1063 * actual request response may be destroyed
1064 * by the time the requester wakes up, and they
1065 * do not have access to the user space buffer
1066 * address.
1067 *
1068 * It is safe to drop and reacquire the lock
1069 * here because we've already removed the item
1070 * from the submission queue, but have not yet
1071 * moved it to the completion queue. Note that
1072 * near simultaneous requests may result in
1073 * duplication of requests for items in this
1074 * window. This should not be a performance
1075 * issue and is easily detectable by comparing
1076 * time to live on last response vs. time of
1077 * next request in the resolver logs.
1078 *
1079 * A malicious/faulty resolver could overwrite
1080 * part of a user's address space if they return
1081 * flags that mismatch the original request's flags.
1082 */
1083 if (want_extend_data && (extl.el_flags & (KAUTH_EXTLOOKUP_VALID_PWNAM|KAUTH_EXTLOOKUP_VALID_GRNAM))) {
1084 size_t actual; /* notused */
1085
1086 KAUTH_RESOLVER_UNLOCK();
1087 error = copyinstr(extl.el_extend, CAST_DOWN(void *, workp->kr_extend), MAXPATHLEN, &actual);
1088 KAUTH_DEBUG("RESOLVER - resolver got name :%*s: len = %d\n", (int)actual,
1089 actual ? "null" : (char *)extl.el_extend, actual);
1090 KAUTH_RESOLVER_LOCK();
1091 } else if (extl.el_flags & (KAUTH_EXTLOOKUP_VALID_PWNAM|KAUTH_EXTLOOKUP_VALID_GRNAM)) {
1092 error = EFAULT;
1093 KAUTH_DEBUG("RESOLVER - resolver returned mismatching extension flags (%d), request contained (%d)",
1094 extl.el_flags, request_flags);
1095 }
1096
1097 /*
1098 * Move the completed work item to the
1099 * completion queue and wake up requester(s)
1100 */
1101 TAILQ_INSERT_TAIL(&kauth_resolver_done, workp, kr_link);
1102 wakeup(workp);
1103 break;
1104 }
1105 }
1106 }
1107 /*
1108 * Note that it's OK for us not to find anything; if the request has
1109 * timed out the work record will be gone.
1110 */
1111 KAUTH_RESOLVER_UNLOCK();
1112
1113 return(error);
1114 }
1115 #endif /* CONFIG_EXT_RESOLVER */
1116
1117
1118 /*
1119 * Identity cache.
1120 */
1121
1122 #define KI_VALID_UID (1<<0) /* UID and GID are mutually exclusive */
1123 #define KI_VALID_GID (1<<1)
1124 #define KI_VALID_GUID (1<<2)
1125 #define KI_VALID_NTSID (1<<3)
1126 #define KI_VALID_PWNAM (1<<4) /* Used for translation */
1127 #define KI_VALID_GRNAM (1<<5) /* Used for translation */
1128 #define KI_VALID_GROUPS (1<<6)
1129
1130 #if CONFIG_EXT_RESOLVER
1131 /*
1132 * kauth_identity_init
1133 *
1134 * Description: Initialize the kernel side of the credential identity resolver
1135 *
1136 * Parameters: (void)
1137 *
1138 * Returns: (void)
1139 *
1140 * Notes: Initialize the credential identity resolver for use; the
1141 * credential identity resolver is the KPI used to communicate
1142 * with a user space credential identity resolver daemon.
1143 *
1144 * This function is called from kauth_init() in the file
1145 * kern_authorization.c.
1146 */
1147 void
1148 kauth_identity_init(void)
1149 {
1150 TAILQ_INIT(&kauth_identities);
1151 kauth_identity_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0/*LCK_ATTR_NULL*/);
1152 }
1153
1154
1155 /*
1156 * kauth_identity_alloc
1157 *
1158 * Description: Allocate and fill out a kauth_identity structure for
1159 * translation between {UID|GID}/GUID/NTSID
1160 *
1161 * Parameters: uid
1162 *
1163 * Returns: NULL Insufficient memory to satisfy
1164 * the request or bad parameters
1165 * !NULL A pointer to the allocated
1166 * structure, filled in
1167 *
1168 * Notes: It is illegal to translate between UID and GID; any given UUID
1169 * or NTSID can only refer to an NTSID or UUID (respectively),
1170 * and *either* a UID *or* a GID, but not both.
1171 */
1172 static struct kauth_identity *
1173 kauth_identity_alloc(uid_t uid, gid_t gid, guid_t *guidp, time_t guid_expiry,
1174 ntsid_t *ntsidp, time_t ntsid_expiry, int supgrpcnt, gid_t *supgrps, time_t groups_expiry,
1175 const char *name, int nametype)
1176 {
1177 struct kauth_identity *kip;
1178
1179 /* get and fill in a new identity */
1180 MALLOC(kip, struct kauth_identity *, sizeof(*kip), M_KAUTH, M_WAITOK | M_ZERO);
1181 if (kip != NULL) {
1182 if (gid != KAUTH_GID_NONE) {
1183 kip->ki_gid = gid;
1184 kip->ki_valid = KI_VALID_GID;
1185 }
1186 if (uid != KAUTH_UID_NONE) {
1187 if (kip->ki_valid & KI_VALID_GID)
1188 panic("can't allocate kauth identity with both uid and gid");
1189 kip->ki_uid = uid;
1190 kip->ki_valid = KI_VALID_UID;
1191 }
1192 if (supgrpcnt) {
1193 /*
1194 * A malicious/faulty resolver could return bad values
1195 */
1196 assert(supgrpcnt >= 0);
1197 assert(supgrpcnt <= NGROUPS);
1198 assert(supgrps != NULL);
1199
1200 if ((supgrpcnt < 0) || (supgrpcnt > NGROUPS) || (supgrps == NULL)) {
1201 return NULL;
1202 }
1203 if (kip->ki_valid & KI_VALID_GID)
1204 panic("can't allocate kauth identity with both gid and supplementary groups");
1205 kip->ki_supgrpcnt = supgrpcnt;
1206 memcpy(kip->ki_supgrps, supgrps, sizeof(supgrps[0]) * supgrpcnt);
1207 kip->ki_valid |= KI_VALID_GROUPS;
1208 }
1209 kip->ki_groups_expiry = groups_expiry;
1210 if (guidp != NULL) {
1211 kip->ki_guid = *guidp;
1212 kip->ki_valid |= KI_VALID_GUID;
1213 }
1214 kip->ki_guid_expiry = guid_expiry;
1215 if (ntsidp != NULL) {
1216 kip->ki_ntsid = *ntsidp;
1217 kip->ki_valid |= KI_VALID_NTSID;
1218 }
1219 kip->ki_ntsid_expiry = ntsid_expiry;
1220 if (name != NULL) {
1221 kip->ki_name = name;
1222 kip->ki_valid |= nametype;
1223 }
1224 }
1225 return(kip);
1226 }
1227
1228
1229 /*
1230 * kauth_identity_register_and_free
1231 *
1232 * Description: Register an association between identity tokens. The passed
1233 * 'kip' is consumed by this function.
1234 *
1235 * Parameters: kip Pointer to kauth_identity
1236 * structure to register
1237 *
1238 * Returns: (void)
1239 *
1240 * Notes: The memory pointer to by 'kip' is assumed to have been
1241 * previously allocated via kauth_identity_alloc().
1242 */
1243 static void
1244 kauth_identity_register_and_free(struct kauth_identity *kip)
1245 {
1246 struct kauth_identity *ip;
1247
1248 /*
1249 * We search the cache for the UID listed in the incoming association.
1250 * If we already have an entry, the new information is merged.
1251 */
1252 ip = NULL;
1253 KAUTH_IDENTITY_LOCK();
1254 if (kip->ki_valid & KI_VALID_UID) {
1255 if (kip->ki_valid & KI_VALID_GID)
1256 panic("kauth_identity: can't insert record with both UID and GID as key");
1257 TAILQ_FOREACH(ip, &kauth_identities, ki_link)
1258 if ((ip->ki_valid & KI_VALID_UID) && (ip->ki_uid == kip->ki_uid))
1259 break;
1260 } else if (kip->ki_valid & KI_VALID_GID) {
1261 TAILQ_FOREACH(ip, &kauth_identities, ki_link)
1262 if ((ip->ki_valid & KI_VALID_GID) && (ip->ki_gid == kip->ki_gid))
1263 break;
1264 } else {
1265 panic("kauth_identity: can't insert record without UID or GID as key");
1266 }
1267
1268 if (ip != NULL) {
1269 /* we already have an entry, merge/overwrite */
1270 if (kip->ki_valid & KI_VALID_GUID) {
1271 ip->ki_guid = kip->ki_guid;
1272 ip->ki_valid |= KI_VALID_GUID;
1273 }
1274 ip->ki_guid_expiry = kip->ki_guid_expiry;
1275 if (kip->ki_valid & KI_VALID_NTSID) {
1276 ip->ki_ntsid = kip->ki_ntsid;
1277 ip->ki_valid |= KI_VALID_NTSID;
1278 }
1279 ip->ki_ntsid_expiry = kip->ki_ntsid_expiry;
1280 /* a valid ki_name field overwrites the previous name field */
1281 if (kip->ki_valid & (KI_VALID_PWNAM | KI_VALID_GRNAM)) {
1282 /* if there's an old one, discard it */
1283 const char *oname = NULL;
1284 if (ip->ki_valid & (KI_VALID_PWNAM | KI_VALID_GRNAM))
1285 oname = ip->ki_name;
1286 ip->ki_name = kip->ki_name;
1287 kip->ki_name = oname;
1288 }
1289 /* and discard the incoming entry */
1290 ip = kip;
1291 } else {
1292 /*
1293 * if we don't have any information on this identity, add it;
1294 * if it pushes us over our limit, discard the oldest one.
1295 */
1296 TAILQ_INSERT_HEAD(&kauth_identities, kip, ki_link);
1297 if (++kauth_identity_count > kauth_identity_cachemax) {
1298 ip = TAILQ_LAST(&kauth_identities, kauth_identity_head);
1299 TAILQ_REMOVE(&kauth_identities, ip, ki_link);
1300 kauth_identity_count--;
1301 }
1302 }
1303 KAUTH_IDENTITY_UNLOCK();
1304 /* have to drop lock before freeing expired entry (it may be in use) */
1305 if (ip != NULL) {
1306 /* if the ki_name field is used, clear it first */
1307 if (ip->ki_valid & (KI_VALID_PWNAM | KI_VALID_GRNAM))
1308 vfs_removename(ip->ki_name);
1309 /* free the expired entry */
1310 FREE(ip, M_KAUTH);
1311 }
1312 }
1313
1314
1315 /*
1316 * kauth_identity_updatecache
1317 *
1318 * Description: Given a lookup result, add any associations that we don't
1319 * currently have; replace ones which have changed.
1320 *
1321 * Parameters: elp External lookup result from
1322 * user space daemon to kernel
1323 * rkip pointer to returned kauth
1324 * identity, or NULL
1325 * extend_data Extended data (can vary)
1326 *
1327 * Returns: (void)
1328 *
1329 * Implicit returns:
1330 * *rkip Modified (if non-NULL)
1331 *
1332 * Notes: For extended information requests, this code relies on the fact
1333 * that elp->el_flags is never used as an rvalue, and is only
1334 * ever bit-tested for valid lookup information we are willing
1335 * to cache.
1336 *
1337 * XXX: We may have to do the same in the case that extended data was
1338 * passed out to user space to ensure that the request string
1339 * gets cached; we may also be able to use the rkip as an
1340 * input to avoid this. The jury is still out.
1341 *
1342 * XXX: This codes performance could be improved for multiple valid
1343 * results by combining the loop iteration in a single loop.
1344 */
1345 static void
1346 kauth_identity_updatecache(struct kauth_identity_extlookup *elp, struct kauth_identity *rkip, uint64_t extend_data)
1347 {
1348 struct timeval tv;
1349 struct kauth_identity *kip;
1350 const char *speculative_name = NULL;
1351
1352 microuptime(&tv);
1353
1354 /*
1355 * If there is extended data, and that data represents a name rather
1356 * than something else, speculatively create an entry for it in the
1357 * string cache. We do this to avoid holding the KAUTH_IDENTITY_LOCK
1358 * over the allocation later.
1359 */
1360 if (elp->el_flags & (KAUTH_EXTLOOKUP_VALID_PWNAM | KAUTH_EXTLOOKUP_VALID_GRNAM)) {
1361 const char *tmp = CAST_DOWN(const char *,extend_data);
1362 speculative_name = vfs_addname(tmp, strnlen(tmp, MAXPATHLEN - 1), 0, 0);
1363 }
1364
1365 /* user identity? */
1366 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_UID) {
1367 KAUTH_IDENTITY_LOCK();
1368 TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
1369 /* matching record */
1370 if ((kip->ki_valid & KI_VALID_UID) && (kip->ki_uid == elp->el_uid)) {
1371 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) {
1372 assert(elp->el_sup_grp_cnt <= NGROUPS);
1373 if (elp->el_sup_grp_cnt > NGROUPS) {
1374 KAUTH_DEBUG("CACHE - invalid sup_grp_cnt provided (%d), truncating to %d",
1375 elp->el_sup_grp_cnt, NGROUPS);
1376 elp->el_sup_grp_cnt = NGROUPS;
1377 }
1378 kip->ki_supgrpcnt = elp->el_sup_grp_cnt;
1379 memcpy(kip->ki_supgrps, elp->el_sup_groups, sizeof(elp->el_sup_groups[0]) * kip->ki_supgrpcnt);
1380 kip->ki_valid |= KI_VALID_GROUPS;
1381 kip->ki_groups_expiry = (elp->el_member_valid) ? tv.tv_sec + elp->el_member_valid : 0;
1382 }
1383 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_UGUID) {
1384 kip->ki_guid = elp->el_uguid;
1385 kip->ki_valid |= KI_VALID_GUID;
1386 }
1387 kip->ki_guid_expiry = (elp->el_uguid_valid) ? tv.tv_sec + elp->el_uguid_valid : 0;
1388 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_USID) {
1389 kip->ki_ntsid = elp->el_usid;
1390 kip->ki_valid |= KI_VALID_NTSID;
1391 }
1392 kip->ki_ntsid_expiry = (elp->el_usid_valid) ? tv.tv_sec + elp->el_usid_valid : 0;
1393 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_PWNAM) {
1394 const char *oname = kip->ki_name;
1395 kip->ki_name = speculative_name;
1396 speculative_name = NULL;
1397 kip->ki_valid |= KI_VALID_PWNAM;
1398 if (oname) {
1399 /*
1400 * free oname (if any) outside
1401 * the lock
1402 */
1403 speculative_name = oname;
1404 }
1405 }
1406 kauth_identity_lru(kip);
1407 if (rkip != NULL)
1408 *rkip = *kip;
1409 KAUTH_DEBUG("CACHE - refreshed %d is " K_UUID_FMT, kip->ki_uid, K_UUID_ARG(kip->ki_guid));
1410 break;
1411 }
1412 }
1413 KAUTH_IDENTITY_UNLOCK();
1414 /* not found in cache, add new record */
1415 if (kip == NULL) {
1416 kip = kauth_identity_alloc(elp->el_uid, KAUTH_GID_NONE,
1417 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_UGUID) ? &elp->el_uguid : NULL,
1418 (elp->el_uguid_valid) ? tv.tv_sec + elp->el_uguid_valid : 0,
1419 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_USID) ? &elp->el_usid : NULL,
1420 (elp->el_usid_valid) ? tv.tv_sec + elp->el_usid_valid : 0,
1421 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_grp_cnt : 0,
1422 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_groups : NULL,
1423 (elp->el_member_valid) ? tv.tv_sec + elp->el_member_valid : 0,
1424 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_PWNAM) ? speculative_name : NULL,
1425 KI_VALID_PWNAM);
1426 if (kip != NULL) {
1427 if (rkip != NULL)
1428 *rkip = *kip;
1429 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_PWNAM)
1430 speculative_name = NULL;
1431 KAUTH_DEBUG("CACHE - learned %d is " K_UUID_FMT, kip->ki_uid, K_UUID_ARG(kip->ki_guid));
1432 kauth_identity_register_and_free(kip);
1433 }
1434 }
1435 }
1436
1437 /* group identity? (ignore, if we already processed it as a user) */
1438 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GID && !(elp->el_flags & KAUTH_EXTLOOKUP_VALID_UID)) {
1439 KAUTH_IDENTITY_LOCK();
1440 TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
1441 /* matching record */
1442 if ((kip->ki_valid & KI_VALID_GID) && (kip->ki_gid == elp->el_gid)) {
1443 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GGUID) {
1444 kip->ki_guid = elp->el_gguid;
1445 kip->ki_valid |= KI_VALID_GUID;
1446 }
1447 kip->ki_guid_expiry = (elp->el_gguid_valid) ? tv.tv_sec + elp->el_gguid_valid : 0;
1448 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GSID) {
1449 kip->ki_ntsid = elp->el_gsid;
1450 kip->ki_valid |= KI_VALID_NTSID;
1451 }
1452 kip->ki_ntsid_expiry = (elp->el_gsid_valid) ? tv.tv_sec + elp->el_gsid_valid : 0;
1453 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GRNAM) {
1454 const char *oname = kip->ki_name;
1455 kip->ki_name = speculative_name;
1456 speculative_name = NULL;
1457 kip->ki_valid |= KI_VALID_GRNAM;
1458 if (oname) {
1459 /*
1460 * free oname (if any) outside
1461 * the lock
1462 */
1463 speculative_name = oname;
1464 }
1465 }
1466 kauth_identity_lru(kip);
1467 if (rkip != NULL)
1468 *rkip = *kip;
1469 KAUTH_DEBUG("CACHE - refreshed %d is " K_UUID_FMT, kip->ki_uid, K_UUID_ARG(kip->ki_guid));
1470 break;
1471 }
1472 }
1473 KAUTH_IDENTITY_UNLOCK();
1474 /* not found in cache, add new record */
1475 if (kip == NULL) {
1476 kip = kauth_identity_alloc(KAUTH_UID_NONE, elp->el_gid,
1477 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GGUID) ? &elp->el_gguid : NULL,
1478 (elp->el_gguid_valid) ? tv.tv_sec + elp->el_gguid_valid : 0,
1479 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GSID) ? &elp->el_gsid : NULL,
1480 (elp->el_gsid_valid) ? tv.tv_sec + elp->el_gsid_valid : 0,
1481 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_grp_cnt : 0,
1482 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_groups : NULL,
1483 (elp->el_member_valid) ? tv.tv_sec + elp->el_member_valid : 0,
1484 (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GRNAM) ? speculative_name : NULL,
1485 KI_VALID_GRNAM);
1486 if (kip != NULL) {
1487 if (rkip != NULL)
1488 *rkip = *kip;
1489 if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GRNAM)
1490 speculative_name = NULL;
1491 KAUTH_DEBUG("CACHE - learned %d is " K_UUID_FMT, kip->ki_uid, K_UUID_ARG(kip->ki_guid));
1492 kauth_identity_register_and_free(kip);
1493 }
1494 }
1495 }
1496
1497 /* If we have a name reference to drop, drop it here */
1498 if (speculative_name != NULL) {
1499 vfs_removename(speculative_name);
1500 }
1501 }
1502
1503
1504 /*
1505 * Trim older entries from the identity cache.
1506 *
1507 * Must be called with the identity cache lock held.
1508 */
1509 static void
1510 kauth_identity_trimcache(int newsize) {
1511 struct kauth_identity *kip;
1512
1513 lck_mtx_assert(kauth_identity_mtx, LCK_MTX_ASSERT_OWNED);
1514
1515 while (kauth_identity_count > newsize) {
1516 kip = TAILQ_LAST(&kauth_identities, kauth_identity_head);
1517 TAILQ_REMOVE(&kauth_identities, kip, ki_link);
1518 kauth_identity_count--;
1519 FREE(kip, M_KAUTH);
1520 }
1521 }
1522
1523 /*
1524 * kauth_identity_lru
1525 *
1526 * Description: Promote the entry to the head of the LRU, assumes the cache
1527 * is locked.
1528 *
1529 * Parameters: kip kauth identity to move to the
1530 * head of the LRU list, if it's
1531 * not already there
1532 *
1533 * Returns: (void)
1534 *
1535 * Notes: This is called even if the entry has expired; typically an
1536 * expired entry that's been looked up is about to be revalidated,
1537 * and having it closer to the head of the LRU means finding it
1538 * quickly again when the revalidation comes through.
1539 */
1540 static void
1541 kauth_identity_lru(struct kauth_identity *kip)
1542 {
1543 if (kip != TAILQ_FIRST(&kauth_identities)) {
1544 TAILQ_REMOVE(&kauth_identities, kip, ki_link);
1545 TAILQ_INSERT_HEAD(&kauth_identities, kip, ki_link);
1546 }
1547 }
1548
1549
1550 /*
1551 * kauth_identity_guid_expired
1552 *
1553 * Description: Handle lazy expiration of GUID translations.
1554 *
1555 * Parameters: kip kauth identity to check for
1556 * GUID expiration
1557 *
1558 * Returns: 1 Expired
1559 * 0 Not expired
1560 */
1561 static int
1562 kauth_identity_guid_expired(struct kauth_identity *kip)
1563 {
1564 struct timeval tv;
1565
1566 /*
1567 * Expiration time of 0 means this entry is persistent.
1568 */
1569 if (kip->ki_guid_expiry == 0)
1570 return (0);
1571
1572 microuptime(&tv);
1573 KAUTH_DEBUG("CACHE - GUID expires @ %ld now %ld", kip->ki_guid_expiry, tv.tv_sec);
1574
1575 return((kip->ki_guid_expiry <= tv.tv_sec) ? 1 : 0);
1576 }
1577
1578
1579 /*
1580 * kauth_identity_ntsid_expired
1581 *
1582 * Description: Handle lazy expiration of NTSID translations.
1583 *
1584 * Parameters: kip kauth identity to check for
1585 * NTSID expiration
1586 *
1587 * Returns: 1 Expired
1588 * 0 Not expired
1589 */
1590 static int
1591 kauth_identity_ntsid_expired(struct kauth_identity *kip)
1592 {
1593 struct timeval tv;
1594
1595 /*
1596 * Expiration time of 0 means this entry is persistent.
1597 */
1598 if (kip->ki_ntsid_expiry == 0)
1599 return (0);
1600
1601 microuptime(&tv);
1602 KAUTH_DEBUG("CACHE - NTSID expires @ %ld now %ld", kip->ki_ntsid_expiry, tv.tv_sec);
1603
1604 return((kip->ki_ntsid_expiry <= tv.tv_sec) ? 1 : 0);
1605 }
1606
1607 /*
1608 * kauth_identity_groups_expired
1609 *
1610 * Description: Handle lazy expiration of supplemental group translations.
1611 *
1612 * Parameters: kip kauth identity to check for
1613 * groups expiration
1614 *
1615 * Returns: 1 Expired
1616 * 0 Not expired
1617 */
1618 static int
1619 kauth_identity_groups_expired(struct kauth_identity *kip)
1620 {
1621 struct timeval tv;
1622
1623 /*
1624 * Expiration time of 0 means this entry is persistent.
1625 */
1626 if (kip->ki_groups_expiry == 0)
1627 return (0);
1628
1629 microuptime(&tv);
1630 KAUTH_DEBUG("CACHE - GROUPS expires @ %ld now %ld\n", kip->ki_groups_expiry, tv.tv_sec);
1631
1632 return((kip->ki_groups_expiry <= tv.tv_sec) ? 1 : 0);
1633 }
1634
1635 /*
1636 * kauth_identity_find_uid
1637 *
1638 * Description: Search for an entry by UID
1639 *
1640 * Parameters: uid UID to find
1641 * kir Pointer to return area
1642 * getname Name buffer, if ki_name wanted
1643 *
1644 * Returns: 0 Found
1645 * ENOENT Not found
1646 *
1647 * Implicit returns:
1648 * *klr Modified, if found
1649 */
1650 static int
1651 kauth_identity_find_uid(uid_t uid, struct kauth_identity *kir, char *getname)
1652 {
1653 struct kauth_identity *kip;
1654
1655 KAUTH_IDENTITY_LOCK();
1656 TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
1657 if ((kip->ki_valid & KI_VALID_UID) && (uid == kip->ki_uid)) {
1658 kauth_identity_lru(kip);
1659 /* Copy via structure assignment */
1660 *kir = *kip;
1661 /* If a name is wanted and one exists, copy it out */
1662 if (getname != NULL && (kip->ki_valid & (KI_VALID_PWNAM | KI_VALID_GRNAM)))
1663 strlcpy(getname, kip->ki_name, MAXPATHLEN);
1664 break;
1665 }
1666 }
1667 KAUTH_IDENTITY_UNLOCK();
1668 return((kip == NULL) ? ENOENT : 0);
1669 }
1670
1671
1672 /*
1673 * kauth_identity_find_gid
1674 *
1675 * Description: Search for an entry by GID
1676 *
1677 * Parameters: gid GID to find
1678 * kir Pointer to return area
1679 * getname Name buffer, if ki_name wanted
1680 *
1681 * Returns: 0 Found
1682 * ENOENT Not found
1683 *
1684 * Implicit returns:
1685 * *klr Modified, if found
1686 */
1687 static int
1688 kauth_identity_find_gid(uid_t gid, struct kauth_identity *kir, char *getname)
1689 {
1690 struct kauth_identity *kip;
1691
1692 KAUTH_IDENTITY_LOCK();
1693 TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
1694 if ((kip->ki_valid & KI_VALID_GID) && (gid == kip->ki_gid)) {
1695 kauth_identity_lru(kip);
1696 /* Copy via structure assignment */
1697 *kir = *kip;
1698 /* If a name is wanted and one exists, copy it out */
1699 if (getname != NULL && (kip->ki_valid & (KI_VALID_PWNAM | KI_VALID_GRNAM)))
1700 strlcpy(getname, kip->ki_name, MAXPATHLEN);
1701 break;
1702 }
1703 }
1704 KAUTH_IDENTITY_UNLOCK();
1705 return((kip == NULL) ? ENOENT : 0);
1706 }
1707
1708
1709 /*
1710 * kauth_identity_find_guid
1711 *
1712 * Description: Search for an entry by GUID
1713 *
1714 * Parameters: guidp Pointer to GUID to find
1715 * kir Pointer to return area
1716 * getname Name buffer, if ki_name wanted
1717 *
1718 * Returns: 0 Found
1719 * ENOENT Not found
1720 *
1721 * Implicit returns:
1722 * *klr Modified, if found
1723 *
1724 * Note: The association may be expired, in which case the caller
1725 * may elect to call out to userland to revalidate.
1726 */
1727 static int
1728 kauth_identity_find_guid(guid_t *guidp, struct kauth_identity *kir, char *getname)
1729 {
1730 struct kauth_identity *kip;
1731
1732 KAUTH_IDENTITY_LOCK();
1733 TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
1734 if ((kip->ki_valid & KI_VALID_GUID) && (kauth_guid_equal(guidp, &kip->ki_guid))) {
1735 kauth_identity_lru(kip);
1736 /* Copy via structure assignment */
1737 *kir = *kip;
1738 /* If a name is wanted and one exists, copy it out */
1739 if (getname != NULL && (kip->ki_valid & (KI_VALID_PWNAM | KI_VALID_GRNAM)))
1740 strlcpy(getname, kip->ki_name, MAXPATHLEN);
1741 break;
1742 }
1743 }
1744 KAUTH_IDENTITY_UNLOCK();
1745 return((kip == NULL) ? ENOENT : 0);
1746 }
1747
1748 /*
1749 * kauth_identity_find_nam
1750 *
1751 * Description: Search for an entry by name
1752 *
1753 * Parameters: name Pointer to name to find
1754 * valid KI_VALID_PWNAM or KI_VALID_GRNAM
1755 * kir Pointer to return area
1756 *
1757 * Returns: 0 Found
1758 * ENOENT Not found
1759 *
1760 * Implicit returns:
1761 * *klr Modified, if found
1762 */
1763 static int
1764 kauth_identity_find_nam(char *name, int valid, struct kauth_identity *kir)
1765 {
1766 struct kauth_identity *kip;
1767
1768 KAUTH_IDENTITY_LOCK();
1769 TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
1770 if ((kip->ki_valid & valid) && !strcmp(name, kip->ki_name)) {
1771 kauth_identity_lru(kip);
1772 /* Copy via structure assignment */
1773 *kir = *kip;
1774 break;
1775 }
1776 }
1777 KAUTH_IDENTITY_UNLOCK();
1778 return((kip == NULL) ? ENOENT : 0);
1779 }
1780
1781
1782 /*
1783 * kauth_identity_find_ntsid
1784 *
1785 * Description: Search for an entry by NTSID
1786 *
1787 * Parameters: ntsid Pointer to NTSID to find
1788 * kir Pointer to return area
1789 * getname Name buffer, if ki_name wanted
1790 *
1791 * Returns: 0 Found
1792 * ENOENT Not found
1793 *
1794 * Implicit returns:
1795 * *klr Modified, if found
1796 *
1797 * Note: The association may be expired, in which case the caller
1798 * may elect to call out to userland to revalidate.
1799 */
1800 static int
1801 kauth_identity_find_ntsid(ntsid_t *ntsid, struct kauth_identity *kir, char *getname)
1802 {
1803 struct kauth_identity *kip;
1804
1805 KAUTH_IDENTITY_LOCK();
1806 TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
1807 if ((kip->ki_valid & KI_VALID_NTSID) && (kauth_ntsid_equal(ntsid, &kip->ki_ntsid))) {
1808 kauth_identity_lru(kip);
1809 /* Copy via structure assignment */
1810 *kir = *kip;
1811 /* If a name is wanted and one exists, copy it out */
1812 if (getname != NULL && (kip->ki_valid & (KI_VALID_PWNAM | KI_VALID_GRNAM)))
1813 strlcpy(getname, kip->ki_name, MAXPATHLEN);
1814 break;
1815 }
1816 }
1817 KAUTH_IDENTITY_UNLOCK();
1818 return((kip == NULL) ? ENOENT : 0);
1819 }
1820 #endif /* CONFIG_EXT_RESOLVER */
1821
1822
1823 /*
1824 * GUID handling.
1825 */
1826 guid_t kauth_null_guid;
1827
1828
1829 /*
1830 * kauth_guid_equal
1831 *
1832 * Description: Determine the equality of two GUIDs
1833 *
1834 * Parameters: guid1 Pointer to first GUID
1835 * guid2 Pointer to second GUID
1836 *
1837 * Returns: 0 If GUIDs are unequal
1838 * !0 If GUIDs are equal
1839 */
1840 int
1841 kauth_guid_equal(guid_t *guid1, guid_t *guid2)
1842 {
1843 return(bcmp(guid1, guid2, sizeof(*guid1)) == 0);
1844 }
1845
1846
1847 /*
1848 * kauth_wellknown_guid
1849 *
1850 * Description: Determine if a GUID is a well-known GUID
1851 *
1852 * Parameters: guid Pointer to GUID to check
1853 *
1854 * Returns: KAUTH_WKG_NOT Not a well known GUID
1855 * KAUTH_WKG_EVERYBODY "Everybody"
1856 * KAUTH_WKG_NOBODY "Nobody"
1857 * KAUTH_WKG_OWNER "Other"
1858 * KAUTH_WKG_GROUP "Group"
1859 */
1860 int
1861 kauth_wellknown_guid(guid_t *guid)
1862 {
1863 static char fingerprint[] = {0xab, 0xcd, 0xef, 0xab, 0xcd, 0xef, 0xab, 0xcd, 0xef, 0xab, 0xcd, 0xef};
1864 uint32_t code;
1865 /*
1866 * All WKGs begin with the same 12 bytes.
1867 */
1868 if (bcmp((void *)guid, fingerprint, 12) == 0) {
1869 /*
1870 * The final 4 bytes are our code (in network byte order).
1871 */
1872 code = OSSwapHostToBigInt32(*(uint32_t *)&guid->g_guid[12]);
1873 switch(code) {
1874 case 0x0000000c:
1875 return(KAUTH_WKG_EVERYBODY);
1876 case 0xfffffffe:
1877 return(KAUTH_WKG_NOBODY);
1878 case 0x0000000a:
1879 return(KAUTH_WKG_OWNER);
1880 case 0x00000010:
1881 return(KAUTH_WKG_GROUP);
1882 }
1883 }
1884 return(KAUTH_WKG_NOT);
1885 }
1886
1887
1888 /*
1889 * kauth_ntsid_equal
1890 *
1891 * Description: Determine the equality of two NTSIDs (NT Security Identifiers)
1892 *
1893 * Parameters: sid1 Pointer to first NTSID
1894 * sid2 Pointer to second NTSID
1895 *
1896 * Returns: 0 If GUIDs are unequal
1897 * !0 If GUIDs are equal
1898 */
1899 int
1900 kauth_ntsid_equal(ntsid_t *sid1, ntsid_t *sid2)
1901 {
1902 /* check sizes for equality, also sanity-check size while we're at it */
1903 if ((KAUTH_NTSID_SIZE(sid1) == KAUTH_NTSID_SIZE(sid2)) &&
1904 (KAUTH_NTSID_SIZE(sid1) <= sizeof(*sid1)) &&
1905 bcmp(sid1, sid2, KAUTH_NTSID_SIZE(sid1)) == 0)
1906 return(1);
1907 return(0);
1908 }
1909
1910
1911 /*
1912 * Identity KPI
1913 *
1914 * We support four tokens representing identity:
1915 * - Credential reference
1916 * - UID
1917 * - GUID
1918 * - NT security identifier
1919 *
1920 * Of these, the UID is the ubiquitous identifier; cross-referencing should
1921 * be done using it.
1922 */
1923
1924
1925
1926 /*
1927 * kauth_cred_change_egid
1928 *
1929 * Description: Set EGID by changing the first element of cr_groups for the
1930 * passed credential; if the new EGID exists in the list of
1931 * groups already, then rotate the old EGID into its position,
1932 * otherwise replace it
1933 *
1934 * Parameters: cred Pointer to the credential to modify
1935 * new_egid The new EGID to set
1936 *
1937 * Returns: 0 The egid did not displace a member of
1938 * the supplementary group list
1939 * 1 The egid being set displaced a member
1940 * of the supplementary groups list
1941 *
1942 * Note: Utility function; internal use only because of locking.
1943 *
1944 * This function operates on the credential passed; the caller
1945 * must operate either on a newly allocated credential (one for
1946 * which there is no hash cache reference and no externally
1947 * visible pointer reference), or a template credential.
1948 */
1949 static int
1950 kauth_cred_change_egid(kauth_cred_t cred, gid_t new_egid)
1951 {
1952 int i;
1953 int displaced = 1;
1954 #if radar_4600026
1955 int is_member;
1956 #endif /* radar_4600026 */
1957 gid_t old_egid = kauth_cred_getgid(cred);
1958 posix_cred_t pcred = posix_cred_get(cred);
1959
1960 /* Ignoring the first entry, scan for a match for the new egid */
1961 for (i = 1; i < pcred->cr_ngroups; i++) {
1962 /*
1963 * If we find a match, swap them so we don't lose overall
1964 * group information
1965 */
1966 if (pcred->cr_groups[i] == new_egid) {
1967 pcred->cr_groups[i] = old_egid;
1968 DEBUG_CRED_CHANGE("kauth_cred_change_egid: unset displaced\n");
1969 displaced = 0;
1970 break;
1971 }
1972 }
1973
1974 #if radar_4600026
1975 #error Fix radar 4600026 first!!!
1976
1977 /*
1978 This is correct for memberd behaviour, but incorrect for POSIX; to address
1979 this, we would need to automatically opt-out any SUID/SGID binary, and force
1980 it to use initgroups to opt back in. We take the approach of considering it
1981 opt'ed out in any group of 16 displacement instead, since it's a much more
1982 conservative approach (i.e. less likely to cause things to break).
1983 */
1984
1985 /*
1986 * If we displaced a member of the supplementary groups list of the
1987 * credential, and we have not opted out of memberd, then if memberd
1988 * says that the credential is a member of the group, then it has not
1989 * actually been displaced.
1990 *
1991 * NB: This is typically a cold code path.
1992 */
1993 if (displaced && !(pcred->cr_flags & CRF_NOMEMBERD) &&
1994 kauth_cred_ismember_gid(cred, new_egid, &is_member) == 0 &&
1995 is_member) {
1996 displaced = 0;
1997 DEBUG_CRED_CHANGE("kauth_cred_change_egid: reset displaced\n");
1998 }
1999 #endif /* radar_4600026 */
2000
2001 /* set the new EGID into the old spot */
2002 pcred->cr_groups[0] = new_egid;
2003
2004 return (displaced);
2005 }
2006
2007
2008 /*
2009 * kauth_cred_getuid
2010 *
2011 * Description: Fetch UID from credential
2012 *
2013 * Parameters: cred Credential to examine
2014 *
2015 * Returns: (uid_t) UID associated with credential
2016 */
2017 uid_t
2018 kauth_cred_getuid(kauth_cred_t cred)
2019 {
2020 NULLCRED_CHECK(cred);
2021 return(posix_cred_get(cred)->cr_uid);
2022 }
2023
2024
2025 /*
2026 * kauth_cred_getruid
2027 *
2028 * Description: Fetch RUID from credential
2029 *
2030 * Parameters: cred Credential to examine
2031 *
2032 * Returns: (uid_t) RUID associated with credential
2033 */
2034 uid_t
2035 kauth_cred_getruid(kauth_cred_t cred)
2036 {
2037 NULLCRED_CHECK(cred);
2038 return(posix_cred_get(cred)->cr_ruid);
2039 }
2040
2041
2042 /*
2043 * kauth_cred_getsvuid
2044 *
2045 * Description: Fetch SVUID from credential
2046 *
2047 * Parameters: cred Credential to examine
2048 *
2049 * Returns: (uid_t) SVUID associated with credential
2050 */
2051 uid_t
2052 kauth_cred_getsvuid(kauth_cred_t cred)
2053 {
2054 NULLCRED_CHECK(cred);
2055 return(posix_cred_get(cred)->cr_svuid);
2056 }
2057
2058
2059 /*
2060 * kauth_cred_getgid
2061 *
2062 * Description: Fetch GID from credential
2063 *
2064 * Parameters: cred Credential to examine
2065 *
2066 * Returns: (gid_t) GID associated with credential
2067 */
2068 gid_t
2069 kauth_cred_getgid(kauth_cred_t cred)
2070 {
2071 NULLCRED_CHECK(cred);
2072 return(posix_cred_get(cred)->cr_gid);
2073 }
2074
2075
2076 /*
2077 * kauth_cred_getrgid
2078 *
2079 * Description: Fetch RGID from credential
2080 *
2081 * Parameters: cred Credential to examine
2082 *
2083 * Returns: (gid_t) RGID associated with credential
2084 */
2085 gid_t
2086 kauth_cred_getrgid(kauth_cred_t cred)
2087 {
2088 NULLCRED_CHECK(cred);
2089 return(posix_cred_get(cred)->cr_rgid);
2090 }
2091
2092
2093 /*
2094 * kauth_cred_getsvgid
2095 *
2096 * Description: Fetch SVGID from credential
2097 *
2098 * Parameters: cred Credential to examine
2099 *
2100 * Returns: (gid_t) SVGID associated with credential
2101 */
2102 gid_t
2103 kauth_cred_getsvgid(kauth_cred_t cred)
2104 {
2105 NULLCRED_CHECK(cred);
2106 return(posix_cred_get(cred)->cr_svgid);
2107 }
2108
2109
2110 static int kauth_cred_cache_lookup(int from, int to, void *src, void *dst);
2111
2112 #if CONFIG_EXT_RESOLVER == 0
2113 /*
2114 * If there's no resolver, only support a subset of the kauth_cred_x2y() lookups.
2115 */
2116 static __inline int
2117 kauth_cred_cache_lookup(int from, int to, void *src, void *dst)
2118 {
2119 /* NB: These must match the definitions used by Libinfo's mbr_identifier_translate(). */
2120 static const uuid_t _user_compat_prefix = {0xff, 0xff, 0xee, 0xee, 0xdd, 0xdd, 0xcc, 0xcc, 0xbb, 0xbb, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00};
2121 static const uuid_t _group_compat_prefix = {0xab, 0xcd, 0xef, 0xab, 0xcd, 0xef, 0xab, 0xcd, 0xef, 0xab, 0xcd, 0xef, 0x00, 0x00, 0x00, 0x00};
2122 #define COMPAT_PREFIX_LEN (sizeof(uuid_t) - sizeof(id_t))
2123
2124 assert(from != to);
2125
2126 switch (from) {
2127 case KI_VALID_UID: {
2128 id_t uid = htonl(*(id_t *)src);
2129
2130 if (to == KI_VALID_GUID) {
2131 uint8_t *uu = dst;
2132 memcpy(uu, _user_compat_prefix, sizeof(_user_compat_prefix));
2133 memcpy(&uu[COMPAT_PREFIX_LEN], &uid, sizeof(uid));
2134 return (0);
2135 }
2136 break;
2137 }
2138 case KI_VALID_GID: {
2139 id_t gid = htonl(*(id_t *)src);
2140
2141 if (to == KI_VALID_GUID) {
2142 uint8_t *uu = dst;
2143 memcpy(uu, _group_compat_prefix, sizeof(_group_compat_prefix));
2144 memcpy(&uu[COMPAT_PREFIX_LEN], &gid, sizeof(gid));
2145 return (0);
2146 }
2147 break;
2148 }
2149 case KI_VALID_GUID: {
2150 const uint8_t *uu = src;
2151
2152 if (to == KI_VALID_UID) {
2153 if (memcmp(uu, _user_compat_prefix, COMPAT_PREFIX_LEN) == 0) {
2154 id_t uid;
2155 memcpy(&uid, &uu[COMPAT_PREFIX_LEN], sizeof(uid));
2156 *(id_t *)dst = ntohl(uid);
2157 return (0);
2158 }
2159 } else if (to == KI_VALID_GID) {
2160 if (memcmp(uu, _group_compat_prefix, COMPAT_PREFIX_LEN) == 0) {
2161 id_t gid;
2162 memcpy(&gid, &uu[COMPAT_PREFIX_LEN], sizeof(gid));
2163 *(id_t *)dst = ntohl(gid);
2164 return (0);
2165 }
2166 }
2167 break;
2168 }
2169 default:
2170 /* NOT IMPLEMENTED */
2171 break;
2172 }
2173 return (ENOENT);
2174 }
2175 #endif
2176
2177 #if defined(CONFIG_EXT_RESOLVER) && (CONFIG_EXT_RESOLVER)
2178 /*
2179 * Structure to hold supplemental groups. Used for impedance matching with
2180 * kauth_cred_cache_lookup below.
2181 */
2182 struct supgroups {
2183 int *count;
2184 gid_t *groups;
2185 };
2186
2187 /*
2188 * kauth_cred_uid2groups
2189 *
2190 * Description: Fetch supplemental GROUPS from UID
2191 *
2192 * Parameters: uid UID to examine
2193 * groups pointer to an array of gid_ts
2194 * gcount pointer to the number of groups wanted/returned
2195 *
2196 * Returns: 0 Success
2197 * kauth_cred_cache_lookup:EINVAL
2198 *
2199 * Implicit returns:
2200 * *groups Modified, if successful
2201 * *gcount Modified, if successful
2202 *
2203 */
2204 static int
2205 kauth_cred_uid2groups(uid_t *uid, gid_t *groups, int *gcount)
2206 {
2207 int rv;
2208
2209 struct supgroups supgroups;
2210 supgroups.count = gcount;
2211 supgroups.groups = groups;
2212
2213 rv = kauth_cred_cache_lookup(KI_VALID_UID, KI_VALID_GROUPS, uid, &supgroups);
2214
2215 return (rv);
2216 }
2217 #endif
2218
2219 /*
2220 * kauth_cred_guid2pwnam
2221 *
2222 * Description: Fetch PWNAM from GUID
2223 *
2224 * Parameters: guidp Pointer to GUID to examine
2225 * pwnam Pointer to user@domain buffer
2226 *
2227 * Returns: 0 Success
2228 * kauth_cred_cache_lookup:EINVAL
2229 *
2230 * Implicit returns:
2231 * *pwnam Modified, if successful
2232 *
2233 * Notes: pwnam is assumed to point to a buffer of MAXPATHLEN in size
2234 */
2235 int
2236 kauth_cred_guid2pwnam(guid_t *guidp, char *pwnam)
2237 {
2238 return(kauth_cred_cache_lookup(KI_VALID_GUID, KI_VALID_PWNAM, guidp, pwnam));
2239 }
2240
2241
2242 /*
2243 * kauth_cred_guid2grnam
2244 *
2245 * Description: Fetch GRNAM from GUID
2246 *
2247 * Parameters: guidp Pointer to GUID to examine
2248 * grnam Pointer to group@domain buffer
2249 *
2250 * Returns: 0 Success
2251 * kauth_cred_cache_lookup:EINVAL
2252 *
2253 * Implicit returns:
2254 * *grnam Modified, if successful
2255 *
2256 * Notes: grnam is assumed to point to a buffer of MAXPATHLEN in size
2257 */
2258 int
2259 kauth_cred_guid2grnam(guid_t *guidp, char *grnam)
2260 {
2261 return(kauth_cred_cache_lookup(KI_VALID_GUID, KI_VALID_GRNAM, guidp, grnam));
2262 }
2263
2264
2265 /*
2266 * kauth_cred_pwnam2guid
2267 *
2268 * Description: Fetch PWNAM from GUID
2269 *
2270 * Parameters: pwnam String containing user@domain
2271 * guidp Pointer to buffer for GUID
2272 *
2273 * Returns: 0 Success
2274 * kauth_cred_cache_lookup:EINVAL
2275 *
2276 * Implicit returns:
2277 * *guidp Modified, if successful
2278 *
2279 * Notes: pwnam should not point to a request larger than MAXPATHLEN
2280 * bytes in size, including the NUL termination of the string.
2281 */
2282 int
2283 kauth_cred_pwnam2guid(char *pwnam, guid_t *guidp)
2284 {
2285 return(kauth_cred_cache_lookup(KI_VALID_PWNAM, KI_VALID_GUID, pwnam, guidp));
2286 }
2287
2288
2289 /*
2290 * kauth_cred_grnam2guid
2291 *
2292 * Description: Fetch GRNAM from GUID
2293 *
2294 * Parameters: grnam String containing group@domain
2295 * guidp Pointer to buffer for GUID
2296 *
2297 * Returns: 0 Success
2298 * kauth_cred_cache_lookup:EINVAL
2299 *
2300 * Implicit returns:
2301 * *guidp Modified, if successful
2302 *
2303 * Notes: grnam should not point to a request larger than MAXPATHLEN
2304 * bytes in size, including the NUL termination of the string.
2305 */
2306 int
2307 kauth_cred_grnam2guid(char *grnam, guid_t *guidp)
2308 {
2309 return(kauth_cred_cache_lookup(KI_VALID_GRNAM, KI_VALID_GUID, grnam, guidp));
2310 }
2311
2312
2313 /*
2314 * kauth_cred_guid2uid
2315 *
2316 * Description: Fetch UID from GUID
2317 *
2318 * Parameters: guidp Pointer to GUID to examine
2319 * uidp Pointer to buffer for UID
2320 *
2321 * Returns: 0 Success
2322 * kauth_cred_cache_lookup:EINVAL
2323 *
2324 * Implicit returns:
2325 * *uidp Modified, if successful
2326 */
2327 int
2328 kauth_cred_guid2uid(guid_t *guidp, uid_t *uidp)
2329 {
2330 return(kauth_cred_cache_lookup(KI_VALID_GUID, KI_VALID_UID, guidp, uidp));
2331 }
2332
2333
2334 /*
2335 * kauth_cred_guid2gid
2336 *
2337 * Description: Fetch GID from GUID
2338 *
2339 * Parameters: guidp Pointer to GUID to examine
2340 * gidp Pointer to buffer for GID
2341 *
2342 * Returns: 0 Success
2343 * kauth_cred_cache_lookup:EINVAL
2344 *
2345 * Implicit returns:
2346 * *gidp Modified, if successful
2347 */
2348 int
2349 kauth_cred_guid2gid(guid_t *guidp, gid_t *gidp)
2350 {
2351 return(kauth_cred_cache_lookup(KI_VALID_GUID, KI_VALID_GID, guidp, gidp));
2352 }
2353
2354 /*
2355 * kauth_cred_nfs4domain2dsnode
2356 *
2357 * Description: Fetch dsnode from nfs4domain
2358 *
2359 * Parameters: nfs4domain Pointer to a string nfs4 domain
2360 * dsnode Pointer to buffer for dsnode
2361 *
2362 * Returns: 0 Success
2363 * ENOENT For now just a stub that always fails
2364 *
2365 * Implicit returns:
2366 * *dsnode Modified, if successuful
2367 */
2368 int
2369 kauth_cred_nfs4domain2dsnode(__unused char *nfs4domain, __unused char *dsnode)
2370 {
2371 return(ENOENT);
2372 }
2373
2374 /*
2375 * kauth_cred_dsnode2nfs4domain
2376 *
2377 * Description: Fetch nfs4domain from dsnode
2378 *
2379 * Parameters: nfs4domain Pointer to string dsnode
2380 * dsnode Pointer to buffer for nfs4domain
2381 *
2382 * Returns: 0 Success
2383 * ENOENT For now just a stub that always fails
2384 *
2385 * Implicit returns:
2386 * *nfs4domain Modified, if successuful
2387 */
2388 int
2389 kauth_cred_dsnode2nfs4domain(__unused char *dsnode, __unused char *nfs4domain)
2390 {
2391 return(ENOENT);
2392 }
2393
2394 /*
2395 * kauth_cred_ntsid2uid
2396 *
2397 * Description: Fetch UID from NTSID
2398 *
2399 * Parameters: sidp Pointer to NTSID to examine
2400 * uidp Pointer to buffer for UID
2401 *
2402 * Returns: 0 Success
2403 * kauth_cred_cache_lookup:EINVAL
2404 *
2405 * Implicit returns:
2406 * *uidp Modified, if successful
2407 */
2408 int
2409 kauth_cred_ntsid2uid(ntsid_t *sidp, uid_t *uidp)
2410 {
2411 return(kauth_cred_cache_lookup(KI_VALID_NTSID, KI_VALID_UID, sidp, uidp));
2412 }
2413
2414
2415 /*
2416 * kauth_cred_ntsid2gid
2417 *
2418 * Description: Fetch GID from NTSID
2419 *
2420 * Parameters: sidp Pointer to NTSID to examine
2421 * gidp Pointer to buffer for GID
2422 *
2423 * Returns: 0 Success
2424 * kauth_cred_cache_lookup:EINVAL
2425 *
2426 * Implicit returns:
2427 * *gidp Modified, if successful
2428 */
2429 int
2430 kauth_cred_ntsid2gid(ntsid_t *sidp, gid_t *gidp)
2431 {
2432 return(kauth_cred_cache_lookup(KI_VALID_NTSID, KI_VALID_GID, sidp, gidp));
2433 }
2434
2435
2436 /*
2437 * kauth_cred_ntsid2guid
2438 *
2439 * Description: Fetch GUID from NTSID
2440 *
2441 * Parameters: sidp Pointer to NTSID to examine
2442 * guidp Pointer to buffer for GUID
2443 *
2444 * Returns: 0 Success
2445 * kauth_cred_cache_lookup:EINVAL
2446 *
2447 * Implicit returns:
2448 * *guidp Modified, if successful
2449 */
2450 int
2451 kauth_cred_ntsid2guid(ntsid_t *sidp, guid_t *guidp)
2452 {
2453 return(kauth_cred_cache_lookup(KI_VALID_NTSID, KI_VALID_GUID, sidp, guidp));
2454 }
2455
2456
2457 /*
2458 * kauth_cred_uid2guid
2459 *
2460 * Description: Fetch GUID from UID
2461 *
2462 * Parameters: uid UID to examine
2463 * guidp Pointer to buffer for GUID
2464 *
2465 * Returns: 0 Success
2466 * kauth_cred_cache_lookup:EINVAL
2467 *
2468 * Implicit returns:
2469 * *guidp Modified, if successful
2470 */
2471 int
2472 kauth_cred_uid2guid(uid_t uid, guid_t *guidp)
2473 {
2474 return(kauth_cred_cache_lookup(KI_VALID_UID, KI_VALID_GUID, &uid, guidp));
2475 }
2476
2477
2478 /*
2479 * kauth_cred_getguid
2480 *
2481 * Description: Fetch GUID from credential
2482 *
2483 * Parameters: cred Credential to examine
2484 * guidp Pointer to buffer for GUID
2485 *
2486 * Returns: 0 Success
2487 * kauth_cred_cache_lookup:EINVAL
2488 *
2489 * Implicit returns:
2490 * *guidp Modified, if successful
2491 */
2492 int
2493 kauth_cred_getguid(kauth_cred_t cred, guid_t *guidp)
2494 {
2495 NULLCRED_CHECK(cred);
2496 return(kauth_cred_uid2guid(kauth_cred_getuid(cred), guidp));
2497 }
2498
2499
2500 /*
2501 * kauth_cred_getguid
2502 *
2503 * Description: Fetch GUID from GID
2504 *
2505 * Parameters: gid GID to examine
2506 * guidp Pointer to buffer for GUID
2507 *
2508 * Returns: 0 Success
2509 * kauth_cred_cache_lookup:EINVAL
2510 *
2511 * Implicit returns:
2512 * *guidp Modified, if successful
2513 */
2514 int
2515 kauth_cred_gid2guid(gid_t gid, guid_t *guidp)
2516 {
2517 return(kauth_cred_cache_lookup(KI_VALID_GID, KI_VALID_GUID, &gid, guidp));
2518 }
2519
2520
2521 /*
2522 * kauth_cred_uid2ntsid
2523 *
2524 * Description: Fetch NTSID from UID
2525 *
2526 * Parameters: uid UID to examine
2527 * sidp Pointer to buffer for NTSID
2528 *
2529 * Returns: 0 Success
2530 * kauth_cred_cache_lookup:EINVAL
2531 *
2532 * Implicit returns:
2533 * *sidp Modified, if successful
2534 */
2535 int
2536 kauth_cred_uid2ntsid(uid_t uid, ntsid_t *sidp)
2537 {
2538 return(kauth_cred_cache_lookup(KI_VALID_UID, KI_VALID_NTSID, &uid, sidp));
2539 }
2540
2541
2542 /*
2543 * kauth_cred_getntsid
2544 *
2545 * Description: Fetch NTSID from credential
2546 *
2547 * Parameters: cred Credential to examine
2548 * sidp Pointer to buffer for NTSID
2549 *
2550 * Returns: 0 Success
2551 * kauth_cred_cache_lookup:EINVAL
2552 *
2553 * Implicit returns:
2554 * *sidp Modified, if successful
2555 */
2556 int
2557 kauth_cred_getntsid(kauth_cred_t cred, ntsid_t *sidp)
2558 {
2559 NULLCRED_CHECK(cred);
2560 return(kauth_cred_uid2ntsid(kauth_cred_getuid(cred), sidp));
2561 }
2562
2563
2564 /*
2565 * kauth_cred_gid2ntsid
2566 *
2567 * Description: Fetch NTSID from GID
2568 *
2569 * Parameters: gid GID to examine
2570 * sidp Pointer to buffer for NTSID
2571 *
2572 * Returns: 0 Success
2573 * kauth_cred_cache_lookup:EINVAL
2574 *
2575 * Implicit returns:
2576 * *sidp Modified, if successful
2577 */
2578 int
2579 kauth_cred_gid2ntsid(gid_t gid, ntsid_t *sidp)
2580 {
2581 return(kauth_cred_cache_lookup(KI_VALID_GID, KI_VALID_NTSID, &gid, sidp));
2582 }
2583
2584
2585 /*
2586 * kauth_cred_guid2ntsid
2587 *
2588 * Description: Fetch NTSID from GUID
2589 *
2590 * Parameters: guidp Pointer to GUID to examine
2591 * sidp Pointer to buffer for NTSID
2592 *
2593 * Returns: 0 Success
2594 * kauth_cred_cache_lookup:EINVAL
2595 *
2596 * Implicit returns:
2597 * *sidp Modified, if successful
2598 */
2599 int
2600 kauth_cred_guid2ntsid(guid_t *guidp, ntsid_t *sidp)
2601 {
2602 return(kauth_cred_cache_lookup(KI_VALID_GUID, KI_VALID_NTSID, guidp, sidp));
2603 }
2604
2605
2606 /*
2607 * kauth_cred_cache_lookup
2608 *
2609 * Description: Lookup a translation in the cache; if one is not found, and
2610 * the attempt was not fatal, submit the request to the resolver
2611 * instead, and wait for it to complete or be aborted.
2612 *
2613 * Parameters: from Identity information we have
2614 * to Identity information we want
2615 * src Pointer to buffer containing
2616 * the source identity
2617 * dst Pointer to buffer to receive
2618 * the target identity
2619 *
2620 * Returns: 0 Success
2621 * EINVAL Unknown source identity type
2622 */
2623 #if CONFIG_EXT_RESOLVER
2624 static int
2625 kauth_cred_cache_lookup(int from, int to, void *src, void *dst)
2626 {
2627 struct kauth_identity ki;
2628 struct kauth_identity_extlookup el;
2629 int error;
2630 uint64_t extend_data = 0ULL;
2631 int (* expired)(struct kauth_identity *kip);
2632 char *namebuf = NULL;
2633
2634 KAUTH_DEBUG("CACHE - translate %d to %d", from, to);
2635
2636 /*
2637 * Look for an existing cache entry for this association.
2638 * If the entry has not expired, return the cached information.
2639 * We do not cache user@domain translations here; they use too
2640 * much memory to hold onto forever, and can not be updated
2641 * atomically.
2642 */
2643 if (to == KI_VALID_PWNAM || to == KI_VALID_GRNAM) {
2644 if (dst == NULL)
2645 return (EINVAL);
2646 namebuf = dst;
2647 *namebuf = '\0';
2648 }
2649 ki.ki_valid = 0;
2650 switch(from) {
2651 case KI_VALID_UID:
2652 error = kauth_identity_find_uid(*(uid_t *)src, &ki, namebuf);
2653 break;
2654 case KI_VALID_GID:
2655 error = kauth_identity_find_gid(*(gid_t *)src, &ki, namebuf);
2656 break;
2657 case KI_VALID_GUID:
2658 error = kauth_identity_find_guid((guid_t *)src, &ki, namebuf);
2659 break;
2660 case KI_VALID_NTSID:
2661 error = kauth_identity_find_ntsid((ntsid_t *)src, &ki, namebuf);
2662 break;
2663 case KI_VALID_PWNAM:
2664 case KI_VALID_GRNAM:
2665 /* Names are unique in their 'from' space */
2666 error = kauth_identity_find_nam((char *)src, from, &ki);
2667 break;
2668 default:
2669 return(EINVAL);
2670 }
2671 /* If we didn't get what we're asking for. Call the resolver */
2672 if (!error && !(to & ki.ki_valid))
2673 error = ENOENT;
2674 /* lookup failure or error */
2675 if (error != 0) {
2676 /* any other error is fatal */
2677 if (error != ENOENT) {
2678 /* XXX bogus check - this is not possible */
2679 KAUTH_DEBUG("CACHE - cache search error %d", error);
2680 return(error);
2681 }
2682 } else {
2683 /* found a valid cached entry, check expiry */
2684 switch(to) {
2685 case KI_VALID_GUID:
2686 expired = kauth_identity_guid_expired;
2687 break;
2688 case KI_VALID_NTSID:
2689 expired = kauth_identity_ntsid_expired;
2690 break;
2691 case KI_VALID_GROUPS:
2692 expired = kauth_identity_groups_expired;
2693 break;
2694 default:
2695 switch(from) {
2696 case KI_VALID_GUID:
2697 expired = kauth_identity_guid_expired;
2698 break;
2699 case KI_VALID_NTSID:
2700 expired = kauth_identity_ntsid_expired;
2701 break;
2702 default:
2703 expired = NULL;
2704 }
2705 }
2706
2707 /*
2708 * If no expiry function, or not expired, we have found
2709 * a hit.
2710 */
2711 if (expired) {
2712 if (!expired(&ki)) {
2713 KAUTH_DEBUG("CACHE - entry valid, unexpired");
2714 expired = NULL; /* must clear it is used as a flag */
2715 } else {
2716 /*
2717 * We leave ki_valid set here; it contains a
2718 * translation but the TTL has expired. If we can't
2719 * get a result from the resolver, we will use it as
2720 * a better-than nothing alternative.
2721 */
2722
2723 KAUTH_DEBUG("CACHE - expired entry found");
2724 }
2725 } else {
2726 KAUTH_DEBUG("CACHE - no expiry function");
2727 }
2728
2729 if (!expired) {
2730 /* do we have a translation? */
2731 if (ki.ki_valid & to) {
2732 KAUTH_DEBUG("CACHE - found matching entry with valid 0x%08x", ki.ki_valid);
2733 DTRACE_PROC4(kauth__identity__cache__hit, int, from, int, to, void *, src, void *, dst);
2734 goto found;
2735 } else {
2736 /*
2737 * GUIDs and NTSIDs map to either a UID or a GID, but not both.
2738 * If we went looking for a translation from GUID or NTSID and
2739 * found a translation that wasn't for our desired type, then
2740 * don't bother calling the resolver. We know that this
2741 * GUID/NTSID can't translate to our desired type.
2742 */
2743 switch(from) {
2744 case KI_VALID_GUID:
2745 case KI_VALID_NTSID:
2746 switch(to) {
2747 case KI_VALID_GID:
2748 if ((ki.ki_valid & KI_VALID_UID)) {
2749 KAUTH_DEBUG("CACHE - unexpected entry 0x%08x & %x", ki.ki_valid, KI_VALID_GID);
2750 return (ENOENT);
2751 }
2752 break;
2753 case KI_VALID_UID:
2754 if ((ki.ki_valid & KI_VALID_GID)) {
2755 KAUTH_DEBUG("CACHE - unexpected entry 0x%08x & %x", ki.ki_valid, KI_VALID_UID);
2756 return (ENOENT);
2757 }
2758 break;
2759 }
2760 break;
2761 }
2762 }
2763 }
2764 }
2765
2766 /*
2767 * We failed to find a cache entry; call the resolver.
2768 *
2769 * Note: We ask for as much non-extended data as we can get,
2770 * and only provide (or ask for) extended information if
2771 * we have a 'from' (or 'to') which requires it. This
2772 * way we don't pay for the extra transfer overhead for
2773 * data we don't need.
2774 */
2775 bzero(&el, sizeof(el));
2776 el.el_info_pid = current_proc()->p_pid;
2777 switch(from) {
2778 case KI_VALID_UID:
2779 el.el_flags = KAUTH_EXTLOOKUP_VALID_UID;
2780 el.el_uid = *(uid_t *)src;
2781 break;
2782 case KI_VALID_GID:
2783 el.el_flags = KAUTH_EXTLOOKUP_VALID_GID;
2784 el.el_gid = *(gid_t *)src;
2785 break;
2786 case KI_VALID_GUID:
2787 el.el_flags = KAUTH_EXTLOOKUP_VALID_UGUID | KAUTH_EXTLOOKUP_VALID_GGUID;
2788 el.el_uguid = *(guid_t *)src;
2789 el.el_gguid = *(guid_t *)src;
2790 break;
2791 case KI_VALID_NTSID:
2792 el.el_flags = KAUTH_EXTLOOKUP_VALID_USID | KAUTH_EXTLOOKUP_VALID_GSID;
2793 el.el_usid = *(ntsid_t *)src;
2794 el.el_gsid = *(ntsid_t *)src;
2795 break;
2796 case KI_VALID_PWNAM:
2797 /* extra overhead */
2798 el.el_flags = KAUTH_EXTLOOKUP_VALID_PWNAM;
2799 extend_data = CAST_USER_ADDR_T(src);
2800 break;
2801 case KI_VALID_GRNAM:
2802 /* extra overhead */
2803 el.el_flags = KAUTH_EXTLOOKUP_VALID_GRNAM;
2804 extend_data = CAST_USER_ADDR_T(src);
2805 break;
2806 default:
2807 return(EINVAL);
2808 }
2809 /*
2810 * Here we ask for everything all at once, to avoid having to work
2811 * out what we really want now, or might want soon.
2812 *
2813 * Asking for SID translations when we don't know we need them right
2814 * now is going to cause excess work to be done if we're connected
2815 * to a network that thinks it can translate them. This list needs
2816 * to get smaller/smarter.
2817 */
2818 el.el_flags |= KAUTH_EXTLOOKUP_WANT_UID | KAUTH_EXTLOOKUP_WANT_GID |
2819 KAUTH_EXTLOOKUP_WANT_UGUID | KAUTH_EXTLOOKUP_WANT_GGUID |
2820 KAUTH_EXTLOOKUP_WANT_USID | KAUTH_EXTLOOKUP_WANT_GSID;
2821 if (to == KI_VALID_PWNAM) {
2822 /* extra overhead */
2823 el.el_flags |= KAUTH_EXTLOOKUP_WANT_PWNAM;
2824 extend_data = CAST_USER_ADDR_T(dst);
2825 }
2826 if (to == KI_VALID_GRNAM) {
2827 /* extra overhead */
2828 el.el_flags |= KAUTH_EXTLOOKUP_WANT_GRNAM;
2829 extend_data = CAST_USER_ADDR_T(dst);
2830 }
2831 if (to == KI_VALID_GROUPS) {
2832 /* Expensive and only useful for an NFS client not using kerberos */
2833 el.el_flags |= KAUTH_EXTLOOKUP_WANT_SUPGRPS;
2834 if (ki.ki_valid & KI_VALID_GROUPS) {
2835 /*
2836 * Copy the current supplemental groups for the resolver.
2837 * The resolver should check these groups first and if
2838 * the user (uid) is still a member it should endeavor to
2839 * keep them in the list. Otherwise NFS clients could get
2840 * changing access to server file system objects on each
2841 * expiration.
2842 */
2843 if (ki.ki_supgrpcnt > NGROUPS) {
2844 panic("kauth data structure corrupted. kauth identity 0x%p with %d groups, greater than max of %d",
2845 &ki, ki.ki_supgrpcnt, NGROUPS);
2846 }
2847
2848 el.el_sup_grp_cnt = ki.ki_supgrpcnt;
2849
2850 memcpy(el.el_sup_groups, ki.ki_supgrps, sizeof (el.el_sup_groups[0]) * ki.ki_supgrpcnt);
2851 /* Let the resolver know these were the previous valid groups */
2852 el.el_flags |= KAUTH_EXTLOOKUP_VALID_SUPGRPS;
2853 KAUTH_DEBUG("GROUPS: Sending previously valid GROUPS");
2854 } else
2855 KAUTH_DEBUG("GROUPS: no valid groups to send");
2856 }
2857
2858 /* Call resolver */
2859 KAUTH_DEBUG("CACHE - calling resolver for %x", el.el_flags);
2860
2861 DTRACE_PROC3(kauth__id__resolver__submitted, int, from, int, to, uintptr_t, src);
2862
2863 error = kauth_resolver_submit(&el, extend_data);
2864
2865 DTRACE_PROC2(kauth__id__resolver__returned, int, error, struct kauth_identity_extlookup *, &el)
2866
2867 KAUTH_DEBUG("CACHE - resolver returned %d", error);
2868
2869 /* was the external lookup successful? */
2870 if (error == 0) {
2871 /*
2872 * Save the results from the lookup - we may have other
2873 * information, even if we didn't get a guid or the
2874 * extended data.
2875 *
2876 * If we came from a name, we know the extend_data is valid.
2877 */
2878 if (from == KI_VALID_PWNAM)
2879 el.el_flags |= KAUTH_EXTLOOKUP_VALID_PWNAM;
2880 else if (from == KI_VALID_GRNAM)
2881 el.el_flags |= KAUTH_EXTLOOKUP_VALID_GRNAM;
2882
2883 kauth_identity_updatecache(&el, &ki, extend_data);
2884
2885 /*
2886 * Check to see if we have a valid cache entry
2887 * originating from the result.
2888 */
2889 if (!(ki.ki_valid & to)) {
2890 error = ENOENT;
2891 }
2892 }
2893 if (error)
2894 return(error);
2895 found:
2896 /*
2897 * Copy from the appropriate struct kauth_identity cache entry
2898 * structure into the destination buffer area.
2899 */
2900 switch(to) {
2901 case KI_VALID_UID:
2902 *(uid_t *)dst = ki.ki_uid;
2903 break;
2904 case KI_VALID_GID:
2905 *(gid_t *)dst = ki.ki_gid;
2906 break;
2907 case KI_VALID_GUID:
2908 *(guid_t *)dst = ki.ki_guid;
2909 break;
2910 case KI_VALID_NTSID:
2911 *(ntsid_t *)dst = ki.ki_ntsid;
2912 break;
2913 case KI_VALID_GROUPS: {
2914 struct supgroups *gp = (struct supgroups *)dst;
2915 u_int32_t limit = ki.ki_supgrpcnt;
2916
2917 if (gp->count) {
2918 limit = MIN(ki.ki_supgrpcnt, *gp->count);
2919 *gp->count = limit;
2920 }
2921
2922 memcpy(gp->groups, ki.ki_supgrps, sizeof(gid_t) * limit);
2923 }
2924 break;
2925 case KI_VALID_PWNAM:
2926 case KI_VALID_GRNAM:
2927 /* handled in kauth_resolver_complete() */
2928 break;
2929 default:
2930 return(EINVAL);
2931 }
2932 KAUTH_DEBUG("CACHE - returned successfully");
2933 return(0);
2934 }
2935
2936
2937 /*
2938 * Group membership cache.
2939 *
2940 * XXX the linked-list implementation here needs to be optimized.
2941 */
2942
2943 /*
2944 * kauth_groups_init
2945 *
2946 * Description: Initialize the groups cache
2947 *
2948 * Parameters: (void)
2949 *
2950 * Returns: (void)
2951 *
2952 * Notes: Initialize the groups cache for use; the group cache is used
2953 * to avoid unnecessary calls out to user space.
2954 *
2955 * This function is called from kauth_init() in the file
2956 * kern_authorization.c.
2957 */
2958 void
2959 kauth_groups_init(void)
2960 {
2961 TAILQ_INIT(&kauth_groups);
2962 kauth_groups_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0/*LCK_ATTR_NULL*/);
2963 }
2964
2965
2966 /*
2967 * kauth_groups_expired
2968 *
2969 * Description: Handle lazy expiration of group membership cache entries
2970 *
2971 * Parameters: gm group membership entry to
2972 * check for expiration
2973 *
2974 * Returns: 1 Expired
2975 * 0 Not expired
2976 */
2977 static int
2978 kauth_groups_expired(struct kauth_group_membership *gm)
2979 {
2980 struct timeval tv;
2981
2982 /*
2983 * Expiration time of 0 means this entry is persistent.
2984 */
2985 if (gm->gm_expiry == 0)
2986 return (0);
2987
2988 microuptime(&tv);
2989
2990 return((gm->gm_expiry <= tv.tv_sec) ? 1 : 0);
2991 }
2992
2993
2994 /*
2995 * kauth_groups_lru
2996 *
2997 * Description: Promote the entry to the head of the LRU, assumes the cache
2998 * is locked.
2999 *
3000 * Parameters: kip group membership entry to move
3001 * to the head of the LRU list,
3002 * if it's not already there
3003 *
3004 * Returns: (void)
3005 *
3006 * Notes: This is called even if the entry has expired; typically an
3007 * expired entry that's been looked up is about to be revalidated,
3008 * and having it closer to the head of the LRU means finding it
3009 * quickly again when the revalidation comes through.
3010 */
3011 static void
3012 kauth_groups_lru(struct kauth_group_membership *gm)
3013 {
3014 if (gm != TAILQ_FIRST(&kauth_groups)) {
3015 TAILQ_REMOVE(&kauth_groups, gm, gm_link);
3016 TAILQ_INSERT_HEAD(&kauth_groups, gm, gm_link);
3017 }
3018 }
3019
3020
3021 /*
3022 * kauth_groups_updatecache
3023 *
3024 * Description: Given a lookup result, add any group cache associations that
3025 * we don't currently have.
3026 *
3027 * Parameters: elp External lookup result from
3028 * user space daemon to kernel
3029 * rkip pointer to returned kauth
3030 * identity, or NULL
3031 *
3032 * Returns: (void)
3033 */
3034 static void
3035 kauth_groups_updatecache(struct kauth_identity_extlookup *el)
3036 {
3037 struct kauth_group_membership *gm;
3038 struct timeval tv;
3039
3040 /* need a valid response if we are to cache anything */
3041 if ((el->el_flags &
3042 (KAUTH_EXTLOOKUP_VALID_UID | KAUTH_EXTLOOKUP_VALID_GID | KAUTH_EXTLOOKUP_VALID_MEMBERSHIP)) !=
3043 (KAUTH_EXTLOOKUP_VALID_UID | KAUTH_EXTLOOKUP_VALID_GID | KAUTH_EXTLOOKUP_VALID_MEMBERSHIP))
3044 return;
3045
3046 microuptime(&tv);
3047
3048 /*
3049 * Search for an existing record for this association before inserting
3050 * a new one; if we find one, update it instead of creating a new one
3051 */
3052 KAUTH_GROUPS_LOCK();
3053 TAILQ_FOREACH(gm, &kauth_groups, gm_link) {
3054 if ((el->el_uid == gm->gm_uid) &&
3055 (el->el_gid == gm->gm_gid)) {
3056 if (el->el_flags & KAUTH_EXTLOOKUP_ISMEMBER) {
3057 gm->gm_flags |= KAUTH_GROUP_ISMEMBER;
3058 } else {
3059 gm->gm_flags &= ~KAUTH_GROUP_ISMEMBER;
3060 }
3061 gm->gm_expiry = (el->el_member_valid) ? el->el_member_valid + tv.tv_sec : 0;
3062 kauth_groups_lru(gm);
3063 break;
3064 }
3065 }
3066 KAUTH_GROUPS_UNLOCK();
3067
3068 /* if we found an entry to update, stop here */
3069 if (gm != NULL)
3070 return;
3071
3072 /* allocate a new record */
3073 MALLOC(gm, struct kauth_group_membership *, sizeof(*gm), M_KAUTH, M_WAITOK);
3074 if (gm != NULL) {
3075 gm->gm_uid = el->el_uid;
3076 gm->gm_gid = el->el_gid;
3077 if (el->el_flags & KAUTH_EXTLOOKUP_ISMEMBER) {
3078 gm->gm_flags |= KAUTH_GROUP_ISMEMBER;
3079 } else {
3080 gm->gm_flags &= ~KAUTH_GROUP_ISMEMBER;
3081 }
3082 gm->gm_expiry = (el->el_member_valid) ? el->el_member_valid + tv.tv_sec : 0;
3083 }
3084
3085 /*
3086 * Insert the new entry. Note that it's possible to race ourselves
3087 * here and end up with duplicate entries in the list. Wasteful, but
3088 * harmless since the first into the list will never be looked up,
3089 * and thus will eventually just fall off the end.
3090 */
3091 KAUTH_GROUPS_LOCK();
3092 TAILQ_INSERT_HEAD(&kauth_groups, gm, gm_link);
3093 if (++kauth_groups_count > kauth_groups_cachemax) {
3094 gm = TAILQ_LAST(&kauth_groups, kauth_groups_head);
3095 TAILQ_REMOVE(&kauth_groups, gm, gm_link);
3096 kauth_groups_count--;
3097 } else {
3098 gm = NULL;
3099 }
3100 KAUTH_GROUPS_UNLOCK();
3101
3102 /* free expired cache entry */
3103 if (gm != NULL)
3104 FREE(gm, M_KAUTH);
3105 }
3106
3107 /*
3108 * Trim older entries from the group membership cache.
3109 *
3110 * Must be called with the group cache lock held.
3111 */
3112 static void
3113 kauth_groups_trimcache(int new_size) {
3114 struct kauth_group_membership *gm;
3115
3116 lck_mtx_assert(kauth_groups_mtx, LCK_MTX_ASSERT_OWNED);
3117
3118 while (kauth_groups_count > new_size) {
3119 gm = TAILQ_LAST(&kauth_groups, kauth_groups_head);
3120 TAILQ_REMOVE(&kauth_groups, gm, gm_link);
3121 kauth_groups_count--;
3122 FREE(gm, M_KAUTH);
3123 }
3124 }
3125 #endif /* CONFIG_EXT_RESOLVER */
3126
3127 /*
3128 * Group membership KPI
3129 */
3130
3131 /*
3132 * kauth_cred_ismember_gid
3133 *
3134 * Description: Given a credential and a GID, determine if the GID is a member
3135 * of one of the supplementary groups associated with the given
3136 * credential
3137 *
3138 * Parameters: cred Credential to check in
3139 * gid GID to check for membership
3140 * resultp Pointer to int to contain the
3141 * result of the call
3142 *
3143 * Returns: 0 Success
3144 * ENOENT Could not perform lookup
3145 * kauth_resolver_submit:EWOULDBLOCK
3146 * kauth_resolver_submit:EINTR
3147 * kauth_resolver_submit:ENOMEM
3148 * kauth_resolver_submit:ENOENT User space daemon did not vend
3149 * this credential.
3150 * kauth_resolver_submit:??? Unlikely error from user space
3151 *
3152 * Implicit returns:
3153 * *resultp (modified) 1 Is member
3154 * 0 Is not member
3155 *
3156 * Notes: This function guarantees not to modify resultp when returning
3157 * an error.
3158 *
3159 * This function effectively checks the EGID as well, since the
3160 * EGID is cr_groups[0] as an implementation detail.
3161 */
3162 int
3163 kauth_cred_ismember_gid(kauth_cred_t cred, gid_t gid, int *resultp)
3164 {
3165 posix_cred_t pcred = posix_cred_get(cred);
3166 int i;
3167
3168 /*
3169 * Check the per-credential list of override groups.
3170 *
3171 * We can conditionalise this on cred->cr_gmuid == KAUTH_UID_NONE since
3172 * the cache should be used for that case.
3173 */
3174 for (i = 0; i < pcred->cr_ngroups; i++) {
3175 if (gid == pcred->cr_groups[i]) {
3176 *resultp = 1;
3177 return(0);
3178 }
3179 }
3180
3181 /*
3182 * If we don't have a UID for group membership checks, the in-cred list
3183 * was authoritative and we can stop here.
3184 */
3185 if (pcred->cr_gmuid == KAUTH_UID_NONE) {
3186 *resultp = 0;
3187 return(0);
3188 }
3189
3190 #if CONFIG_EXT_RESOLVER
3191 struct kauth_group_membership *gm;
3192 struct kauth_identity_extlookup el;
3193 int error;
3194
3195 /*
3196 * If the resolver hasn't checked in yet, we are early in the boot
3197 * phase and the local group list is complete and authoritative.
3198 */
3199 if (!kauth_resolver_registered) {
3200 *resultp = 0;
3201 return(0);
3202 }
3203
3204 /* TODO: */
3205 /* XXX check supplementary groups */
3206 /* XXX check whiteout groups */
3207 /* XXX nesting of supplementary/whiteout groups? */
3208
3209 /*
3210 * Check the group cache.
3211 */
3212 KAUTH_GROUPS_LOCK();
3213 TAILQ_FOREACH(gm, &kauth_groups, gm_link) {
3214 if ((gm->gm_uid == pcred->cr_gmuid) && (gm->gm_gid == gid) && !kauth_groups_expired(gm)) {
3215 kauth_groups_lru(gm);
3216 break;
3217 }
3218 }
3219
3220 /* did we find a membership entry? */
3221 if (gm != NULL)
3222 *resultp = (gm->gm_flags & KAUTH_GROUP_ISMEMBER) ? 1 : 0;
3223 KAUTH_GROUPS_UNLOCK();
3224
3225 /* if we did, we can return now */
3226 if (gm != NULL) {
3227 DTRACE_PROC2(kauth__group__cache__hit, int, pcred->cr_gmuid, int, gid);
3228 return(0);
3229 }
3230
3231 /* nothing in the cache, need to go to userland */
3232 bzero(&el, sizeof(el));
3233 el.el_info_pid = current_proc()->p_pid;
3234 el.el_flags = KAUTH_EXTLOOKUP_VALID_UID | KAUTH_EXTLOOKUP_VALID_GID | KAUTH_EXTLOOKUP_WANT_MEMBERSHIP;
3235 el.el_uid = pcred->cr_gmuid;
3236 el.el_gid = gid;
3237 el.el_member_valid = 0; /* XXX set by resolver? */
3238
3239 DTRACE_PROC2(kauth__group__resolver__submitted, int, el.el_uid, int, el.el_gid);
3240
3241 error = kauth_resolver_submit(&el, 0ULL);
3242
3243 DTRACE_PROC2(kauth__group__resolver__returned, int, error, int, el.el_flags);
3244
3245 if (error != 0)
3246 return(error);
3247 /* save the results from the lookup */
3248 kauth_groups_updatecache(&el);
3249
3250 /* if we successfully ascertained membership, report */
3251 if (el.el_flags & KAUTH_EXTLOOKUP_VALID_MEMBERSHIP) {
3252 *resultp = (el.el_flags & KAUTH_EXTLOOKUP_ISMEMBER) ? 1 : 0;
3253 return(0);
3254 }
3255
3256 return(ENOENT);
3257 #else
3258 *resultp = 0;
3259 return(0);
3260 #endif
3261 }
3262
3263 /*
3264 * kauth_cred_ismember_guid
3265 *
3266 * Description: Determine whether the supplied credential is a member of the
3267 * group nominated by GUID.
3268 *
3269 * Parameters: cred Credential to check in
3270 * guidp Pointer to GUID whose group
3271 * we are testing for membership
3272 * resultp Pointer to int to contain the
3273 * result of the call
3274 *
3275 * Returns: 0 Success
3276 * kauth_cred_guid2gid:EINVAL
3277 * kauth_cred_ismember_gid:ENOENT
3278 * kauth_resolver_submit:ENOENT User space daemon did not vend
3279 * this credential.
3280 * kauth_cred_ismember_gid:EWOULDBLOCK
3281 * kauth_cred_ismember_gid:EINTR
3282 * kauth_cred_ismember_gid:ENOMEM
3283 * kauth_cred_ismember_gid:??? Unlikely error from user space
3284 *
3285 * Implicit returns:
3286 * *resultp (modified) 1 Is member
3287 * 0 Is not member
3288 */
3289 int
3290 kauth_cred_ismember_guid(__unused kauth_cred_t cred, guid_t *guidp, int *resultp)
3291 {
3292 int error = 0;
3293
3294 switch (kauth_wellknown_guid(guidp)) {
3295 case KAUTH_WKG_NOBODY:
3296 *resultp = 0;
3297 break;
3298 case KAUTH_WKG_EVERYBODY:
3299 *resultp = 1;
3300 break;
3301 default:
3302 {
3303 gid_t gid;
3304 #if CONFIG_EXT_RESOLVER
3305 struct kauth_identity ki;
3306
3307 /*
3308 * Grovel the identity cache looking for this GUID.
3309 * If we find it, and it is for a user record, return
3310 * false because it's not a group.
3311 *
3312 * This is necessary because we don't have -ve caching
3313 * of group memberships, and we really want to avoid
3314 * calling out to the resolver if at all possible.
3315 *
3316 * Because we're called by the ACL evaluator, and the
3317 * ACL evaluator is likely to encounter ACEs for users,
3318 * this is expected to be a common case.
3319 */
3320 ki.ki_valid = 0;
3321 if ((error = kauth_identity_find_guid(guidp, &ki, NULL)) == 0 &&
3322 !kauth_identity_guid_expired(&ki)) {
3323 if (ki.ki_valid & KI_VALID_GID) {
3324 /* It's a group after all... */
3325 gid = ki.ki_gid;
3326 goto do_check;
3327 }
3328 if (ki.ki_valid & KI_VALID_UID) {
3329 *resultp = 0;
3330 return (0);
3331 }
3332 }
3333 #endif /* CONFIG_EXT_RESOLVER */
3334 /*
3335 * Attempt to translate the GUID to a GID. Even if
3336 * this fails, we will have primed the cache if it is
3337 * a user record and we'll see it above the next time
3338 * we're asked.
3339 */
3340 if ((error = kauth_cred_guid2gid(guidp, &gid)) != 0) {
3341 /*
3342 * If we have no guid -> gid translation, it's not a group and
3343 * thus the cred can't be a member.
3344 */
3345 if (error == ENOENT) {
3346 *resultp = 0;
3347 error = 0;
3348 }
3349 } else {
3350 #if CONFIG_EXT_RESOLVER
3351 do_check:
3352 #endif /* CONFIG_EXT_RESOLVER */
3353 error = kauth_cred_ismember_gid(cred, gid, resultp);
3354 }
3355 }
3356 break;
3357 }
3358 return(error);
3359 }
3360
3361 /*
3362 * kauth_cred_gid_subset
3363 *
3364 * Description: Given two credentials, determine if all GIDs associated with
3365 * the first are also associated with the second
3366 *
3367 * Parameters: cred1 Credential to check for
3368 * cred2 Credential to check in
3369 * resultp Pointer to int to contain the
3370 * result of the call
3371 *
3372 * Returns: 0 Success
3373 * non-zero See kauth_cred_ismember_gid for
3374 * error codes
3375 *
3376 * Implicit returns:
3377 * *resultp (modified) 1 Is subset
3378 * 0 Is not subset
3379 *
3380 * Notes: This function guarantees not to modify resultp when returning
3381 * an error.
3382 */
3383 int
3384 kauth_cred_gid_subset(kauth_cred_t cred1, kauth_cred_t cred2, int *resultp)
3385 {
3386 int i, err, res = 1;
3387 gid_t gid;
3388 posix_cred_t pcred1 = posix_cred_get(cred1);
3389 posix_cred_t pcred2 = posix_cred_get(cred2);
3390
3391 /* First, check the local list of groups */
3392 for (i = 0; i < pcred1->cr_ngroups; i++) {
3393 gid = pcred1->cr_groups[i];
3394 if ((err = kauth_cred_ismember_gid(cred2, gid, &res)) != 0) {
3395 return err;
3396 }
3397
3398 if (!res && gid != pcred2->cr_rgid && gid != pcred2->cr_svgid) {
3399 *resultp = 0;
3400 return 0;
3401 }
3402 }
3403
3404 /* Check real gid */
3405 if ((err = kauth_cred_ismember_gid(cred2, pcred1->cr_rgid, &res)) != 0) {
3406 return err;
3407 }
3408
3409 if (!res && pcred1->cr_rgid != pcred2->cr_rgid &&
3410 pcred1->cr_rgid != pcred2->cr_svgid) {
3411 *resultp = 0;
3412 return 0;
3413 }
3414
3415 /* Finally, check saved gid */
3416 if ((err = kauth_cred_ismember_gid(cred2, pcred1->cr_svgid, &res)) != 0){
3417 return err;
3418 }
3419
3420 if (!res && pcred1->cr_svgid != pcred2->cr_rgid &&
3421 pcred1->cr_svgid != pcred2->cr_svgid) {
3422 *resultp = 0;
3423 return 0;
3424 }
3425
3426 *resultp = 1;
3427 return 0;
3428 }
3429
3430
3431 /*
3432 * kauth_cred_issuser
3433 *
3434 * Description: Fast replacement for issuser()
3435 *
3436 * Parameters: cred Credential to check for super
3437 * user privileges
3438 *
3439 * Returns: 0 Not super user
3440 * !0 Is super user
3441 *
3442 * Notes: This function uses a magic number which is not a manifest
3443 * constant; this is bad practice.
3444 */
3445 int
3446 kauth_cred_issuser(kauth_cred_t cred)
3447 {
3448 return(kauth_cred_getuid(cred) == 0);
3449 }
3450
3451
3452 /*
3453 * Credential KPI
3454 */
3455
3456 /* lock protecting credential hash table */
3457 static lck_mtx_t *kauth_cred_hash_mtx;
3458 #define KAUTH_CRED_HASH_LOCK() lck_mtx_lock(kauth_cred_hash_mtx);
3459 #define KAUTH_CRED_HASH_UNLOCK() lck_mtx_unlock(kauth_cred_hash_mtx);
3460 #if KAUTH_CRED_HASH_DEBUG
3461 #define KAUTH_CRED_HASH_LOCK_ASSERT() lck_mtx_assert(kauth_cred_hash_mtx, LCK_MTX_ASSERT_OWNED)
3462 #else /* !KAUTH_CRED_HASH_DEBUG */
3463 #define KAUTH_CRED_HASH_LOCK_ASSERT()
3464 #endif /* !KAUTH_CRED_HASH_DEBUG */
3465
3466
3467 /*
3468 * kauth_cred_init
3469 *
3470 * Description: Initialize the credential hash cache
3471 *
3472 * Parameters: (void)
3473 *
3474 * Returns: (void)
3475 *
3476 * Notes: Intialize the credential hash cache for use; the credential
3477 * hash cache is used convert duplicate credentials into a
3478 * single reference counted credential in order to save wired
3479 * kernel memory. In practice, this generally means a desktop
3480 * system runs with a few tens of credentials, instead of one
3481 * per process, one per thread, one per vnode cache entry, and
3482 * so on. This generally results in savings of 200K or more
3483 * (potentially much more on server systems).
3484 *
3485 * The hash cache internally has a reference on the credential
3486 * for itself as a means of avoiding a reclaim race for a
3487 * credential in the process of having it's last non-hash
3488 * reference released. This would otherwise result in the
3489 * possibility of a freed credential that was still in uses due
3490 * a race. This use is protected by the KAUTH_CRED_HASH_LOCK.
3491 *
3492 * On final release, the hash reference is droped, and the
3493 * credential is freed back to the system.
3494 *
3495 * This function is called from kauth_init() in the file
3496 * kern_authorization.c.
3497 */
3498 void
3499 kauth_cred_init(void)
3500 {
3501 int i;
3502
3503 kauth_cred_hash_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0/*LCK_ATTR_NULL*/);
3504
3505 /*allocate credential hash table */
3506 MALLOC(kauth_cred_table_anchor, struct kauth_cred_entry_head *,
3507 (sizeof(struct kauth_cred_entry_head) * KAUTH_CRED_TABLE_SIZE),
3508 M_KAUTH, M_WAITOK | M_ZERO);
3509 if (kauth_cred_table_anchor == NULL)
3510 panic("startup: kauth_cred_init");
3511 for (i = 0; i < KAUTH_CRED_TABLE_SIZE; i++) {
3512 TAILQ_INIT(&kauth_cred_table_anchor[i]);
3513 }
3514 }
3515
3516
3517 /*
3518 * kauth_getuid
3519 *
3520 * Description: Get the current thread's effective UID.
3521 *
3522 * Parameters: (void)
3523 *
3524 * Returns: (uid_t) The effective UID of the
3525 * current thread
3526 */
3527 uid_t
3528 kauth_getuid(void)
3529 {
3530 return(kauth_cred_getuid(kauth_cred_get()));
3531 }
3532
3533
3534 /*
3535 * kauth_getruid
3536 *
3537 * Description: Get the current thread's real UID.
3538 *
3539 * Parameters: (void)
3540 *
3541 * Returns: (uid_t) The real UID of the current
3542 * thread
3543 */
3544 uid_t
3545 kauth_getruid(void)
3546 {
3547 return(kauth_cred_getruid(kauth_cred_get()));
3548 }
3549
3550
3551 /*
3552 * kauth_getgid
3553 *
3554 * Description: Get the current thread's effective GID.
3555 *
3556 * Parameters: (void)
3557 *
3558 * Returns: (gid_t) The effective GID of the
3559 * current thread
3560 */
3561 gid_t
3562 kauth_getgid(void)
3563 {
3564 return(kauth_cred_getgid(kauth_cred_get()));
3565 }
3566
3567
3568 /*
3569 * kauth_getgid
3570 *
3571 * Description: Get the current thread's real GID.
3572 *
3573 * Parameters: (void)
3574 *
3575 * Returns: (gid_t) The real GID of the current
3576 * thread
3577 */
3578 gid_t
3579 kauth_getrgid(void)
3580 {
3581 return(kauth_cred_getrgid(kauth_cred_get()));
3582 }
3583
3584
3585 /*
3586 * kauth_cred_get
3587 *
3588 * Description: Returns a pointer to the current thread's credential
3589 *
3590 * Parameters: (void)
3591 *
3592 * Returns: (kauth_cred_t) Pointer to the current thread's
3593 * credential
3594 *
3595 * Notes: This function does not take a reference; because of this, the
3596 * caller MUST NOT do anything that would let the thread's
3597 * credential change while using the returned value, without
3598 * first explicitly taking their own reference.
3599 *
3600 * If a caller intends to take a reference on the resulting
3601 * credential pointer from calling this function, it is strongly
3602 * recommended that the caller use kauth_cred_get_with_ref()
3603 * instead, to protect against any future changes to the cred
3604 * locking protocols; such changes could otherwise potentially
3605 * introduce race windows in the callers code.
3606 */
3607 kauth_cred_t
3608 kauth_cred_get(void)
3609 {
3610 struct proc *p;
3611 struct uthread *uthread;
3612
3613 uthread = get_bsdthread_info(current_thread());
3614 /* sanity */
3615 if (uthread == NULL)
3616 panic("thread wants credential but has no BSD thread info");
3617 /*
3618 * We can lazy-bind credentials to threads, as long as their processes
3619 * have them.
3620 *
3621 * XXX If we later inline this function, the code in this block
3622 * XXX should probably be called out in a function.
3623 */
3624 if (uthread->uu_ucred == NOCRED) {
3625 if ((p = (proc_t) get_bsdtask_info(get_threadtask(current_thread()))) == NULL)
3626 panic("thread wants credential but has no BSD process");
3627 uthread->uu_ucred = kauth_cred_proc_ref(p);
3628 }
3629 return(uthread->uu_ucred);
3630 }
3631
3632 void
3633 mach_kauth_cred_uthread_update(void)
3634 {
3635 uthread_t uthread;
3636 proc_t proc;
3637
3638 uthread = get_bsdthread_info(current_thread());
3639 proc = current_proc();
3640
3641 kauth_cred_uthread_update(uthread, proc);
3642 }
3643
3644 /*
3645 * kauth_cred_uthread_update
3646 *
3647 * Description: Given a uthread, a proc, and whether or not the proc is locked,
3648 * late-bind the uthread cred to the proc cred.
3649 *
3650 * Parameters: uthread_t The uthread to update
3651 * proc_t The process to update to
3652 *
3653 * Returns: (void)
3654 *
3655 * Notes: This code is common code called from system call or trap entry
3656 * in the case that the process thread may have been changed
3657 * since the last time the thread entered the kernel. It is
3658 * generally only called with the current uthread and process as
3659 * parameters.
3660 */
3661 void
3662 kauth_cred_uthread_update(uthread_t uthread, proc_t proc)
3663 {
3664 if (uthread->uu_ucred != proc->p_ucred &&
3665 (uthread->uu_flag & UT_SETUID) == 0) {
3666 kauth_cred_t old = uthread->uu_ucred;
3667 uthread->uu_ucred = kauth_cred_proc_ref(proc);
3668 if (IS_VALID_CRED(old))
3669 kauth_cred_unref(&old);
3670 }
3671 }
3672
3673
3674 /*
3675 * kauth_cred_get_with_ref
3676 *
3677 * Description: Takes a reference on the current thread's credential, and then
3678 * returns a pointer to it to the caller.
3679 *
3680 * Parameters: (void)
3681 *
3682 * Returns: (kauth_cred_t) Pointer to the current thread's
3683 * newly referenced credential
3684 *
3685 * Notes: This function takes a reference on the credential before
3686 * returning it to the caller.
3687 *
3688 * It is the responsibility of the calling code to release this
3689 * reference when the credential is no longer in use.
3690 *
3691 * Since the returned reference may be a persistent reference
3692 * (e.g. one cached in another data structure with a lifetime
3693 * longer than the calling function), this release may be delayed
3694 * until such time as the persistent reference is to be destroyed.
3695 * An example of this would be the per vnode credential cache used
3696 * to accelerate lookup operations.
3697 */
3698 kauth_cred_t
3699 kauth_cred_get_with_ref(void)
3700 {
3701 struct proc *procp;
3702 struct uthread *uthread;
3703
3704 uthread = get_bsdthread_info(current_thread());
3705 /* sanity checks */
3706 if (uthread == NULL)
3707 panic("%s - thread wants credential but has no BSD thread info", __FUNCTION__);
3708 if ((procp = (proc_t) get_bsdtask_info(get_threadtask(current_thread()))) == NULL)
3709 panic("%s - thread wants credential but has no BSD process", __FUNCTION__);
3710
3711 /*
3712 * We can lazy-bind credentials to threads, as long as their processes
3713 * have them.
3714 *
3715 * XXX If we later inline this function, the code in this block
3716 * XXX should probably be called out in a function.
3717 */
3718 if (uthread->uu_ucred == NOCRED) {
3719 /* take reference for new cred in thread */
3720 uthread->uu_ucred = kauth_cred_proc_ref(procp);
3721 }
3722 /* take a reference for our caller */
3723 kauth_cred_ref(uthread->uu_ucred);
3724 return(uthread->uu_ucred);
3725 }
3726
3727
3728 /*
3729 * kauth_cred_proc_ref
3730 *
3731 * Description: Takes a reference on the current process's credential, and
3732 * then returns a pointer to it to the caller.
3733 *
3734 * Parameters: procp Process whose credential we
3735 * intend to take a reference on
3736 *
3737 * Returns: (kauth_cred_t) Pointer to the process's
3738 * newly referenced credential
3739 *
3740 * Locks: PROC_UCRED_LOCK is held before taking the reference and released
3741 * after the refeence is taken to protect the p_ucred field of
3742 * the process referred to by procp.
3743 *
3744 * Notes: This function takes a reference on the credential before
3745 * returning it to the caller.
3746 *
3747 * It is the responsibility of the calling code to release this
3748 * reference when the credential is no longer in use.
3749 *
3750 * Since the returned reference may be a persistent reference
3751 * (e.g. one cached in another data structure with a lifetime
3752 * longer than the calling function), this release may be delayed
3753 * until such time as the persistent reference is to be destroyed.
3754 * An example of this would be the per vnode credential cache used
3755 * to accelerate lookup operations.
3756 */
3757 kauth_cred_t
3758 kauth_cred_proc_ref(proc_t procp)
3759 {
3760 kauth_cred_t cred;
3761
3762 proc_ucred_lock(procp);
3763 cred = proc_ucred(procp);
3764 kauth_cred_ref(cred);
3765 proc_ucred_unlock(procp);
3766 return(cred);
3767 }
3768
3769
3770 /*
3771 * kauth_cred_alloc
3772 *
3773 * Description: Allocate a new credential
3774 *
3775 * Parameters: (void)
3776 *
3777 * Returns: !NULL Newly allocated credential
3778 * NULL Insufficient memory
3779 *
3780 * Notes: The newly allocated credential is zero'ed as part of the
3781 * allocation process, with the exception of the reference
3782 * count, which is set to 1 to indicate a single reference
3783 * held by the caller.
3784 *
3785 * Since newly allocated credentials have no external pointers
3786 * referencing them, prior to making them visible in an externally
3787 * visible pointer (e.g. by adding them to the credential hash
3788 * cache) is the only legal time in which an existing credential
3789 * can be safely iinitialized or modified directly.
3790 *
3791 * After initialization, the caller is expected to call the
3792 * function kauth_cred_add() to add the credential to the hash
3793 * cache, after which time it's frozen and becomes publically
3794 * visible.
3795 *
3796 * The release protocol depends on kauth_hash_add() being called
3797 * before kauth_cred_rele() (there is a diagnostic panic which
3798 * will trigger if this protocol is not observed).
3799 *
3800 * XXX: This function really ought to be static, rather than being
3801 * exported as KPI, since a failure of kauth_cred_add() can only
3802 * be handled by an explicit free of the credential; such frees
3803 * depend on knowlegdge of the allocation method used, which is
3804 * permitted to change between kernel revisions.
3805 *
3806 * XXX: In the insufficient resource case, this code panic's rather
3807 * than returning a NULL pointer; the code that calls this
3808 * function needs to be audited before this can be changed.
3809 */
3810 kauth_cred_t
3811 kauth_cred_alloc(void)
3812 {
3813 kauth_cred_t newcred;
3814
3815 MALLOC_ZONE(newcred, kauth_cred_t, sizeof(*newcred), M_CRED, M_WAITOK);
3816 if (newcred != 0) {
3817 posix_cred_t newpcred = posix_cred_get(newcred);
3818 bzero(newcred, sizeof(*newcred));
3819 newcred->cr_ref = 1;
3820 newcred->cr_audit.as_aia_p = audit_default_aia_p;
3821 /* must do this, or cred has same group membership as uid 0 */
3822 newpcred->cr_gmuid = KAUTH_UID_NONE;
3823 #if CRED_DIAGNOSTIC
3824 } else {
3825 panic("kauth_cred_alloc: couldn't allocate credential");
3826 #endif
3827 }
3828
3829 #if KAUTH_CRED_HASH_DEBUG
3830 kauth_cred_count++;
3831 #endif
3832
3833 #if CONFIG_MACF
3834 mac_cred_label_init(newcred);
3835 #endif
3836
3837 return(newcred);
3838 }
3839
3840
3841 /*
3842 * kauth_cred_create
3843 *
3844 * Description: Look to see if we already have a known credential in the hash
3845 * cache; if one is found, bump the reference count and return
3846 * it. If there are no credentials that match the given
3847 * credential, then allocate a new credential.
3848 *
3849 * Parameters: cred Template for credential to
3850 * be created
3851 *
3852 * Returns: (kauth_cred_t) The credential that was found
3853 * in the hash or created
3854 * NULL kauth_cred_add() failed, or
3855 * there was not an egid specified
3856 *
3857 * Notes: The gmuid is hard-defaulted to the UID specified. Since we
3858 * maintain this field, we can't expect callers to know how it
3859 * needs to be set. Callers should be prepared for this field
3860 * to be overwritten.
3861 *
3862 * XXX: This code will tight-loop if memory for a new credential is
3863 * persistently unavailable; this is perhaps not the wisest way
3864 * to handle this condition, but current callers do not expect
3865 * a failure.
3866 */
3867 kauth_cred_t
3868 kauth_cred_create(kauth_cred_t cred)
3869 {
3870 kauth_cred_t found_cred, new_cred = NULL;
3871 posix_cred_t pcred = posix_cred_get(cred);
3872 int is_member = 0;
3873
3874 KAUTH_CRED_HASH_LOCK_ASSERT();
3875
3876 if (pcred->cr_flags & CRF_NOMEMBERD) {
3877 pcred->cr_gmuid = KAUTH_UID_NONE;
3878 } else {
3879 /*
3880 * If the template credential is not opting out of external
3881 * group membership resolution, then we need to check that
3882 * the UID we will be using is resolvable by the external
3883 * resolver. If it's not, then we opt it out anyway, since
3884 * all future external resolution requests will be failing
3885 * anyway, and potentially taking a long time to do it. We
3886 * use gid 0 because we always know it will exist and not
3887 * trigger additional lookups. This is OK, because we end up
3888 * precatching the information here as a result.
3889 */
3890 if (!kauth_cred_ismember_gid(cred, 0, &is_member)) {
3891 /*
3892 * It's a recognized value; we don't really care about
3893 * the answer, so long as it's something the external
3894 * resolver could have vended.
3895 */
3896 pcred->cr_gmuid = pcred->cr_uid;
3897 } else {
3898 /*
3899 * It's not something the external resolver could
3900 * have vended, so we don't want to ask it more
3901 * questions about the credential in the future. This
3902 * speeds up future lookups, as long as the caller
3903 * caches results; otherwise, it the same recurring
3904 * cost. Since most credentials are used multiple
3905 * times, we still get some performance win from this.
3906 */
3907 pcred->cr_gmuid = KAUTH_UID_NONE;
3908 pcred->cr_flags |= CRF_NOMEMBERD;
3909 }
3910 }
3911
3912 /* Caller *must* specify at least the egid in cr_groups[0] */
3913 if (pcred->cr_ngroups < 1)
3914 return(NULL);
3915
3916 for (;;) {
3917 KAUTH_CRED_HASH_LOCK();
3918 found_cred = kauth_cred_find(cred);
3919 if (found_cred != NULL) {
3920 /*
3921 * Found an existing credential so we'll bump
3922 * reference count and return
3923 */
3924 kauth_cred_ref(found_cred);
3925 KAUTH_CRED_HASH_UNLOCK();
3926 return(found_cred);
3927 }
3928 KAUTH_CRED_HASH_UNLOCK();
3929
3930 /*
3931 * No existing credential found. Create one and add it to
3932 * our hash table.
3933 */
3934 new_cred = kauth_cred_alloc();
3935 if (new_cred != NULL) {
3936 int err;
3937 posix_cred_t new_pcred = posix_cred_get(new_cred);
3938 new_pcred->cr_uid = pcred->cr_uid;
3939 new_pcred->cr_ruid = pcred->cr_ruid;
3940 new_pcred->cr_svuid = pcred->cr_svuid;
3941 new_pcred->cr_rgid = pcred->cr_rgid;
3942 new_pcred->cr_svgid = pcred->cr_svgid;
3943 new_pcred->cr_gmuid = pcred->cr_gmuid;
3944 new_pcred->cr_ngroups = pcred->cr_ngroups;
3945 bcopy(&pcred->cr_groups[0], &new_pcred->cr_groups[0], sizeof(new_pcred->cr_groups));
3946 #if CONFIG_AUDIT
3947 bcopy(&cred->cr_audit, &new_cred->cr_audit,
3948 sizeof(new_cred->cr_audit));
3949 #endif
3950 new_pcred->cr_flags = pcred->cr_flags;
3951
3952 KAUTH_CRED_HASH_LOCK();
3953 err = kauth_cred_add(new_cred);
3954 KAUTH_CRED_HASH_UNLOCK();
3955
3956 /* Retry if kauth_cred_add returns non zero value */
3957 if (err == 0)
3958 break;
3959 #if CONFIG_MACF
3960 mac_cred_label_destroy(new_cred);
3961 #endif
3962 AUDIT_SESSION_UNREF(new_cred);
3963
3964 FREE_ZONE(new_cred, sizeof(*new_cred), M_CRED);
3965 new_cred = NULL;
3966 }
3967 }
3968
3969 return(new_cred);
3970 }
3971
3972
3973 /*
3974 * kauth_cred_setresuid
3975 *
3976 * Description: Update the given credential using the UID arguments. The given
3977 * UIDs are used to set the effective UID, real UID, saved UID,
3978 * and GMUID (used for group membership checking).
3979 *
3980 * Parameters: cred The original credential
3981 * ruid The new real UID
3982 * euid The new effective UID
3983 * svuid The new saved UID
3984 * gmuid KAUTH_UID_NONE -or- the new
3985 * group membership UID
3986 *
3987 * Returns: (kauth_cred_t) The updated credential
3988 *
3989 * Note: gmuid is different in that a KAUTH_UID_NONE is a valid
3990 * setting, so if you don't want it to change, pass it the
3991 * previous value, explicitly.
3992 *
3993 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
3994 * if it returns a credential other than the one it is passed,
3995 * will have dropped the reference on the passed credential. All
3996 * callers should be aware of this, and treat this function as an
3997 * unref + ref, potentially on different credentials.
3998 *
3999 * Because of this, the caller is expected to take its own
4000 * reference on the credential passed as the first parameter,
4001 * and be prepared to release the reference on the credential
4002 * that is returned to them, if it is not intended to be a
4003 * persistent reference.
4004 */
4005 kauth_cred_t
4006 kauth_cred_setresuid(kauth_cred_t cred, uid_t ruid, uid_t euid, uid_t svuid, uid_t gmuid)
4007 {
4008 struct ucred temp_cred;
4009 posix_cred_t temp_pcred = posix_cred_get(&temp_cred);
4010 posix_cred_t pcred = posix_cred_get(cred);
4011
4012 NULLCRED_CHECK(cred);
4013
4014 /*
4015 * We don't need to do anything if the UIDs we are changing are
4016 * already the same as the UIDs passed in
4017 */
4018 if ((euid == KAUTH_UID_NONE || pcred->cr_uid == euid) &&
4019 (ruid == KAUTH_UID_NONE || pcred->cr_ruid == ruid) &&
4020 (svuid == KAUTH_UID_NONE || pcred->cr_svuid == svuid) &&
4021 (pcred->cr_gmuid == gmuid)) {
4022 /* no change needed */
4023 return(cred);
4024 }
4025
4026 /*
4027 * Look up in cred hash table to see if we have a matching credential
4028 * with the new values; this is done by calling kauth_cred_update().
4029 */
4030 bcopy(cred, &temp_cred, sizeof(temp_cred));
4031 if (euid != KAUTH_UID_NONE) {
4032 temp_pcred->cr_uid = euid;
4033 }
4034 if (ruid != KAUTH_UID_NONE) {
4035 temp_pcred->cr_ruid = ruid;
4036 }
4037 if (svuid != KAUTH_UID_NONE) {
4038 temp_pcred->cr_svuid = svuid;
4039 }
4040
4041 /*
4042 * If we are setting the gmuid to KAUTH_UID_NONE, then we want to
4043 * opt out of participation in external group resolution, unless we
4044 * unless we explicitly opt back in later.
4045 */
4046 if ((temp_pcred->cr_gmuid = gmuid) == KAUTH_UID_NONE) {
4047 temp_pcred->cr_flags |= CRF_NOMEMBERD;
4048 }
4049
4050 return(kauth_cred_update(cred, &temp_cred, TRUE));
4051 }
4052
4053
4054 /*
4055 * kauth_cred_setresgid
4056 *
4057 * Description: Update the given credential using the GID arguments. The given
4058 * GIDs are used to set the effective GID, real GID, and saved
4059 * GID.
4060 *
4061 * Parameters: cred The original credential
4062 * rgid The new real GID
4063 * egid The new effective GID
4064 * svgid The new saved GID
4065 *
4066 * Returns: (kauth_cred_t) The updated credential
4067 *
4068 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
4069 * if it returns a credential other than the one it is passed,
4070 * will have dropped the reference on the passed credential. All
4071 * callers should be aware of this, and treat this function as an
4072 * unref + ref, potentially on different credentials.
4073 *
4074 * Because of this, the caller is expected to take its own
4075 * reference on the credential passed as the first parameter,
4076 * and be prepared to release the reference on the credential
4077 * that is returned to them, if it is not intended to be a
4078 * persistent reference.
4079 */
4080 kauth_cred_t
4081 kauth_cred_setresgid(kauth_cred_t cred, gid_t rgid, gid_t egid, gid_t svgid)
4082 {
4083 struct ucred temp_cred;
4084 posix_cred_t temp_pcred = posix_cred_get(&temp_cred);
4085 posix_cred_t pcred = posix_cred_get(cred);
4086
4087 NULLCRED_CHECK(cred);
4088 DEBUG_CRED_ENTER("kauth_cred_setresgid %p %d %d %d\n", cred, rgid, egid, svgid);
4089
4090 /*
4091 * We don't need to do anything if the given GID are already the
4092 * same as the GIDs in the credential.
4093 */
4094 if (pcred->cr_groups[0] == egid &&
4095 pcred->cr_rgid == rgid &&
4096 pcred->cr_svgid == svgid) {
4097 /* no change needed */
4098 return(cred);
4099 }
4100
4101 /*
4102 * Look up in cred hash table to see if we have a matching credential
4103 * with the new values; this is done by calling kauth_cred_update().
4104 */
4105 bcopy(cred, &temp_cred, sizeof(temp_cred));
4106 if (egid != KAUTH_GID_NONE) {
4107 /* displacing a supplementary group opts us out of memberd */
4108 if (kauth_cred_change_egid(&temp_cred, egid)) {
4109 DEBUG_CRED_CHANGE("displaced!\n");
4110 temp_pcred->cr_flags |= CRF_NOMEMBERD;
4111 temp_pcred->cr_gmuid = KAUTH_UID_NONE;
4112 } else {
4113 DEBUG_CRED_CHANGE("not displaced\n");
4114 }
4115 }
4116 if (rgid != KAUTH_GID_NONE) {
4117 temp_pcred->cr_rgid = rgid;
4118 }
4119 if (svgid != KAUTH_GID_NONE) {
4120 temp_pcred->cr_svgid = svgid;
4121 }
4122
4123 return(kauth_cred_update(cred, &temp_cred, TRUE));
4124 }
4125
4126
4127 /*
4128 * Update the given credential with the given groups. We only allocate a new
4129 * credential when the given gid actually results in changes to the existing
4130 * credential.
4131 * The gmuid argument supplies a new uid (or KAUTH_UID_NONE to opt out)
4132 * which will be used for group membership checking.
4133 */
4134 /*
4135 * kauth_cred_setgroups
4136 *
4137 * Description: Update the given credential using the provide supplementary
4138 * group list and group membership UID
4139 *
4140 * Parameters: cred The original credential
4141 * groups Pointer to gid_t array which
4142 * contains the new group list
4143 * groupcount The count of valid groups which
4144 * are contained in 'groups'
4145 * gmuid KAUTH_UID_NONE -or- the new
4146 * group membership UID
4147 *
4148 * Returns: (kauth_cred_t) The updated credential
4149 *
4150 * Note: gmuid is different in that a KAUTH_UID_NONE is a valid
4151 * setting, so if you don't want it to change, pass it the
4152 * previous value, explicitly.
4153 *
4154 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
4155 * if it returns a credential other than the one it is passed,
4156 * will have dropped the reference on the passed credential. All
4157 * callers should be aware of this, and treat this function as an
4158 * unref + ref, potentially on different credentials.
4159 *
4160 * Because of this, the caller is expected to take its own
4161 * reference on the credential passed as the first parameter,
4162 * and be prepared to release the reference on the credential
4163 * that is returned to them, if it is not intended to be a
4164 * persistent reference.
4165 *
4166 * XXX: Changes are determined in ordinal order - if the caller passes
4167 * in the same groups list that is already present in the
4168 * credential, but the members are in a different order, even if
4169 * the EGID is not modified (i.e. cr_groups[0] is the same), it
4170 * is considered a modification to the credential, and a new
4171 * credential is created.
4172 *
4173 * This should perhaps be better optimized, but it is considered
4174 * to be the caller's problem.
4175 */
4176 kauth_cred_t
4177 kauth_cred_setgroups(kauth_cred_t cred, gid_t *groups, int groupcount, uid_t gmuid)
4178 {
4179 int i;
4180 struct ucred temp_cred;
4181 posix_cred_t temp_pcred = posix_cred_get(&temp_cred);
4182 posix_cred_t pcred;
4183
4184 NULLCRED_CHECK(cred);
4185
4186 pcred = posix_cred_get(cred);
4187
4188 /*
4189 * We don't need to do anything if the given list of groups does not
4190 * change.
4191 */
4192 if ((pcred->cr_gmuid == gmuid) && (pcred->cr_ngroups == groupcount)) {
4193 for (i = 0; i < groupcount; i++) {
4194 if (pcred->cr_groups[i] != groups[i])
4195 break;
4196 }
4197 if (i == groupcount) {
4198 /* no change needed */
4199 return(cred);
4200 }
4201 }
4202
4203 /*
4204 * Look up in cred hash table to see if we have a matching credential
4205 * with new values. If we are setting or clearing the gmuid, then
4206 * update the cr_flags, since clearing it is sticky. This permits an
4207 * opt-out of memberd processing using setgroups(), and an opt-in
4208 * using initgroups(). This is required for POSIX conformance.
4209 */
4210 bcopy(cred, &temp_cred, sizeof(temp_cred));
4211 temp_pcred->cr_ngroups = groupcount;
4212 bcopy(groups, temp_pcred->cr_groups, sizeof(temp_pcred->cr_groups));
4213 temp_pcred->cr_gmuid = gmuid;
4214 if (gmuid == KAUTH_UID_NONE)
4215 temp_pcred->cr_flags |= CRF_NOMEMBERD;
4216 else
4217 temp_pcred->cr_flags &= ~CRF_NOMEMBERD;
4218
4219 return(kauth_cred_update(cred, &temp_cred, TRUE));
4220 }
4221
4222 /*
4223 * Notes: The return value exists to account for the possibility of a
4224 * kauth_cred_t without a POSIX label. This will be the case in
4225 * the future (see posix_cred_get() below, for more details).
4226 */
4227 #if CONFIG_EXT_RESOLVER
4228 int kauth_external_supplementary_groups_supported = 1;
4229
4230 SYSCTL_INT(_kern, OID_AUTO, ds_supgroups_supported, CTLFLAG_RW | CTLFLAG_LOCKED, &kauth_external_supplementary_groups_supported, 0, "");
4231 #endif
4232
4233 int
4234 kauth_cred_getgroups(kauth_cred_t cred, gid_t *grouplist, int *countp)
4235 {
4236 int limit = NGROUPS;
4237 posix_cred_t pcred;
4238
4239 pcred = posix_cred_get(cred);
4240
4241 #if CONFIG_EXT_RESOLVER
4242 /*
4243 * If we've not opted out of using the resolver, then convert the cred to a list
4244 * of supplemental groups. We do this only if there has been a resolver to talk to,
4245 * since we may be too early in boot, or in an environment that isn't using DS.
4246 */
4247 if (kauth_identitysvc_has_registered && kauth_external_supplementary_groups_supported && (pcred->cr_flags & CRF_NOMEMBERD) == 0) {
4248 uid_t uid = kauth_cred_getuid(cred);
4249 int err;
4250
4251 err = kauth_cred_uid2groups(&uid, grouplist, countp);
4252 if (!err)
4253 return 0;
4254
4255 /* On error just fall through */
4256 KAUTH_DEBUG("kauth_cred_getgroups failed %d\n", err);
4257 }
4258 #endif /* CONFIG_EXT_RESOLVER */
4259
4260 /*
4261 * If they just want a copy of the groups list, they may not care
4262 * about the actual count. If they specify an input count, however,
4263 * treat it as an indicator of the buffer size available in grouplist,
4264 * and limit the returned list to that size.
4265 */
4266 if (countp) {
4267 limit = MIN(*countp, pcred->cr_ngroups);
4268 *countp = limit;
4269 }
4270
4271 memcpy(grouplist, pcred->cr_groups, sizeof(gid_t) * limit);
4272
4273 return 0;
4274 }
4275
4276
4277 /*
4278 * kauth_cred_setuidgid
4279 *
4280 * Description: Update the given credential using the UID and GID arguments.
4281 * The given UID is used to set the effective UID, real UID, and
4282 * saved UID. The given GID is used to set the effective GID,
4283 * real GID, and saved GID.
4284 *
4285 * Parameters: cred The original credential
4286 * uid The new UID to use
4287 * gid The new GID to use
4288 *
4289 * Returns: (kauth_cred_t) The updated credential
4290 *
4291 * Notes: We set the gmuid to uid if the credential we are inheriting
4292 * from has not opted out of memberd participation; otherwise
4293 * we set it to KAUTH_UID_NONE
4294 *
4295 * This code is only ever called from the per-thread credential
4296 * code path in the "set per thread credential" case; and in
4297 * posix_spawn() in the case that the POSIX_SPAWN_RESETIDS
4298 * flag is set.
4299 *
4300 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
4301 * if it returns a credential other than the one it is passed,
4302 * will have dropped the reference on the passed credential. All
4303 * callers should be aware of this, and treat this function as an
4304 * unref + ref, potentially on different credentials.
4305 *
4306 * Because of this, the caller is expected to take its own
4307 * reference on the credential passed as the first parameter,
4308 * and be prepared to release the reference on the credential
4309 * that is returned to them, if it is not intended to be a
4310 * persistent reference.
4311 */
4312 kauth_cred_t
4313 kauth_cred_setuidgid(kauth_cred_t cred, uid_t uid, gid_t gid)
4314 {
4315 struct ucred temp_cred;
4316 posix_cred_t temp_pcred = posix_cred_get(&temp_cred);
4317 posix_cred_t pcred;
4318
4319 NULLCRED_CHECK(cred);
4320
4321 pcred = posix_cred_get(cred);
4322
4323 /*
4324 * We don't need to do anything if the effective, real and saved
4325 * user IDs are already the same as the user ID passed into us.
4326 */
4327 if (pcred->cr_uid == uid && pcred->cr_ruid == uid && pcred->cr_svuid == uid &&
4328 pcred->cr_gid == gid && pcred->cr_rgid == gid && pcred->cr_svgid == gid) {
4329 /* no change needed */
4330 return(cred);
4331 }
4332
4333 /*
4334 * Look up in cred hash table to see if we have a matching credential
4335 * with the new values.
4336 */
4337 bzero(&temp_cred, sizeof(temp_cred));
4338 temp_pcred->cr_uid = uid;
4339 temp_pcred->cr_ruid = uid;
4340 temp_pcred->cr_svuid = uid;
4341 temp_pcred->cr_flags = pcred->cr_flags;
4342 /* inherit the opt-out of memberd */
4343 if (pcred->cr_flags & CRF_NOMEMBERD) {
4344 temp_pcred->cr_gmuid = KAUTH_UID_NONE;
4345 temp_pcred->cr_flags |= CRF_NOMEMBERD;
4346 } else {
4347 temp_pcred->cr_gmuid = uid;
4348 temp_pcred->cr_flags &= ~CRF_NOMEMBERD;
4349 }
4350 temp_pcred->cr_ngroups = 1;
4351 /* displacing a supplementary group opts us out of memberd */
4352 if (kauth_cred_change_egid(&temp_cred, gid)) {
4353 temp_pcred->cr_gmuid = KAUTH_UID_NONE;
4354 temp_pcred->cr_flags |= CRF_NOMEMBERD;
4355 }
4356 temp_pcred->cr_rgid = gid;
4357 temp_pcred->cr_svgid = gid;
4358 #if CONFIG_MACF
4359 temp_cred.cr_label = cred->cr_label;
4360 #endif
4361
4362 return(kauth_cred_update(cred, &temp_cred, TRUE));
4363 }
4364
4365
4366 /*
4367 * kauth_cred_setsvuidgid
4368 *
4369 * Description: Function used by execve to set the saved uid and gid values
4370 * for suid/sgid programs
4371 *
4372 * Parameters: cred The credential to update
4373 * uid The saved uid to set
4374 * gid The saved gid to set
4375 *
4376 * Returns: (kauth_cred_t) The updated credential
4377 *
4378 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
4379 * if it returns a credential other than the one it is passed,
4380 * will have dropped the reference on the passed credential. All
4381 * callers should be aware of this, and treat this function as an
4382 * unref + ref, potentially on different credentials.
4383 *
4384 * Because of this, the caller is expected to take its own
4385 * reference on the credential passed as the first parameter,
4386 * and be prepared to release the reference on the credential
4387 * that is returned to them, if it is not intended to be a
4388 * persistent reference.
4389 */
4390 kauth_cred_t
4391 kauth_cred_setsvuidgid(kauth_cred_t cred, uid_t uid, gid_t gid)
4392 {
4393 struct ucred temp_cred;
4394 posix_cred_t temp_pcred = posix_cred_get(&temp_cred);
4395 posix_cred_t pcred;
4396
4397 NULLCRED_CHECK(cred);
4398
4399 pcred = posix_cred_get(cred);
4400
4401 DEBUG_CRED_ENTER("kauth_cred_setsvuidgid: %p u%d->%d g%d->%d\n", cred, cred->cr_svuid, uid, cred->cr_svgid, gid);
4402
4403 /*
4404 * We don't need to do anything if the effective, real and saved
4405 * uids are already the same as the uid provided. This check is
4406 * likely insufficient.
4407 */
4408 if (pcred->cr_svuid == uid && pcred->cr_svgid == gid) {
4409 /* no change needed */
4410 return(cred);
4411 }
4412 DEBUG_CRED_CHANGE("kauth_cred_setsvuidgid: cred change\n");
4413
4414 /* look up in cred hash table to see if we have a matching credential
4415 * with new values.
4416 */
4417 bcopy(cred, &temp_cred, sizeof(temp_cred));
4418 temp_pcred->cr_svuid = uid;
4419 temp_pcred->cr_svgid = gid;
4420
4421 return(kauth_cred_update(cred, &temp_cred, TRUE));
4422 }
4423
4424
4425 /*
4426 * kauth_cred_setauditinfo
4427 *
4428 * Description: Update the given credential using the given au_session_t.
4429 *
4430 * Parameters: cred The original credential
4431 * auditinfo_p Pointer to ne audit information
4432 *
4433 * Returns: (kauth_cred_t) The updated credential
4434 *
4435 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
4436 * if it returns a credential other than the one it is passed,
4437 * will have dropped the reference on the passed credential. All
4438 * callers should be aware of this, and treat this function as an
4439 * unref + ref, potentially on different credentials.
4440 *
4441 * Because of this, the caller is expected to take its own
4442 * reference on the credential passed as the first parameter,
4443 * and be prepared to release the reference on the credential
4444 * that is returned to them, if it is not intended to be a
4445 * persistent reference.
4446 */
4447 kauth_cred_t
4448 kauth_cred_setauditinfo(kauth_cred_t cred, au_session_t *auditinfo_p)
4449 {
4450 struct ucred temp_cred;
4451
4452 NULLCRED_CHECK(cred);
4453
4454 /*
4455 * We don't need to do anything if the audit info is already the
4456 * same as the audit info in the credential provided.
4457 */
4458 if (bcmp(&cred->cr_audit, auditinfo_p, sizeof(cred->cr_audit)) == 0) {
4459 /* no change needed */
4460 return(cred);
4461 }
4462
4463 bcopy(cred, &temp_cred, sizeof(temp_cred));
4464 bcopy(auditinfo_p, &temp_cred.cr_audit, sizeof(temp_cred.cr_audit));
4465
4466 return(kauth_cred_update(cred, &temp_cred, FALSE));
4467 }
4468
4469 #if CONFIG_MACF
4470 /*
4471 * kauth_cred_label_update
4472 *
4473 * Description: Update the MAC label associated with a credential
4474 *
4475 * Parameters: cred The original credential
4476 * label The MAC label to set
4477 *
4478 * Returns: (kauth_cred_t) The updated credential
4479 *
4480 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
4481 * if it returns a credential other than the one it is passed,
4482 * will have dropped the reference on the passed credential. All
4483 * callers should be aware of this, and treat this function as an
4484 * unref + ref, potentially on different credentials.
4485 *
4486 * Because of this, the caller is expected to take its own
4487 * reference on the credential passed as the first parameter,
4488 * and be prepared to release the reference on the credential
4489 * that is returned to them, if it is not intended to be a
4490 * persistent reference.
4491 */
4492 kauth_cred_t
4493 kauth_cred_label_update(kauth_cred_t cred, struct label *label)
4494 {
4495 kauth_cred_t newcred;
4496 struct ucred temp_cred;
4497
4498 bcopy(cred, &temp_cred, sizeof(temp_cred));
4499
4500 mac_cred_label_init(&temp_cred);
4501 mac_cred_label_associate(cred, &temp_cred);
4502 mac_cred_label_update(&temp_cred, label);
4503
4504 newcred = kauth_cred_update(cred, &temp_cred, TRUE);
4505 mac_cred_label_destroy(&temp_cred);
4506 return (newcred);
4507 }
4508
4509 /*
4510 * kauth_cred_label_update_execve
4511 *
4512 * Description: Update the MAC label associated with a credential as
4513 * part of exec
4514 *
4515 * Parameters: cred The original credential
4516 * vp The exec vnode
4517 * scriptl The script MAC label
4518 * execl The executable MAC label
4519 * disjointp Pointer to flag to set if old
4520 * and returned credentials are
4521 * disjoint
4522 *
4523 * Returns: (kauth_cred_t) The updated credential
4524 *
4525 * Implicit returns:
4526 * *disjointp Set to 1 for disjoint creds
4527 *
4528 * IMPORTANT: This function is implemented via kauth_cred_update(), which,
4529 * if it returns a credential other than the one it is passed,
4530 * will have dropped the reference on the passed credential. All
4531 * callers should be aware of this, and treat this function as an
4532 * unref + ref, potentially on different credentials.
4533 *
4534 * Because of this, the caller is expected to take its own
4535 * reference on the credential passed as the first parameter,
4536 * and be prepared to release the reference on the credential
4537 * that is returned to them, if it is not intended to be a
4538 * persistent reference.
4539 */
4540
4541 static
4542 kauth_cred_t
4543 kauth_cred_label_update_execve(kauth_cred_t cred, vfs_context_t ctx,
4544 struct vnode *vp, off_t offset, struct vnode *scriptvp, struct label *scriptl,
4545 struct label *execl, unsigned int *csflags, void *macextensions, int *disjointp, int *labelupdateerror)
4546 {
4547 kauth_cred_t newcred;
4548 struct ucred temp_cred;
4549
4550 bcopy(cred, &temp_cred, sizeof(temp_cred));
4551
4552 mac_cred_label_init(&temp_cred);
4553 mac_cred_label_associate(cred, &temp_cred);
4554 mac_cred_label_update_execve(ctx, &temp_cred,
4555 vp, offset, scriptvp, scriptl, execl, csflags,
4556 macextensions, disjointp, labelupdateerror);
4557
4558 newcred = kauth_cred_update(cred, &temp_cred, TRUE);
4559 mac_cred_label_destroy(&temp_cred);
4560 return (newcred);
4561 }
4562
4563 /*
4564 * kauth_proc_label_update
4565 *
4566 * Description: Update the label inside the credential associated with the process.
4567 *
4568 * Parameters: p The process to modify
4569 * label The label to place in the process credential
4570 *
4571 * Notes: The credential associated with the process may change as a result
4572 * of this call. The caller should not assume the process reference to
4573 * the old credential still exists.
4574 */
4575 int kauth_proc_label_update(struct proc *p, struct label *label)
4576 {
4577 kauth_cred_t my_cred, my_new_cred;
4578
4579 my_cred = kauth_cred_proc_ref(p);
4580
4581 DEBUG_CRED_ENTER("kauth_proc_label_update: %p\n", my_cred);
4582
4583 /* get current credential and take a reference while we muck with it */
4584 for (;;) {
4585
4586 /*
4587 * Set the credential with new info. If there is no change,
4588 * we get back the same credential we passed in; if there is
4589 * a change, we drop the reference on the credential we
4590 * passed in. The subsequent compare is safe, because it is
4591 * a pointer compare rather than a contents compare.
4592 */
4593 my_new_cred = kauth_cred_label_update(my_cred, label);
4594 if (my_cred != my_new_cred) {
4595
4596 DEBUG_CRED_CHANGE("kauth_proc_setlabel_unlocked CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
4597
4598 proc_ucred_lock(p);
4599 /*
4600 * We need to protect for a race where another thread
4601 * also changed the credential after we took our
4602 * reference. If p_ucred has changed then we should
4603 * restart this again with the new cred.
4604 */
4605 if (p->p_ucred != my_cred) {
4606 proc_ucred_unlock(p);
4607 kauth_cred_unref(&my_new_cred);
4608 my_cred = kauth_cred_proc_ref(p);
4609 /* try again */
4610 continue;
4611 }
4612 p->p_ucred = my_new_cred;
4613 /* update cred on proc */
4614 PROC_UPDATE_CREDS_ONPROC(p);
4615
4616 proc_ucred_unlock(p);
4617 }
4618 break;
4619 }
4620 /* Drop old proc reference or our extra reference */
4621 kauth_cred_unref(&my_cred);
4622
4623 return (0);
4624 }
4625
4626 /*
4627 * kauth_proc_label_update_execve
4628 *
4629 * Description: Update the label inside the credential associated with the
4630 * process as part of a transitioning execve. The label will
4631 * be updated by the policies as part of this processing, not
4632 * provided up front.
4633 *
4634 * Parameters: p The process to modify
4635 * ctx The context of the exec
4636 * vp The vnode being exec'ed
4637 * scriptl The script MAC label
4638 * execl The executable MAC label
4639 * lupdateerror The error place holder for MAC label authority
4640 * to update about possible termination
4641 *
4642 * Returns: 0 Label update did not make credential
4643 * disjoint
4644 * 1 Label update caused credential to be
4645 * disjoint
4646 *
4647 * Notes: The credential associated with the process WILL change as a
4648 * result of this call. The caller should not assume the process
4649 * reference to the old credential still exists.
4650 */
4651
4652 void
4653 kauth_proc_label_update_execve(struct proc *p, vfs_context_t ctx,
4654 struct vnode *vp, off_t offset, struct vnode *scriptvp, struct label *scriptl,
4655 struct label *execl, unsigned int *csflags, void *macextensions, int *disjoint, int *update_return)
4656 {
4657 kauth_cred_t my_cred, my_new_cred;
4658 my_cred = kauth_cred_proc_ref(p);
4659
4660 DEBUG_CRED_ENTER("kauth_proc_label_update_execve: %p\n", my_cred);
4661
4662 /* get current credential and take a reference while we muck with it */
4663 for (;;) {
4664
4665 /*
4666 * Set the credential with new info. If there is no change,
4667 * we get back the same credential we passed in; if there is
4668 * a change, we drop the reference on the credential we
4669 * passed in. The subsequent compare is safe, because it is
4670 * a pointer compare rather than a contents compare.
4671 */
4672 my_new_cred = kauth_cred_label_update_execve(my_cred, ctx, vp, offset, scriptvp, scriptl, execl, csflags, macextensions, disjoint, update_return);
4673 if (my_cred != my_new_cred) {
4674
4675 DEBUG_CRED_CHANGE("kauth_proc_label_update_execve_unlocked CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
4676
4677 proc_ucred_lock(p);
4678 /*
4679 * We need to protect for a race where another thread
4680 * also changed the credential after we took our
4681 * reference. If p_ucred has changed then we should
4682 * restart this again with the new cred.
4683 */
4684 if (p->p_ucred != my_cred) {
4685 proc_ucred_unlock(p);
4686 kauth_cred_unref(&my_new_cred);
4687 my_cred = kauth_cred_proc_ref(p);
4688 /* try again */
4689 continue;
4690 }
4691 p->p_ucred = my_new_cred;
4692 /* update cred on proc */
4693 PROC_UPDATE_CREDS_ONPROC(p);
4694 proc_ucred_unlock(p);
4695 }
4696 break;
4697 }
4698 /* Drop old proc reference or our extra reference */
4699 kauth_cred_unref(&my_cred);
4700 }
4701
4702 #if 1
4703 /*
4704 * for temporary binary compatibility
4705 */
4706 kauth_cred_t kauth_cred_setlabel(kauth_cred_t cred, struct label *label);
4707 kauth_cred_t
4708 kauth_cred_setlabel(kauth_cred_t cred, struct label *label)
4709 {
4710 return kauth_cred_label_update(cred, label);
4711 }
4712
4713 int kauth_proc_setlabel(struct proc *p, struct label *label);
4714 int
4715 kauth_proc_setlabel(struct proc *p, struct label *label)
4716 {
4717 return kauth_proc_label_update(p, label);
4718 }
4719 #endif
4720
4721 #else
4722
4723 /* this is a temp hack to cover us when MACF is not built in a kernel configuration.
4724 * Since we cannot build our export lists based on the kernel configuration we need
4725 * to define a stub.
4726 */
4727 kauth_cred_t
4728 kauth_cred_label_update(__unused kauth_cred_t cred, __unused void *label)
4729 {
4730 return(NULL);
4731 }
4732
4733 int
4734 kauth_proc_label_update(__unused struct proc *p, __unused void *label)
4735 {
4736 return (0);
4737 }
4738
4739 #if 1
4740 /*
4741 * for temporary binary compatibility
4742 */
4743 kauth_cred_t kauth_cred_setlabel(kauth_cred_t cred, void *label);
4744 kauth_cred_t
4745 kauth_cred_setlabel(__unused kauth_cred_t cred, __unused void *label)
4746 {
4747 return NULL;
4748 }
4749
4750 int kauth_proc_setlabel(struct proc *p, void *label);
4751 int
4752 kauth_proc_setlabel(__unused struct proc *p, __unused void *label)
4753 {
4754 return (0);
4755 }
4756 #endif
4757 #endif
4758
4759 /*
4760 * kauth_cred_ref
4761 *
4762 * Description: Add a reference to the passed credential
4763 *
4764 * Parameters: cred The credential to reference
4765 *
4766 * Returns: (void)
4767 *
4768 * Notes: This function adds a reference to the provided credential;
4769 * the existing reference on the credential is assumed to be
4770 * held stable over this operation by taking the appropriate
4771 * lock to protect the pointer from which it is being referenced,
4772 * if necessary (e.g. the proc lock is held over the call if the
4773 * credential being referenced is from p_ucred, the vnode lock
4774 * if from the per vnode name cache cred cache, and so on).
4775 *
4776 * This is safe from the kauth_cred_unref() path, since an atomic
4777 * add is used, and the unref path specifically checks to see that
4778 * the value has not been changed to add a reference between the
4779 * time the credential is unreferenced by another pointer and the
4780 * time it is unreferenced from the cred hash cache.
4781 */
4782 void
4783 kauth_cred_ref(kauth_cred_t cred)
4784 {
4785 int old_value;
4786
4787 NULLCRED_CHECK(cred);
4788
4789 old_value = OSAddAtomicLong(1, (long*)&cred->cr_ref);
4790
4791 if (old_value < 1)
4792 panic("kauth_cred_ref: trying to take a reference on a cred with no references");
4793
4794 #if 0 // use this to watch a specific credential
4795 if ( is_target_cred( cred ) != 0 ) {
4796 get_backtrace( );
4797 }
4798 #endif
4799
4800 return;
4801 }
4802
4803
4804 /*
4805 * kauth_cred_unref_hashlocked
4806 *
4807 * Description: release a credential reference; when the last reference is
4808 * released, the credential will be freed.
4809 *
4810 * Parameters: credp Pointer to address containing
4811 * credential to be freed
4812 *
4813 * Returns: TRUE if the credential must be destroyed by the caller.
4814 * FALSE otherwise.
4815 *
4816 * Implicit returns:
4817 * *credp Set to NOCRED
4818 *
4819 * Notes: This function assumes the credential hash lock is held.
4820 *
4821 * This function is internal use only, since the hash lock is
4822 * scoped to this compilation unit.
4823 *
4824 * This function destroys the contents of the pointer passed by
4825 * the caller to prevent the caller accidentally attempting to
4826 * release a given reference twice in error.
4827 *
4828 * The last reference is considered to be released when a release
4829 * of a credential of a reference count of 2 occurs; this is an
4830 * intended effect, to take into account the reference held by
4831 * the credential hash, which is released at the same time.
4832 */
4833 static boolean_t
4834 kauth_cred_unref_hashlocked(kauth_cred_t *credp)
4835 {
4836 int old_value;
4837 boolean_t destroy_it = FALSE;
4838
4839 KAUTH_CRED_HASH_LOCK_ASSERT();
4840 NULLCRED_CHECK(*credp);
4841
4842 old_value = OSAddAtomicLong(-1, (long*)&(*credp)->cr_ref);
4843
4844 #if DIAGNOSTIC
4845 if (old_value == 0)
4846 panic("%s:0x%08x kauth_cred_unref_hashlocked: dropping a reference on a cred with no references", current_proc()->p_comm, *credp);
4847 if (old_value == 1)
4848 panic("%s:0x%08x kauth_cred_unref_hashlocked: dropping a reference on a cred with no hash entry", current_proc()->p_comm, *credp);
4849 #endif
4850
4851 #if 0 // use this to watch a specific credential
4852 if ( is_target_cred( *credp ) != 0 ) {
4853 get_backtrace( );
4854 }
4855 #endif
4856
4857 /*
4858 * If the old_value is 2, then we have just released the last external
4859 * reference to this credential
4860 */
4861 if (old_value < 3) {
4862 /* The last absolute reference is our credential hash table */
4863 destroy_it = kauth_cred_remove(*credp);
4864 }
4865
4866 if (destroy_it == FALSE) {
4867 *credp = NOCRED;
4868 }
4869
4870 return (destroy_it);
4871 }
4872
4873
4874 /*
4875 * kauth_cred_unref
4876 *
4877 * Description: Release a credential reference while holding the credential
4878 * hash lock; when the last reference is released, the credential
4879 * will be freed.
4880 *
4881 * Parameters: credp Pointer to address containing
4882 * credential to be freed
4883 *
4884 * Returns: (void)
4885 *
4886 * Implicit returns:
4887 * *credp Set to NOCRED
4888 *
4889 * Notes: See kauth_cred_unref_hashlocked() for more information.
4890 *
4891 */
4892 void
4893 kauth_cred_unref(kauth_cred_t *credp)
4894 {
4895 boolean_t destroy_it;
4896
4897 KAUTH_CRED_HASH_LOCK();
4898 destroy_it = kauth_cred_unref_hashlocked(credp);
4899 KAUTH_CRED_HASH_UNLOCK();
4900
4901 if (destroy_it == TRUE) {
4902 assert(*credp != NOCRED);
4903 #if CONFIG_MACF
4904 mac_cred_label_destroy(*credp);
4905 #endif
4906 AUDIT_SESSION_UNREF(*credp);
4907
4908 (*credp)->cr_ref = 0;
4909 FREE_ZONE(*credp, sizeof(*(*credp)), M_CRED);
4910 *credp = NOCRED;
4911 }
4912 }
4913
4914
4915 #ifndef __LP64__
4916 /*
4917 * kauth_cred_rele
4918 *
4919 * Description: release a credential reference; when the last reference is
4920 * released, the credential will be freed
4921 *
4922 * Parameters: cred Credential to release
4923 *
4924 * Returns: (void)
4925 *
4926 * DEPRECATED: This interface is obsolete due to a failure to clear out the
4927 * clear the pointer in the caller to avoid multiple releases of
4928 * the same credential. The currently recommended interface is
4929 * kauth_cred_unref().
4930 */
4931 void
4932 kauth_cred_rele(kauth_cred_t cred)
4933 {
4934 kauth_cred_unref(&cred);
4935 }
4936 #endif /* !__LP64__ */
4937
4938
4939 /*
4940 * kauth_cred_dup
4941 *
4942 * Description: Duplicate a credential via alloc and copy; the new credential
4943 * has only it's own
4944 *
4945 * Parameters: cred The credential to duplicate
4946 *
4947 * Returns: (kauth_cred_t) The duplicate credential
4948 *
4949 * Notes: The typical value to calling this routine is if you are going
4950 * to modify an existing credential, and expect to need a new one
4951 * from the hash cache.
4952 *
4953 * This should probably not be used in the majority of cases;
4954 * if you are using it instead of kauth_cred_create(), you are
4955 * likely making a mistake.
4956 *
4957 * The newly allocated credential is copied as part of the
4958 * allocation process, with the exception of the reference
4959 * count, which is set to 1 to indicate a single reference
4960 * held by the caller.
4961 *
4962 * Since newly allocated credentials have no external pointers
4963 * referencing them, prior to making them visible in an externally
4964 * visible pointer (e.g. by adding them to the credential hash
4965 * cache) is the only legal time in which an existing credential
4966 * can be safely initialized or modified directly.
4967 *
4968 * After initialization, the caller is expected to call the
4969 * function kauth_cred_add() to add the credential to the hash
4970 * cache, after which time it's frozen and becomes publicly
4971 * visible.
4972 *
4973 * The release protocol depends on kauth_hash_add() being called
4974 * before kauth_cred_rele() (there is a diagnostic panic which
4975 * will trigger if this protocol is not observed).
4976 *
4977 */
4978 kauth_cred_t
4979 kauth_cred_dup(kauth_cred_t cred)
4980 {
4981 kauth_cred_t newcred;
4982 #if CONFIG_MACF
4983 struct label *temp_label;
4984 #endif
4985
4986 #if CRED_DIAGNOSTIC
4987 if (cred == NOCRED || cred == FSCRED)
4988 panic("kauth_cred_dup: bad credential");
4989 #endif
4990 newcred = kauth_cred_alloc();
4991 if (newcred != NULL) {
4992 #if CONFIG_MACF
4993 temp_label = newcred->cr_label;
4994 #endif
4995 bcopy(cred, newcred, sizeof(*newcred));
4996 #if CONFIG_MACF
4997 newcred->cr_label = temp_label;
4998 mac_cred_label_associate(cred, newcred);
4999 #endif
5000 AUDIT_SESSION_REF(cred);
5001 newcred->cr_ref = 1;
5002 }
5003 return(newcred);
5004 }
5005
5006 /*
5007 * kauth_cred_copy_real
5008 *
5009 * Description: Returns a credential based on the passed credential but which
5010 * reflects the real rather than effective UID and GID.
5011 *
5012 * Parameters: cred The credential from which to
5013 * derive the new credential
5014 *
5015 * Returns: (kauth_cred_t) The copied credential
5016 *
5017 * IMPORTANT: This function DOES NOT utilize kauth_cred_update(); as a
5018 * result, the caller is responsible for dropping BOTH the
5019 * additional reference on the passed cred (if any), and the
5020 * credential returned by this function. The drop should be
5021 * via the kauth_cred_unref() KPI.
5022 */
5023 kauth_cred_t
5024 kauth_cred_copy_real(kauth_cred_t cred)
5025 {
5026 kauth_cred_t newcred = NULL, found_cred;
5027 struct ucred temp_cred;
5028 posix_cred_t temp_pcred = posix_cred_get(&temp_cred);
5029 posix_cred_t pcred = posix_cred_get(cred);
5030
5031 /* if the credential is already 'real', just take a reference */
5032 if ((pcred->cr_ruid == pcred->cr_uid) &&
5033 (pcred->cr_rgid == pcred->cr_gid)) {
5034 kauth_cred_ref(cred);
5035 return(cred);
5036 }
5037
5038 /*
5039 * Look up in cred hash table to see if we have a matching credential
5040 * with the new values.
5041 */
5042 bcopy(cred, &temp_cred, sizeof(temp_cred));
5043 temp_pcred->cr_uid = pcred->cr_ruid;
5044 /* displacing a supplementary group opts us out of memberd */
5045 if (kauth_cred_change_egid(&temp_cred, pcred->cr_rgid)) {
5046 temp_pcred->cr_flags |= CRF_NOMEMBERD;
5047 temp_pcred->cr_gmuid = KAUTH_UID_NONE;
5048 }
5049 /*
5050 * If the cred is not opted out, make sure we are using the r/euid
5051 * for group checks
5052 */
5053 if (temp_pcred->cr_gmuid != KAUTH_UID_NONE)
5054 temp_pcred->cr_gmuid = pcred->cr_ruid;
5055
5056 for (;;) {
5057 int err;
5058
5059 KAUTH_CRED_HASH_LOCK();
5060 found_cred = kauth_cred_find(&temp_cred);
5061 if (found_cred == cred) {
5062 /* same cred so just bail */
5063 KAUTH_CRED_HASH_UNLOCK();
5064 return(cred);
5065 }
5066 if (found_cred != NULL) {
5067 /*
5068 * Found a match so we bump reference count on new
5069 * one. We leave the old one alone.
5070 */
5071 kauth_cred_ref(found_cred);
5072 KAUTH_CRED_HASH_UNLOCK();
5073 return(found_cred);
5074 }
5075
5076 /*
5077 * Must allocate a new credential, copy in old credential
5078 * data and update the real user and group IDs.
5079 */
5080 newcred = kauth_cred_dup(&temp_cred);
5081 err = kauth_cred_add(newcred);
5082 KAUTH_CRED_HASH_UNLOCK();
5083
5084 /* Retry if kauth_cred_add() fails */
5085 if (err == 0)
5086 break;
5087 #if CONFIG_MACF
5088 mac_cred_label_destroy(newcred);
5089 #endif
5090 AUDIT_SESSION_UNREF(newcred);
5091
5092 FREE_ZONE(newcred, sizeof(*newcred), M_CRED);
5093 newcred = NULL;
5094 }
5095
5096 return(newcred);
5097 }
5098
5099
5100 /*
5101 * kauth_cred_update
5102 *
5103 * Description: Common code to update a credential
5104 *
5105 * Parameters: old_cred Reference counted credential
5106 * to update
5107 * model_cred Non-reference counted model
5108 * credential to apply to the
5109 * credential to be updated
5110 * retain_auditinfo Flag as to whether or not the
5111 * audit information should be
5112 * copied from the old_cred into
5113 * the model_cred
5114 *
5115 * Returns: (kauth_cred_t) The updated credential
5116 *
5117 * IMPORTANT: This function will potentially return a credential other than
5118 * the one it is passed, and if so, it will have dropped the
5119 * reference on the passed credential. All callers should be
5120 * aware of this, and treat this function as an unref + ref,
5121 * potentially on different credentials.
5122 *
5123 * Because of this, the caller is expected to take its own
5124 * reference on the credential passed as the first parameter,
5125 * and be prepared to release the reference on the credential
5126 * that is returned to them, if it is not intended to be a
5127 * persistent reference.
5128 */
5129 static kauth_cred_t
5130 kauth_cred_update(kauth_cred_t old_cred, kauth_cred_t model_cred,
5131 boolean_t retain_auditinfo)
5132 {
5133 kauth_cred_t found_cred, new_cred = NULL;
5134
5135 /*
5136 * Make sure we carry the auditinfo forward to the new credential
5137 * unless we are actually updating the auditinfo.
5138 */
5139 if (retain_auditinfo) {
5140 bcopy(&old_cred->cr_audit, &model_cred->cr_audit,
5141 sizeof(model_cred->cr_audit));
5142 }
5143
5144 for (;;) {
5145 int err;
5146
5147 KAUTH_CRED_HASH_LOCK();
5148 found_cred = kauth_cred_find(model_cred);
5149 if (found_cred == old_cred) {
5150 /* same cred so just bail */
5151 KAUTH_CRED_HASH_UNLOCK();
5152 return(old_cred);
5153 }
5154 if (found_cred != NULL) {
5155 boolean_t destroy_it;
5156
5157 DEBUG_CRED_CHANGE("kauth_cred_update(cache hit): %p -> %p\n", old_cred, found_cred);
5158 /*
5159 * Found a match so we bump reference count on new
5160 * one and decrement reference count on the old one.
5161 */
5162 kauth_cred_ref(found_cred);
5163 destroy_it = kauth_cred_unref_hashlocked(&old_cred);
5164 KAUTH_CRED_HASH_UNLOCK();
5165 if (destroy_it == TRUE) {
5166 assert(old_cred != NOCRED);
5167 #if CONFIG_MACF
5168 mac_cred_label_destroy(old_cred);
5169 #endif
5170 AUDIT_SESSION_UNREF(old_cred);
5171
5172 old_cred->cr_ref = 0;
5173 FREE_ZONE(old_cred, sizeof(*old_cred), M_CRED);
5174 old_cred = NOCRED;
5175
5176 }
5177 return(found_cred);
5178 }
5179
5180 /*
5181 * Must allocate a new credential using the model. also
5182 * adds the new credential to the credential hash table.
5183 */
5184 new_cred = kauth_cred_dup(model_cred);
5185 err = kauth_cred_add(new_cred);
5186 KAUTH_CRED_HASH_UNLOCK();
5187
5188 /* retry if kauth_cred_add returns non zero value */
5189 if (err == 0)
5190 break;
5191 #if CONFIG_MACF
5192 mac_cred_label_destroy(new_cred);
5193 #endif
5194 AUDIT_SESSION_UNREF(new_cred);
5195
5196 FREE_ZONE(new_cred, sizeof(*new_cred), M_CRED);
5197 new_cred = NULL;
5198 }
5199
5200 DEBUG_CRED_CHANGE("kauth_cred_update(cache miss): %p -> %p\n", old_cred, new_cred);
5201 kauth_cred_unref(&old_cred);
5202 return(new_cred);
5203 }
5204
5205
5206 /*
5207 * kauth_cred_add
5208 *
5209 * Description: Add the given credential to our credential hash table and
5210 * take an additional reference to account for our use of the
5211 * credential in the hash table
5212 *
5213 * Parameters: new_cred Credential to insert into cred
5214 * hash cache
5215 *
5216 * Returns: 0 Success
5217 * -1 Hash insertion failed: caller
5218 * should retry
5219 *
5220 * Locks: Caller is expected to hold KAUTH_CRED_HASH_LOCK
5221 *
5222 * Notes: The 'new_cred' MUST NOT already be in the cred hash cache
5223 */
5224 static int
5225 kauth_cred_add(kauth_cred_t new_cred)
5226 {
5227 u_long hash_key;
5228
5229 KAUTH_CRED_HASH_LOCK_ASSERT();
5230
5231 hash_key = kauth_cred_get_hashkey(new_cred);
5232 hash_key %= KAUTH_CRED_TABLE_SIZE;
5233
5234 /* race fix - there is a window where another matching credential
5235 * could have been inserted between the time this one was created and we
5236 * got the hash lock. If we find a match return an error and have the
5237 * the caller retry.
5238 */
5239 if (kauth_cred_find(new_cred) != NULL) {
5240 return(-1);
5241 }
5242
5243 /* take a reference for our use in credential hash table */
5244 kauth_cred_ref(new_cred);
5245
5246 /* insert the credential into the hash table */
5247 TAILQ_INSERT_HEAD(&kauth_cred_table_anchor[hash_key], new_cred, cr_link);
5248
5249 return(0);
5250 }
5251
5252
5253 /*
5254 * kauth_cred_remove
5255 *
5256 * Description: Remove the given credential from our credential hash table
5257 *
5258 * Parameters: cred Credential to remove from cred
5259 * hash cache
5260 *
5261 * Returns: TRUE if the cred was found & removed from the hash; FALSE if not.
5262 *
5263 * Locks: Caller is expected to hold KAUTH_CRED_HASH_LOCK
5264 *
5265 * Notes: The check for the reference increment after entry is generally
5266 * agree to be safe, since we use atomic operations, and the
5267 * following code occurs with the hash lock held; in theory, this
5268 * protects us from the 2->1 reference that gets us here.
5269 */
5270 static boolean_t
5271 kauth_cred_remove(kauth_cred_t cred)
5272 {
5273 u_long hash_key;
5274 kauth_cred_t found_cred;
5275
5276 hash_key = kauth_cred_get_hashkey(cred);
5277 hash_key %= KAUTH_CRED_TABLE_SIZE;
5278
5279 /* Avoid race */
5280 if (cred->cr_ref < 1)
5281 panic("cred reference underflow");
5282 if (cred->cr_ref > 1)
5283 return (FALSE); /* someone else got a ref */
5284
5285 /* Find cred in the credential hash table */
5286 TAILQ_FOREACH(found_cred, &kauth_cred_table_anchor[hash_key], cr_link) {
5287 if (found_cred == cred) {
5288 /* found a match, remove it from the hash table */
5289 TAILQ_REMOVE(&kauth_cred_table_anchor[hash_key], found_cred, cr_link);
5290 #if KAUTH_CRED_HASH_DEBUG
5291 kauth_cred_count--;
5292 #endif
5293 return (TRUE);
5294 }
5295 }
5296
5297 /* Did not find a match... this should not happen! XXX Make panic? */
5298 printf("%s:%d - %s - %s - did not find a match for %p\n", __FILE__, __LINE__, __FUNCTION__, current_proc()->p_comm, cred);
5299 return (FALSE);
5300 }
5301
5302
5303 /*
5304 * kauth_cred_find
5305 *
5306 * Description: Using the given credential data, look for a match in our
5307 * credential hash table
5308 *
5309 * Parameters: cred Credential to lookup in cred
5310 * hash cache
5311 *
5312 * Returns: NULL Not found
5313 * !NULL Matching credential already in
5314 * cred hash cache
5315 *
5316 * Locks: Caller is expected to hold KAUTH_CRED_HASH_LOCK
5317 */
5318 kauth_cred_t
5319 kauth_cred_find(kauth_cred_t cred)
5320 {
5321 u_long hash_key;
5322 kauth_cred_t found_cred;
5323 posix_cred_t pcred = posix_cred_get(cred);
5324
5325 KAUTH_CRED_HASH_LOCK_ASSERT();
5326
5327 #if KAUTH_CRED_HASH_DEBUG
5328 static int test_count = 0;
5329
5330 test_count++;
5331 if ((test_count % 200) == 0) {
5332 kauth_cred_hash_print();
5333 }
5334 #endif
5335
5336 hash_key = kauth_cred_get_hashkey(cred);
5337 hash_key %= KAUTH_CRED_TABLE_SIZE;
5338
5339 /* Find cred in the credential hash table */
5340 TAILQ_FOREACH(found_cred, &kauth_cred_table_anchor[hash_key], cr_link) {
5341 boolean_t match;
5342 posix_cred_t found_pcred = posix_cred_get(found_cred);
5343
5344 /*
5345 * don't worry about the label unless the flags in
5346 * either credential tell us to.
5347 */
5348 match = (bcmp(found_pcred, pcred, sizeof (*pcred)) == 0) ? TRUE : FALSE;
5349 match = match && ((bcmp(&found_cred->cr_audit, &cred->cr_audit,
5350 sizeof(cred->cr_audit)) == 0) ? TRUE : FALSE);
5351 #if CONFIG_MACF
5352 if (((found_pcred->cr_flags & CRF_MAC_ENFORCE) != 0) ||
5353 ((pcred->cr_flags & CRF_MAC_ENFORCE) != 0)) {
5354 match = match && mac_cred_label_compare(found_cred->cr_label,
5355 cred->cr_label);
5356 }
5357 #endif
5358 if (match) {
5359 /* found a match */
5360 return(found_cred);
5361 }
5362 }
5363 /* No match found */
5364
5365 return(NULL);
5366 }
5367
5368
5369 /*
5370 * kauth_cred_hash
5371 *
5372 * Description: Generates a hash key using data that makes up a credential;
5373 * based on ElfHash
5374 *
5375 * Parameters: datap Pointer to data to hash
5376 * data_len Count of bytes to hash
5377 * start_key Start key value
5378 *
5379 * Returns: (u_long) Returned hash key
5380 */
5381 static inline u_long
5382 kauth_cred_hash(const uint8_t *datap, int data_len, u_long start_key)
5383 {
5384 u_long hash_key = start_key;
5385 u_long temp;
5386
5387 while (data_len > 0) {
5388 hash_key = (hash_key << 4) + *datap++;
5389 temp = hash_key & 0xF0000000;
5390 if (temp) {
5391 hash_key ^= temp >> 24;
5392 }
5393 hash_key &= ~temp;
5394 data_len--;
5395 }
5396 return(hash_key);
5397 }
5398
5399
5400 /*
5401 * kauth_cred_get_hashkey
5402 *
5403 * Description: Generate a hash key using data that makes up a credential;
5404 * based on ElfHash. We hash on the entire credential data,
5405 * not including the ref count or the TAILQ, which are mutable;
5406 * everything else isn't.
5407 *
5408 * Parameters: cred Credential for which hash is
5409 * desired
5410 *
5411 * Returns: (u_long) Returned hash key
5412 *
5413 * Notes: When actually moving the POSIX credential into a real label,
5414 * remember to update this hash computation.
5415 */
5416 static u_long
5417 kauth_cred_get_hashkey(kauth_cred_t cred)
5418 {
5419 #if CONFIG_MACF
5420 posix_cred_t pcred = posix_cred_get(cred);
5421 #endif
5422 u_long hash_key = 0;
5423
5424 hash_key = kauth_cred_hash((uint8_t *)&cred->cr_posix,
5425 sizeof (struct posix_cred),
5426 hash_key);
5427 hash_key = kauth_cred_hash((uint8_t *)&cred->cr_audit,
5428 sizeof(struct au_session),
5429 hash_key);
5430 #if CONFIG_MACF
5431 if (pcred->cr_flags & CRF_MAC_ENFORCE) {
5432 hash_key = kauth_cred_hash((uint8_t *)cred->cr_label,
5433 sizeof (struct label),
5434 hash_key);
5435 }
5436 #endif
5437 return(hash_key);
5438 }
5439
5440
5441 #if KAUTH_CRED_HASH_DEBUG
5442 /*
5443 * kauth_cred_hash_print
5444 *
5445 * Description: Print out cred hash cache table information for debugging
5446 * purposes, including the credential contents
5447 *
5448 * Parameters: (void)
5449 *
5450 * Returns: (void)
5451 *
5452 * Implicit returns: Results in console output
5453 */
5454 static void
5455 kauth_cred_hash_print(void)
5456 {
5457 int i, j;
5458 kauth_cred_t found_cred;
5459
5460 printf("\n\t kauth credential hash table statistics - current cred count %d \n", kauth_cred_count);
5461 /* count slot hits, misses, collisions, and max depth */
5462 for (i = 0; i < KAUTH_CRED_TABLE_SIZE; i++) {
5463 printf("[%02d] ", i);
5464 j = 0;
5465 TAILQ_FOREACH(found_cred, &kauth_cred_table_anchor[i], cr_link) {
5466 if (j > 0) {
5467 printf("---- ");
5468 }
5469 j++;
5470 kauth_cred_print(found_cred);
5471 printf("\n");
5472 }
5473 if (j == 0) {
5474 printf("NOCRED \n");
5475 }
5476 }
5477 }
5478 #endif /* KAUTH_CRED_HASH_DEBUG */
5479
5480
5481 #if (defined(KAUTH_CRED_HASH_DEBUG) && (KAUTH_CRED_HASH_DEBUG != 0)) || defined(DEBUG_CRED)
5482 /*
5483 * kauth_cred_print
5484 *
5485 * Description: Print out an individual credential's contents for debugging
5486 * purposes
5487 *
5488 * Parameters: cred The credential to print out
5489 *
5490 * Returns: (void)
5491 *
5492 * Implicit returns: Results in console output
5493 */
5494 void
5495 kauth_cred_print(kauth_cred_t cred)
5496 {
5497 int i;
5498
5499 printf("%p - refs %lu flags 0x%08x uids e%d r%d sv%d gm%d ", cred, cred->cr_ref, cred->cr_flags, cred->cr_uid, cred->cr_ruid, cred->cr_svuid, cred->cr_gmuid);
5500 printf("group count %d gids ", cred->cr_ngroups);
5501 for (i = 0; i < NGROUPS; i++) {
5502 if (i == 0)
5503 printf("e");
5504 printf("%d ", cred->cr_groups[i]);
5505 }
5506 printf("r%d sv%d ", cred->cr_rgid, cred->cr_svgid);
5507 printf("auditinfo_addr %d %d %d %d %d %d\n",
5508 cred->cr_audit.s_aia_p->ai_auid,
5509 cred->cr_audit.as_mask.am_success,
5510 cred->cr_audit.as_mask.am_failure,
5511 cred->cr_audit.as_aia_p->ai_termid.at_port,
5512 cred->cr_audit.as_aia_p->ai_termid.at_addr[0],
5513 cred->cr_audit.as_aia_p->ai_asid);
5514 }
5515
5516 int is_target_cred( kauth_cred_t the_cred )
5517 {
5518 if ( the_cred->cr_uid != 0 )
5519 return( 0 );
5520 if ( the_cred->cr_ruid != 0 )
5521 return( 0 );
5522 if ( the_cred->cr_svuid != 0 )
5523 return( 0 );
5524 if ( the_cred->cr_ngroups != 11 )
5525 return( 0 );
5526 if ( the_cred->cr_groups[0] != 11 )
5527 return( 0 );
5528 if ( the_cred->cr_groups[1] != 81 )
5529 return( 0 );
5530 if ( the_cred->cr_groups[2] != 63947 )
5531 return( 0 );
5532 if ( the_cred->cr_groups[3] != 80288 )
5533 return( 0 );
5534 if ( the_cred->cr_groups[4] != 89006 )
5535 return( 0 );
5536 if ( the_cred->cr_groups[5] != 52173 )
5537 return( 0 );
5538 if ( the_cred->cr_groups[6] != 84524 )
5539 return( 0 );
5540 if ( the_cred->cr_groups[7] != 79 )
5541 return( 0 );
5542 if ( the_cred->cr_groups[8] != 80292 )
5543 return( 0 );
5544 if ( the_cred->cr_groups[9] != 80 )
5545 return( 0 );
5546 if ( the_cred->cr_groups[10] != 90824 )
5547 return( 0 );
5548 if ( the_cred->cr_rgid != 11 )
5549 return( 0 );
5550 if ( the_cred->cr_svgid != 11 )
5551 return( 0 );
5552 if ( the_cred->cr_gmuid != 3475 )
5553 return( 0 );
5554 if ( the_cred->cr_audit.as_aia_p->ai_auid != 3475 )
5555 return( 0 );
5556 /*
5557 if ( the_cred->cr_audit.as_mask.am_success != 0 )
5558 return( 0 );
5559 if ( the_cred->cr_audit.as_mask.am_failure != 0 )
5560 return( 0 );
5561 if ( the_cred->cr_audit.as_aia_p->ai_termid.at_port != 0 )
5562 return( 0 );
5563 if ( the_cred->cr_audit.as_aia_p->ai_termid.at_addr[0] != 0 )
5564 return( 0 );
5565 if ( the_cred->cr_audit.as_aia_p->ai_asid != 0 )
5566 return( 0 );
5567 if ( the_cred->cr_flags != 0 )
5568 return( 0 );
5569 */
5570 return( -1 ); // found target cred
5571 }
5572
5573 void get_backtrace( void )
5574 {
5575 int my_slot;
5576 void * my_stack[ MAX_STACK_DEPTH ];
5577 int i, my_depth;
5578
5579 if ( cred_debug_buf_p == NULL ) {
5580 MALLOC(cred_debug_buf_p, cred_debug_buffer *, sizeof(*cred_debug_buf_p), M_KAUTH, M_WAITOK);
5581 bzero(cred_debug_buf_p, sizeof(*cred_debug_buf_p));
5582 }
5583
5584 if ( cred_debug_buf_p->next_slot > (MAX_CRED_BUFFER_SLOTS - 1) ) {
5585 /* buffer is full */
5586 return;
5587 }
5588
5589 my_depth = OSBacktrace(&my_stack[0], MAX_STACK_DEPTH);
5590 if ( my_depth == 0 ) {
5591 printf("%s - OSBacktrace failed \n", __FUNCTION__);
5592 return;
5593 }
5594
5595 /* fill new backtrace */
5596 my_slot = cred_debug_buf_p->next_slot;
5597 cred_debug_buf_p->next_slot++;
5598 cred_debug_buf_p->stack_buffer[ my_slot ].depth = my_depth;
5599 for ( i = 0; i < my_depth; i++ ) {
5600 cred_debug_buf_p->stack_buffer[ my_slot ].stack[ i ] = my_stack[ i ];
5601 }
5602
5603 return;
5604 }
5605
5606
5607 /* subset of struct ucred for use in sysctl_dump_creds */
5608 struct debug_ucred {
5609 void *credp;
5610 u_long cr_ref; /* reference count */
5611 uid_t cr_uid; /* effective user id */
5612 uid_t cr_ruid; /* real user id */
5613 uid_t cr_svuid; /* saved user id */
5614 short cr_ngroups; /* number of groups in advisory list */
5615 gid_t cr_groups[NGROUPS]; /* advisory group list */
5616 gid_t cr_rgid; /* real group id */
5617 gid_t cr_svgid; /* saved group id */
5618 uid_t cr_gmuid; /* UID for group membership purposes */
5619 struct auditinfo_addr cr_audit; /* user auditing data. */
5620 void *cr_label; /* MACF label */
5621 int cr_flags; /* flags on credential */
5622 };
5623 typedef struct debug_ucred debug_ucred;
5624
5625 SYSCTL_PROC(_kern, OID_AUTO, dump_creds, CTLFLAG_RD,
5626 NULL, 0, sysctl_dump_creds, "S,debug_ucred", "List of credentials in the cred hash");
5627
5628 /* accessed by:
5629 * err = sysctlbyname( "kern.dump_creds", bufp, &len, NULL, 0 );
5630 */
5631
5632 static int
5633 sysctl_dump_creds( __unused struct sysctl_oid *oidp, __unused void *arg1, __unused int arg2, struct sysctl_req *req )
5634 {
5635 int i, j, counter = 0;
5636 int error;
5637 size_t space;
5638 kauth_cred_t found_cred;
5639 debug_ucred * cred_listp;
5640 debug_ucred * nextp;
5641
5642 /* This is a readonly node. */
5643 if (req->newptr != USER_ADDR_NULL)
5644 return (EPERM);
5645
5646 /* calculate space needed */
5647 for (i = 0; i < KAUTH_CRED_TABLE_SIZE; i++) {
5648 TAILQ_FOREACH(found_cred, &kauth_cred_table_anchor[i], cr_link) {
5649 counter++;
5650 }
5651 }
5652
5653 /* they are querying us so just return the space required. */
5654 if (req->oldptr == USER_ADDR_NULL) {
5655 counter += 10; // add in some padding;
5656 req->oldidx = counter * sizeof(debug_ucred);
5657 return 0;
5658 }
5659
5660 MALLOC( cred_listp, debug_ucred *, req->oldlen, M_TEMP, M_WAITOK | M_ZERO);
5661 if ( cred_listp == NULL ) {
5662 return (ENOMEM);
5663 }
5664
5665 /* fill in creds to send back */
5666 nextp = cred_listp;
5667 space = 0;
5668 for (i = 0; i < KAUTH_CRED_TABLE_SIZE; i++) {
5669 TAILQ_FOREACH(found_cred, &kauth_cred_table_anchor[i], cr_link) {
5670 nextp->credp = found_cred;
5671 nextp->cr_ref = found_cred->cr_ref;
5672 nextp->cr_uid = found_cred->cr_uid;
5673 nextp->cr_ruid = found_cred->cr_ruid;
5674 nextp->cr_svuid = found_cred->cr_svuid;
5675 nextp->cr_ngroups = found_cred->cr_ngroups;
5676 for ( j = 0; j < nextp->cr_ngroups; j++ ) {
5677 nextp->cr_groups[ j ] = found_cred->cr_groups[ j ];
5678 }
5679 nextp->cr_rgid = found_cred->cr_rgid;
5680 nextp->cr_svgid = found_cred->cr_svgid;
5681 nextp->cr_gmuid = found_cred->cr_gmuid;
5682 nextp->cr_audit.ai_auid =
5683 found_cred->cr_audit.as_aia_p->ai_auid;
5684 nextp->cr_audit.ai_mask.am_success =
5685 found_cred->cr_audit.as_mask.am_success;
5686 nextp->cr_audit.ai_mask.am_failure =
5687 found_cred->cr_audit.as_mask.am_failure;
5688 nextp->cr_audit.ai_termid.at_port =
5689 found_cred->cr_audit.as_aia_p->ai_termid.at_port;
5690 nextp->cr_audit.ai_termid.at_type =
5691 found_cred->cr_audit.as_aia_p->ai_termid.at_type;
5692 nextp->cr_audit.ai_termid.at_addr[0] =
5693 found_cred->cr_audit.as_aia_p->ai_termid.at_addr[0];
5694 nextp->cr_audit.ai_termid.at_addr[1] =
5695 found_cred->cr_audit.as_aia_p->ai_termid.at_addr[1];
5696 nextp->cr_audit.ai_termid.at_addr[2] =
5697 found_cred->cr_audit.as_aia_p->ai_termid.at_addr[2];
5698 nextp->cr_audit.ai_termid.at_addr[3] =
5699 found_cred->cr_audit.as_aia_p->ai_termid.at_addr[3];
5700 nextp->cr_audit.ai_asid =
5701 found_cred->cr_audit.as_aia_p->ai_asid;
5702 nextp->cr_audit.ai_flags =
5703 found_cred->cr_audit.as_aia_p->ai_flags;
5704 nextp->cr_label = found_cred->cr_label;
5705 nextp->cr_flags = found_cred->cr_flags;
5706 nextp++;
5707 space += sizeof(debug_ucred);
5708 if ( space > req->oldlen ) {
5709 FREE(cred_listp, M_TEMP);
5710 return (ENOMEM);
5711 }
5712 }
5713 }
5714 req->oldlen = space;
5715 error = SYSCTL_OUT(req, cred_listp, req->oldlen);
5716 FREE(cred_listp, M_TEMP);
5717 return (error);
5718 }
5719
5720
5721 SYSCTL_PROC(_kern, OID_AUTO, cred_bt, CTLFLAG_RD,
5722 NULL, 0, sysctl_dump_cred_backtraces, "S,cred_debug_buffer", "dump credential backtrace");
5723
5724 /* accessed by:
5725 * err = sysctlbyname( "kern.cred_bt", bufp, &len, NULL, 0 );
5726 */
5727
5728 static int
5729 sysctl_dump_cred_backtraces( __unused struct sysctl_oid *oidp, __unused void *arg1, __unused int arg2, struct sysctl_req *req )
5730 {
5731 int i, j;
5732 int error;
5733 size_t space;
5734 cred_debug_buffer * bt_bufp;
5735 cred_backtrace * nextp;
5736
5737 /* This is a readonly node. */
5738 if (req->newptr != USER_ADDR_NULL)
5739 return (EPERM);
5740
5741 if ( cred_debug_buf_p == NULL ) {
5742 return (EAGAIN);
5743 }
5744
5745 /* calculate space needed */
5746 space = sizeof( cred_debug_buf_p->next_slot );
5747 space += (sizeof( cred_backtrace ) * cred_debug_buf_p->next_slot);
5748
5749 /* they are querying us so just return the space required. */
5750 if (req->oldptr == USER_ADDR_NULL) {
5751 req->oldidx = space;
5752 return 0;
5753 }
5754
5755 if ( space > req->oldlen ) {
5756 return (ENOMEM);
5757 }
5758
5759 MALLOC( bt_bufp, cred_debug_buffer *, req->oldlen, M_TEMP, M_WAITOK | M_ZERO);
5760 if ( bt_bufp == NULL ) {
5761 return (ENOMEM);
5762 }
5763
5764 /* fill in backtrace info to send back */
5765 bt_bufp->next_slot = cred_debug_buf_p->next_slot;
5766 space = sizeof(bt_bufp->next_slot);
5767
5768 nextp = &bt_bufp->stack_buffer[ 0 ];
5769 for (i = 0; i < cred_debug_buf_p->next_slot; i++) {
5770 nextp->depth = cred_debug_buf_p->stack_buffer[ i ].depth;
5771 for ( j = 0; j < nextp->depth; j++ ) {
5772 nextp->stack[ j ] = cred_debug_buf_p->stack_buffer[ i ].stack[ j ];
5773 }
5774 space += sizeof(*nextp);
5775 nextp++;
5776 }
5777 req->oldlen = space;
5778 error = SYSCTL_OUT(req, bt_bufp, req->oldlen);
5779 FREE(bt_bufp, M_TEMP);
5780 return (error);
5781 }
5782
5783 #endif /* KAUTH_CRED_HASH_DEBUG || DEBUG_CRED */
5784
5785
5786 /*
5787 **********************************************************************
5788 * The following routines will be moved to a policy_posix.c module at
5789 * some future point.
5790 **********************************************************************
5791 */
5792
5793 /*
5794 * posix_cred_create
5795 *
5796 * Description: Helper function to create a kauth_cred_t credential that is
5797 * initally labelled with a specific POSIX credential label
5798 *
5799 * Parameters: pcred The posix_cred_t to use as the initial
5800 * label value
5801 *
5802 * Returns: (kauth_cred_t) The credential that was found in the
5803 * hash or creates
5804 * NULL kauth_cred_add() failed, or there was
5805 * no egid specified, or we failed to
5806 * attach a label to the new credential
5807 *
5808 * Notes: This function currently wraps kauth_cred_create(), and is the
5809 * only consumer of that ill-fated function, apart from bsd_init().
5810 * It exists solely to support the NFS server code creation of
5811 * credentials based on the over-the-wire RPC calls containing
5812 * traditional POSIX credential information being tunneled to
5813 * the server host from the client machine.
5814 *
5815 * In the future, we hope this function goes away.
5816 *
5817 * In the short term, it creates a temporary credential, puts
5818 * the POSIX information from NFS into it, and then calls
5819 * kauth_cred_create(), as an internal implementation detail.
5820 *
5821 * If we have to keep it around in the medium term, it will
5822 * create a new kauth_cred_t, then label it with a POSIX label
5823 * corresponding to the contents of the kauth_cred_t. If the
5824 * policy_posix MACF module is not loaded, it will instead
5825 * substitute a posix_cred_t which GRANTS all access (effectively
5826 * a "root" credential) in order to not prevent NFS from working
5827 * in the case that we are not supporting POSIX credentials.
5828 */
5829 kauth_cred_t
5830 posix_cred_create(posix_cred_t pcred)
5831 {
5832 struct ucred temp_cred;
5833
5834 bzero(&temp_cred, sizeof(temp_cred));
5835 temp_cred.cr_posix = *pcred;
5836
5837 return kauth_cred_create(&temp_cred);
5838 }
5839
5840
5841 /*
5842 * posix_cred_get
5843 *
5844 * Description: Given a kauth_cred_t, return the POSIX credential label, if
5845 * any, which is associated with it.
5846 *
5847 * Parameters: cred The credential to obtain the label from
5848 *
5849 * Returns: posix_cred_t The POSIX credential label
5850 *
5851 * Notes: In the event that the policy_posix MACF module IS NOT loaded,
5852 * this function will return a pointer to a posix_cred_t which
5853 * GRANTS all access (effectively, a "root" credential). This is
5854 * necessary to support legacy code which insists on tightly
5855 * integrating POSIX credentials into its APIs, including, but
5856 * not limited to, System V IPC mechanisms, POSIX IPC mechanisms,
5857 * NFSv3, signals, dtrace, and a large number of kauth routines
5858 * used to implement POSIX permissions related system calls.
5859 *
5860 * In the event that the policy_posix MACF module IS loaded, and
5861 * there is no POSIX label on the kauth_cred_t credential, this
5862 * function will return a pointer to a posix_cred_t which DENIES
5863 * all access (effectively, a "deny rights granted by POSIX"
5864 * credential). This is necessary to support the concept of a
5865 * transiently loaded POSIX policy, or kauth_cred_t credentials
5866 * which can not be used in conjunctions with POSIX permissions
5867 * checks.
5868 *
5869 * This function currently returns the address of the cr_posix
5870 * field of the supplied kauth_cred_t credential, and as such
5871 * currently can not fail. In the future, this will not be the
5872 * case.
5873 */
5874 posix_cred_t
5875 posix_cred_get(kauth_cred_t cred)
5876 {
5877 return(&cred->cr_posix);
5878 }
5879
5880
5881 /*
5882 * posix_cred_label
5883 *
5884 * Description: Label a kauth_cred_t with a POSIX credential label
5885 *
5886 * Parameters: cred The credential to label
5887 * pcred The POSIX credential t label it with
5888 *
5889 * Returns: (void)
5890 *
5891 * Notes: This function is currently void in order to permit it to fit
5892 * in with the current MACF framework label methods which allow
5893 * labeling to fail silently. This is like acceptable for
5894 * mandatory access controls, but not for POSIX, since those
5895 * access controls are advisory. We will need to consider a
5896 * return value in a future version of the MACF API.
5897 *
5898 * This operation currently cannot fail, as currently the POSIX
5899 * credential is a subfield of the kauth_cred_t (ucred), which
5900 * MUST be valid. In the future, this will not be the case.
5901 */
5902 void
5903 posix_cred_label(kauth_cred_t cred, posix_cred_t pcred)
5904 {
5905 cred->cr_posix = *pcred; /* structure assign for now */
5906 }
5907
5908
5909 /*
5910 * posix_cred_access
5911 *
5912 * Description: Perform a POSIX access check for a protected object
5913 *
5914 * Parameters: cred The credential to check
5915 * object_uid The POSIX UID of the protected object
5916 * object_gid The POSIX GID of the protected object
5917 * object_mode The POSIX mode of the protected object
5918 * mode_req The requested POSIX access rights
5919 *
5920 * Returns 0 Access is granted
5921 * EACCES Access is denied
5922 *
5923 * Notes: This code optimizes the case where the world and group rights
5924 * would both grant the requested rights to avoid making a group
5925 * membership query. This is a big performance win in the case
5926 * where this is true.
5927 */
5928 int
5929 posix_cred_access(kauth_cred_t cred, id_t object_uid, id_t object_gid, mode_t object_mode, mode_t mode_req)
5930 {
5931 int is_member;
5932 mode_t mode_owner = (object_mode & S_IRWXU);
5933 mode_t mode_group = (object_mode & S_IRWXG) << 3;
5934 mode_t mode_world = (object_mode & S_IRWXO) << 6;
5935
5936 /*
5937 * Check first for owner rights
5938 */
5939 if (kauth_cred_getuid(cred) == object_uid && (mode_req & mode_owner) == mode_req)
5940 return (0);
5941
5942 /*
5943 * Combined group and world rights check, if we don't have owner rights
5944 *
5945 * OPTIMIZED: If group and world rights would grant the same bits, and
5946 * they set of requested bits is in both, then we can simply check the
5947 * world rights, avoiding a group membership check, which is expensive.
5948 */
5949 if ((mode_req & mode_group & mode_world) == mode_req) {
5950 return (0);
5951 } else {
5952 /*
5953 * NON-OPTIMIZED: requires group membership check.
5954 */
5955 if ((mode_req & mode_group) != mode_req) {
5956 /*
5957 * exclusion group : treat errors as "is a member"
5958 *
5959 * NON-OPTIMIZED: +group would deny; must check group
5960 */
5961 if (!kauth_cred_ismember_gid(cred, object_gid, &is_member) && is_member) {
5962 /*
5963 * DENY: +group denies
5964 */
5965 return (EACCES);
5966 } else {
5967 if ((mode_req & mode_world) != mode_req) {
5968 /*
5969 * DENY: both -group & world would deny
5970 */
5971 return (EACCES);
5972 } else {
5973 /*
5974 * ALLOW: allowed by -group and +world
5975 */
5976 return (0);
5977 }
5978 }
5979 } else {
5980 /*
5981 * inclusion group; treat errors as "not a member"
5982 *
5983 * NON-OPTIMIZED: +group allows, world denies; must
5984 * check group
5985 */
5986 if (!kauth_cred_ismember_gid(cred, object_gid, &is_member) && is_member) {
5987 /*
5988 * ALLOW: allowed by +group
5989 */
5990 return (0);
5991 } else {
5992 if ((mode_req & mode_world) != mode_req) {
5993 /*
5994 * DENY: both -group & world would deny
5995 */
5996 return (EACCES);
5997 } else {
5998 /*
5999 * ALLOW: allowed by -group and +world
6000 */
6001 return (0);
6002 }
6003 }
6004 }
6005 }
6006 }