xnu-1699.24.8.tar.gz
[apple/xnu.git] / bsd / kern / kern_authorization.c
1 /*
2 * Copyright (c) 2004-2007 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /*
30 * Centralized authorisation framework.
31 */
32
33 #include <sys/appleapiopts.h>
34 #include <sys/param.h> /* XXX trim includes */
35 #include <sys/acct.h>
36 #include <sys/systm.h>
37 #include <sys/ucred.h>
38 #include <sys/proc_internal.h>
39 #include <sys/timeb.h>
40 #include <sys/times.h>
41 #include <sys/malloc.h>
42 #include <sys/vnode_internal.h>
43 #include <sys/kauth.h>
44 #include <sys/stat.h>
45
46 #include <security/audit/audit.h>
47
48 #include <sys/mount.h>
49 #include <sys/sysproto.h>
50 #include <mach/message.h>
51 #include <mach/host_security.h>
52
53 #include <kern/locks.h>
54
55
56 /*
57 * Authorization scopes.
58 */
59
60 lck_grp_t *kauth_lck_grp;
61 static lck_mtx_t *kauth_scope_mtx;
62 #define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx);
63 #define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx);
64
65 /*
66 * We support listeners for scopes that have not been registered yet.
67 * If a listener comes in for a scope that is not active we hang the listener
68 * off our kauth_dangling_listeners list and once the scope becomes active we
69 * remove it from kauth_dangling_listeners and add it to the active scope.
70 */
71 struct kauth_listener {
72 TAILQ_ENTRY(kauth_listener) kl_link;
73 const char * kl_identifier;
74 kauth_scope_callback_t kl_callback;
75 void * kl_idata;
76 };
77
78 /* XXX - kauth_todo - there is a race if a scope listener is removed while we
79 * we are in the kauth_authorize_action code path. We intentionally do not take
80 * a scope lock in order to get the best possible performance. we will fix this
81 * post Tiger.
82 * Until the race is fixed our kext clients are responsible for all active
83 * requests that may be in their callback code or on the way to their callback
84 * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata.
85 * We keep copies of these in our kauth_local_listener in an attempt to limit
86 * our expose to unlisten race.
87 */
88 struct kauth_local_listener {
89 kauth_listener_t kll_listenerp;
90 kauth_scope_callback_t kll_callback;
91 void * kll_idata;
92 };
93 typedef struct kauth_local_listener *kauth_local_listener_t;
94
95 static TAILQ_HEAD(,kauth_listener) kauth_dangling_listeners;
96
97 /*
98 * Scope listeners need to be reworked to be dynamic.
99 * We intentionally used a static table to avoid locking issues with linked
100 * lists. The listeners may be called quite often.
101 * XXX - kauth_todo
102 */
103 #define KAUTH_SCOPE_MAX_LISTENERS 15
104
105 struct kauth_scope {
106 TAILQ_ENTRY(kauth_scope) ks_link;
107 volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS];
108 const char * ks_identifier;
109 kauth_scope_callback_t ks_callback;
110 void * ks_idata;
111 u_int ks_flags;
112 };
113
114 /* values for kauth_scope.ks_flags */
115 #define KS_F_HAS_LISTENERS (1 << 0)
116
117 static TAILQ_HEAD(,kauth_scope) kauth_scopes;
118
119 static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
120 static void kauth_scope_init(void) __attribute__((section("__TEXT, initcode")));
121 static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
122 static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
123 #if 0
124 static int kauth_scope_valid(kauth_scope_t scope);
125 #endif
126
127 kauth_scope_t kauth_scope_process;
128 static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
129 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3);
130 kauth_scope_t kauth_scope_generic;
131 static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
132 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
133 kauth_scope_t kauth_scope_fileop;
134
135 extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int, int);
136 extern char * get_pathbuff(void);
137 extern void release_pathbuff(char *path);
138
139 /*
140 * Initialization.
141 */
142 void
143 kauth_init(void)
144 {
145 lck_grp_attr_t *grp_attributes;
146
147 TAILQ_INIT(&kauth_scopes);
148 TAILQ_INIT(&kauth_dangling_listeners);
149
150 /* set up our lock group */
151 grp_attributes = lck_grp_attr_alloc_init();
152 kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes);
153 lck_grp_attr_free(grp_attributes);
154
155 /* bring up kauth subsystem components */
156 kauth_cred_init();
157 kauth_identity_init();
158 kauth_groups_init();
159 kauth_scope_init();
160 kauth_resolver_init();
161
162 /* can't alloc locks after this */
163 lck_grp_free(kauth_lck_grp);
164 kauth_lck_grp = NULL;
165 }
166
167 static void
168 kauth_scope_init(void)
169 {
170 kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/);
171 kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL);
172 kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL);
173 kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL);
174 }
175
176 /*
177 * Scope registration.
178 */
179
180 static kauth_scope_t
181 kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
182 {
183 kauth_scope_t sp;
184
185 /*
186 * Allocate and populate the scope structure.
187 */
188 MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO);
189 if (sp == NULL)
190 return(NULL);
191 sp->ks_flags = 0;
192 sp->ks_identifier = identifier;
193 sp->ks_idata = idata;
194 sp->ks_callback = callback;
195 return(sp);
196 }
197
198 static kauth_listener_t
199 kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata)
200 {
201 kauth_listener_t lsp;
202
203 /*
204 * Allocate and populate the listener structure.
205 */
206 MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK);
207 if (lsp == NULL)
208 return(NULL);
209 lsp->kl_identifier = identifier;
210 lsp->kl_idata = idata;
211 lsp->kl_callback = callback;
212 return(lsp);
213 }
214
215 kauth_scope_t
216 kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
217 {
218 kauth_scope_t sp, tsp;
219 kauth_listener_t klp;
220
221 if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL)
222 return(NULL);
223
224 /*
225 * Lock the list and insert.
226 */
227 KAUTH_SCOPELOCK();
228 TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
229 /* duplicate! */
230 if (strncmp(tsp->ks_identifier, identifier,
231 strlen(tsp->ks_identifier) + 1) == 0) {
232 KAUTH_SCOPEUNLOCK();
233 FREE(sp, M_KAUTH);
234 return(NULL);
235 }
236 }
237 TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link);
238
239 /*
240 * Look for listeners waiting for this scope, move them to the active scope
241 * listener table.
242 * Note that we have to restart the scan every time we remove an entry
243 * from the list, since we can't remove the current item from the list.
244 */
245 restart:
246 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
247 if (strncmp(klp->kl_identifier, sp->ks_identifier,
248 strlen(klp->kl_identifier) + 1) == 0) {
249 /* found a match on the dangling listener list. add it to the
250 * the active scope.
251 */
252 if (kauth_add_callback_to_scope(sp, klp) == 0) {
253 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
254 }
255 else {
256 #if 0
257 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier);
258 #endif
259 break;
260 }
261 goto restart;
262 }
263 }
264
265 KAUTH_SCOPEUNLOCK();
266 return(sp);
267 }
268
269
270
271 void
272 kauth_deregister_scope(kauth_scope_t scope)
273 {
274 int i;
275
276 KAUTH_SCOPELOCK();
277
278 TAILQ_REMOVE(&kauth_scopes, scope, ks_link);
279
280 /* relocate listeners back to the waiting list */
281 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
282 if (scope->ks_listeners[i].kll_listenerp != NULL) {
283 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link);
284 scope->ks_listeners[i].kll_listenerp = NULL;
285 /*
286 * XXX - kauth_todo - WARNING, do not clear kll_callback or
287 * kll_idata here. they are part of our scope unlisten race hack
288 */
289 }
290 }
291 KAUTH_SCOPEUNLOCK();
292 FREE(scope, M_KAUTH);
293
294 return;
295 }
296
297 kauth_listener_t
298 kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata)
299 {
300 kauth_listener_t klp;
301 kauth_scope_t sp;
302
303 if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL)
304 return(NULL);
305
306 /*
307 * Lock the scope list and check to see whether this scope already exists.
308 */
309 KAUTH_SCOPELOCK();
310 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
311 if (strncmp(sp->ks_identifier, identifier,
312 strlen(sp->ks_identifier) + 1) == 0) {
313 /* scope exists, add it to scope listener table */
314 if (kauth_add_callback_to_scope(sp, klp) == 0) {
315 KAUTH_SCOPEUNLOCK();
316 return(klp);
317 }
318 /* table already full */
319 KAUTH_SCOPEUNLOCK();
320 FREE(klp, M_KAUTH);
321 return(NULL);
322 }
323 }
324
325 /* scope doesn't exist, put on waiting list. */
326 TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link);
327
328 KAUTH_SCOPEUNLOCK();
329
330 return(klp);
331 }
332
333 void
334 kauth_unlisten_scope(kauth_listener_t listener)
335 {
336 kauth_scope_t sp;
337 kauth_listener_t klp;
338 int i, listener_count, do_free;
339
340 KAUTH_SCOPELOCK();
341
342 /* search the active scope for this listener */
343 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
344 do_free = 0;
345 if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) {
346 listener_count = 0;
347 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
348 if (sp->ks_listeners[i].kll_listenerp == listener) {
349 sp->ks_listeners[i].kll_listenerp = NULL;
350 do_free = 1;
351 /*
352 * XXX - kauth_todo - WARNING, do not clear kll_callback or
353 * kll_idata here. they are part of our scope unlisten race hack
354 */
355 }
356 else if (sp->ks_listeners[i].kll_listenerp != NULL) {
357 listener_count++;
358 }
359 }
360 if (do_free) {
361 if (listener_count == 0) {
362 sp->ks_flags &= ~KS_F_HAS_LISTENERS;
363 }
364 KAUTH_SCOPEUNLOCK();
365 FREE(listener, M_KAUTH);
366 return;
367 }
368 }
369 }
370
371 /* if not active, check the dangling list */
372 TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
373 if (klp == listener) {
374 TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link);
375 KAUTH_SCOPEUNLOCK();
376 FREE(listener, M_KAUTH);
377 return;
378 }
379 }
380
381 KAUTH_SCOPEUNLOCK();
382 return;
383 }
384
385 /*
386 * Authorization requests.
387 *
388 * Returns: 0 Success
389 * EPERM Operation not permitted
390 *
391 * Imputed: *arg3, modified Callback return - depends on callback
392 * modification of *arg3, if any
393 */
394 int
395 kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
396 uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
397 {
398 int result, ret, i;
399
400 /* ask the scope */
401 if (scope->ks_callback != NULL)
402 result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3);
403 else
404 result = KAUTH_RESULT_DEFER;
405
406 /* check with listeners */
407 if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) {
408 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
409 /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger.
410 * Until the race is fixed our kext clients are responsible for all active requests that may
411 * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata.
412 * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to
413 * unlisten race.
414 */
415 if (scope->ks_listeners[i].kll_listenerp == NULL ||
416 scope->ks_listeners[i].kll_callback == NULL)
417 continue;
418
419 ret = scope->ks_listeners[i].kll_callback(
420 credential, scope->ks_listeners[i].kll_idata,
421 action, arg0, arg1, arg2, arg3);
422 if ((ret == KAUTH_RESULT_DENY) ||
423 (result == KAUTH_RESULT_DEFER))
424 result = ret;
425 }
426 }
427
428 /* we need an explicit allow, or the auth fails */
429 /* XXX need a mechanism for auth failure to be signalled vs. denial */
430 return(result == KAUTH_RESULT_ALLOW ? 0 : EPERM);
431 }
432
433 /*
434 * Default authorization handlers.
435 */
436 int
437 kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action,
438 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
439 {
440
441 return(KAUTH_RESULT_ALLOW);
442 }
443
444 #if 0
445 /*
446 * Debugging support.
447 */
448 static int
449 kauth_scope_valid(kauth_scope_t scope)
450 {
451 kauth_scope_t sp;
452
453 KAUTH_SCOPELOCK();
454 TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
455 if (sp == scope)
456 break;
457 }
458 KAUTH_SCOPEUNLOCK();
459 return((sp == NULL) ? 0 : 1);
460 }
461 #endif
462
463 /*
464 * Process authorization scope.
465 */
466
467 int
468 kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
469 {
470 return(kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3));
471 }
472
473 static int
474 kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
475 uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
476 {
477 switch(action) {
478 case KAUTH_PROCESS_CANSIGNAL:
479 panic("KAUTH_PROCESS_CANSIGNAL not implemented");
480 /* XXX credential wrong here */
481 /* arg0 - process to signal
482 * arg1 - signal to send the process
483 */
484 if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1, 0))
485 return(KAUTH_RESULT_ALLOW);
486 break;
487 case KAUTH_PROCESS_CANTRACE:
488 /* current_proc() - process that will do the tracing
489 * arg0 - process to be traced
490 * arg1 - pointer to int - reason (errno) for denial
491 */
492 if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1))
493 return(KAUTH_RESULT_ALLOW);
494 break;
495 }
496
497 /* no explicit result, so defer to others in the chain */
498 return(KAUTH_RESULT_DEFER);
499 }
500
501 /*
502 * File system operation authorization scope. This is really only a notification
503 * of the file system operation, not an authorization check. Thus the result is
504 * not relevant.
505 * arguments passed to KAUTH_FILEOP_OPEN listeners
506 * arg0 is pointer to vnode (vnode *) for given user path.
507 * arg1 is pointer to path (char *) passed in to open.
508 * arguments passed to KAUTH_FILEOP_CLOSE listeners
509 * arg0 is pointer to vnode (vnode *) for file to be closed.
510 * arg1 is pointer to path (char *) of file to be closed.
511 * arg2 is close flags.
512 * arguments passed to KAUTH_FILEOP_RENAME listeners
513 * arg0 is pointer to "from" path (char *).
514 * arg1 is pointer to "to" path (char *).
515 * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
516 * arg0 is pointer to file 1 path (char *).
517 * arg1 is pointer to file 2 path (char *).
518 * arguments passed to KAUTH_FILEOP_EXEC listeners
519 * arg0 is pointer to vnode (vnode *) for executable.
520 * arg1 is pointer to path (char *) to executable.
521 */
522
523 int
524 kauth_authorize_fileop_has_listeners(void)
525 {
526 /*
527 * return 1 if we have any listeners for the fileop scope
528 * otherwize return 0
529 */
530 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) {
531 return(1);
532 }
533 return (0);
534 }
535
536 int
537 kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1)
538 {
539 char *namep = NULL;
540 int name_len;
541 uintptr_t arg2 = 0;
542
543 /* we do not have a primary handler for the fileop scope so bail out if
544 * there are no listeners.
545 */
546 if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
547 return(0);
548 }
549
550 if (action == KAUTH_FILEOP_OPEN || action == KAUTH_FILEOP_CLOSE || action == KAUTH_FILEOP_EXEC) {
551 /* get path to the given vnode as a convenience to our listeners.
552 */
553 namep = get_pathbuff();
554 name_len = MAXPATHLEN;
555 if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
556 release_pathbuff(namep);
557 return(0);
558 }
559 if (action == KAUTH_FILEOP_CLOSE) {
560 arg2 = arg1; /* close has some flags that come in via arg1 */
561 }
562 arg1 = (uintptr_t)namep;
563 }
564 kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0);
565
566 if (namep != NULL) {
567 release_pathbuff(namep);
568 }
569
570 return(0);
571 }
572
573 /*
574 * Generic authorization scope.
575 */
576
577 int
578 kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action)
579 {
580 if (credential == NULL)
581 panic("auth against NULL credential");
582
583 return(kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0));
584
585 }
586
587 static int
588 kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action,
589 __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3)
590 {
591 switch(action) {
592 case KAUTH_GENERIC_ISSUSER:
593 /* XXX == 0 ? */
594 return((kauth_cred_getuid(credential) == 0) ?
595 KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY);
596 break;
597 }
598
599 /* no explicit result, so defer to others in the chain */
600 return(KAUTH_RESULT_DEFER);
601 }
602
603 /*
604 * ACL evaluator.
605 *
606 * Determines whether the credential has the requested rights for an object secured by the supplied
607 * ACL.
608 *
609 * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested
610 * rights, or granted if all of the requested rights are satisfied by the ACEs so far.
611 */
612 int
613 kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
614 {
615 int applies, error, i, gotguid;
616 kauth_ace_t ace;
617 guid_t guid;
618 uint32_t rights;
619 int wkguid;
620
621 /* always allowed to do nothing */
622 if (eval->ae_requested == 0) {
623 eval->ae_result = KAUTH_RESULT_ALLOW;
624 return(0);
625 }
626
627 eval->ae_residual = eval->ae_requested;
628 eval->ae_found_deny = FALSE;
629
630 /*
631 * Get our guid for comparison purposes.
632 */
633 if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
634 KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error);
635 error = 0;
636 gotguid = 0;
637 } else {
638 gotguid = 1;
639 }
640
641 KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
642 for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) {
643
644 /*
645 * Skip inherit-only entries.
646 */
647 if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT)
648 continue;
649
650 /*
651 * Expand generic rights, if appropriate.
652 */
653 rights = ace->ace_rights;
654 if (rights & KAUTH_ACE_GENERIC_ALL)
655 rights |= eval->ae_exp_gall;
656 if (rights & KAUTH_ACE_GENERIC_READ)
657 rights |= eval->ae_exp_gread;
658 if (rights & KAUTH_ACE_GENERIC_WRITE)
659 rights |= eval->ae_exp_gwrite;
660 if (rights & KAUTH_ACE_GENERIC_EXECUTE)
661 rights |= eval->ae_exp_gexec;
662
663 /*
664 * Determine whether this entry applies to the current request. This
665 * saves us checking the GUID if the entry has nothing to do with what
666 * we're currently doing.
667 */
668 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
669 case KAUTH_ACE_PERMIT:
670 if (!(eval->ae_residual & rights))
671 continue;
672 break;
673 case KAUTH_ACE_DENY:
674 if (!(eval->ae_requested & rights))
675 continue;
676 eval->ae_found_deny = TRUE;
677 break;
678 default:
679 /* we don't recognise this ACE, skip it */
680 continue;
681 }
682
683 /*
684 * Verify whether this entry applies to the credential.
685 */
686 wkguid = kauth_wellknown_guid(&ace->ace_applicable);
687 switch(wkguid) {
688 case KAUTH_WKG_OWNER:
689 applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
690 break;
691 case KAUTH_WKG_GROUP:
692 if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN))
693 applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY);
694 else
695 applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
696 break;
697 /* we short-circuit these here rather than wasting time calling the group membership code */
698 case KAUTH_WKG_EVERYBODY:
699 applies = 1;
700 break;
701 case KAUTH_WKG_NOBODY:
702 applies = 0;
703 break;
704
705 default:
706 /* check to see whether it's exactly us, or a group we are a member of */
707 applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable);
708 KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
709 K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
710
711 if (!applies) {
712 error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
713 /*
714 * If we can't resolve group membership, we have to limit misbehaviour.
715 * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
716 * granting excess access). If the ACE is a 'deny' ACE, assume the cred
717 * is a member (avoid failing to deny).
718 */
719 if (error != 0) {
720 KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i);
721 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
722 case KAUTH_ACE_PERMIT:
723 applies = 0;
724 break;
725 case KAUTH_ACE_DENY:
726 applies = 1;
727 break;
728 }
729 } else {
730 KAUTH_DEBUG(" ACL - %s group member", applies ? "is" : "not");
731 }
732 } else {
733 KAUTH_DEBUG(" ACL - entry matches caller");
734 }
735 }
736 if (!applies)
737 continue;
738
739 /*
740 * Apply ACE to outstanding rights.
741 */
742 switch(ace->ace_flags & KAUTH_ACE_KINDMASK) {
743 case KAUTH_ACE_PERMIT:
744 /* satisfy any rights that this ACE grants */
745 eval->ae_residual = eval->ae_residual & ~rights;
746 KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual);
747 /* all rights satisfied? */
748 if (eval->ae_residual == 0) {
749 eval->ae_result = KAUTH_RESULT_ALLOW;
750 return(0);
751 }
752 break;
753 case KAUTH_ACE_DENY:
754 /* deny the request if any of the requested rights is denied */
755 if (eval->ae_requested & rights) {
756 KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights);
757 eval->ae_result = KAUTH_RESULT_DENY;
758 return(0);
759 }
760 break;
761 default:
762 KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK);
763 break;
764 }
765 }
766 /* if not permitted, defer to other modes of authorisation */
767 eval->ae_result = KAUTH_RESULT_DEFER;
768 return(0);
769 }
770
771 /*
772 * Perform ACL inheritance and umask-ACL handling.
773 *
774 * Entries are inherited from the ACL on dvp. A caller-supplied
775 * ACL is in initial, and the result is output into product.
776 * If the process has a umask ACL and one is not supplied, we use
777 * the umask ACL.
778 * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file.
779 */
780 int
781 kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx)
782 {
783 int entries, error, index;
784 unsigned int i;
785 struct vnode_attr dva;
786 kauth_acl_t inherit, result;
787
788 /*
789 * Fetch the ACL from the directory. This should never fail.
790 * Note that we don't manage inheritance when the remote server is
791 * doing authorization, since this means server enforcement of
792 * inheritance semantics; we just want to compose the initial
793 * ACL and any inherited ACE entries from the container object.
794 *
795 * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process.
796 */
797 inherit = NULL;
798 /*
799 * If there is no initial ACL, or there is, and the initial ACLs
800 * flags do not request "no inheritance", then we inherit. This allows
801 * initial object creation via open_extended() and mkdir_extended()
802 * to reject inheritance for themselves and for inferior nodes by
803 * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT
804 * flag set in the flags field.
805 */
806 if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) &&
807 (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
808 VATTR_INIT(&dva);
809 VATTR_WANTED(&dva, va_acl);
810 if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
811 KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
812 return(error);
813 }
814 if (VATTR_IS_SUPPORTED(&dva, va_acl)) {
815 inherit = dva.va_acl;
816 /*
817 * If there is an ACL on the parent directory, then
818 * there are potentially inheritable ACE entries, but
819 * if the flags on the directory ACL say not to
820 * inherit, then we don't inherit. This allows for
821 * per directory rerooting of the inheritable ACL
822 * hierarchy.
823 */
824 if (inherit != NULL && inherit->acl_flags & KAUTH_ACL_NO_INHERIT) {
825 kauth_acl_free(inherit);
826 inherit = NULL;
827 }
828 }
829 }
830
831 /*
832 * Compute the number of entries in the result ACL by scanning the
833 * input lists.
834 */
835 entries = 0;
836 if (inherit != NULL) {
837 for (i = 0; i < inherit->acl_entrycount; i++) {
838 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT))
839 entries++;
840 }
841 }
842
843 if (initial == NULL) {
844 /*
845 * XXX 3634665 TODO: if the initial ACL is not specfied by
846 * XXX the caller, fetch the umask ACL from the process,
847 * and use it in place of "initial".
848 */
849 }
850
851 if (initial != NULL) {
852 if (initial->acl_entrycount != KAUTH_FILESEC_NOACL)
853 entries += initial->acl_entrycount;
854 else
855 initial = NULL;
856 }
857
858 /*
859 * If there is no initial ACL, and no inheritable entries, the
860 * object should be created with no ACL at all.
861 * Note that this differs from the case where the initial ACL
862 * is empty, in which case the object must also have an empty ACL.
863 */
864 if ((entries == 0) && (initial == NULL)) {
865 *product = NULL;
866 error = 0;
867 goto out;
868 }
869
870 /*
871 * Allocate the result buffer.
872 */
873 if ((result = kauth_acl_alloc(entries)) == NULL) {
874 KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries);
875 error = ENOMEM;
876 goto out;
877 }
878
879 /*
880 * Composition is simply:
881 * - initial direct ACEs
882 * - inherited ACEs from new parent
883 */
884 index = 0;
885 if (initial != NULL) {
886 for (i = 0; i < initial->acl_entrycount; i++) {
887 if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) {
888 result->acl_ace[index++] = initial->acl_ace[i];
889 }
890 }
891 KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount);
892 }
893 if (inherit != NULL) {
894 for (i = 0; i < inherit->acl_entrycount; i++) {
895 /*
896 * Inherit onto this object? We inherit only if
897 * the target object is a container object and the
898 * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if
899 * if the target object is not a container, and
900 * the KAUTH_ACE_FILE_INHERIT bit is set.
901 */
902 if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
903 result->acl_ace[index] = inherit->acl_ace[i];
904 result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
905 result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT;
906 /*
907 * We do not re-inherit inheritance flags
908 * if the ACE from the container has a
909 * KAUTH_ACE_LIMIT_INHERIT, OR if the new
910 * object is not itself a container (since
911 * inheritance is always container-based).
912 */
913 if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) {
914 result->acl_ace[index].ace_flags &=
915 ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS);
916 }
917 index++;
918 }
919 }
920 }
921 result->acl_entrycount = index;
922 *product = result;
923 KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index);
924 error = 0;
925 out:
926 if (inherit != NULL)
927 kauth_acl_free(inherit);
928 return(error);
929 }
930
931 /*
932 * Optimistically copy in a kauth_filesec structure
933 *
934 * Parameters: xsecurity user space kauth_filesec_t
935 * xsecdstpp pointer to kauth_filesec_t to be
936 * modified to contain the contain a
937 * pointer to an allocated copy of the
938 * user space argument
939 *
940 * Returns: 0 Success
941 * ENOMEM Insufficient memory for the copy.
942 * EINVAL The user space data was invalid, or
943 * there were too many ACE entries.
944 * EFAULT The user space address was invalid;
945 * this may mean 'fsec_entrycount' in
946 * the user copy is corrupt/incorrect.
947 *
948 * Implicit returns: xsecdestpp, modified (only if successful!)
949 *
950 * Notes: The returned kauth_filesec_t is in host byte order
951 *
952 * The caller is responsible for freeing the returned
953 * kauth_filesec_t in the success case using the function
954 * kauth_filesec_free()
955 *
956 * Our largest initial guess is 32; this needs to move to
957 * a manifest constant in <sys/kauth.h>.
958 */
959 int
960 kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
961 {
962 user_addr_t uaddr, known_bound;
963 int error;
964 kauth_filesec_t fsec;
965 u_int32_t count;
966 size_t copysize;
967
968 error = 0;
969 fsec = NULL;
970
971 /*
972 * Make a guess at the size of the filesec. We start with the base
973 * pointer, and look at how much room is left on the page, clipped
974 * to a sensible upper bound. If it turns out this isn't enough,
975 * we'll size based on the actual ACL contents and come back again.
976 *
977 * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
978 * value here is fairly arbitrary. It's ok to have a zero count.
979 */
980 known_bound = xsecurity + KAUTH_FILESEC_SIZE(0);
981 uaddr = mach_vm_round_page(known_bound);
982 count = (uaddr - known_bound) / sizeof(struct kauth_ace);
983 if (count > 32)
984 count = 32;
985 restart:
986 if ((fsec = kauth_filesec_alloc(count)) == NULL) {
987 error = ENOMEM;
988 goto out;
989 }
990 copysize = KAUTH_FILESEC_SIZE(count);
991 if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0)
992 goto out;
993
994 /* validate the filesec header */
995 if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) {
996 error = EINVAL;
997 goto out;
998 }
999
1000 /*
1001 * Is there an ACL payload, and is it too big?
1002 */
1003 if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
1004 (fsec->fsec_entrycount > count)) {
1005 if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
1006 /* XXX This should be E2BIG */
1007 error = EINVAL;
1008 goto out;
1009 }
1010 count = fsec->fsec_entrycount;
1011 kauth_filesec_free(fsec);
1012 goto restart;
1013 }
1014
1015 out:
1016 if (error) {
1017 if (fsec)
1018 kauth_filesec_free(fsec);
1019 } else {
1020 *xsecdestpp = fsec;
1021 AUDIT_ARG(opaque, fsec, copysize);
1022 }
1023 return(error);
1024 }
1025
1026 /*
1027 * Allocate a block of memory containing a filesec structure, immediately
1028 * followed by 'count' kauth_ace structures.
1029 *
1030 * Parameters: count Number of kauth_ace structures needed
1031 *
1032 * Returns: !NULL A pointer to the allocated block
1033 * NULL Invalid 'count' or insufficient memory
1034 *
1035 * Notes: Returned memory area assumes that the structures are packed
1036 * densely, so this function may only be used by code that also
1037 * assumes no padding following structures.
1038 *
1039 * The returned structure must be freed by the caller using the
1040 * function kauth_filesec_free(), in case we decide to use an
1041 * allocation mechanism that is aware of the object size at some
1042 * point, since the object size is only available by introspecting
1043 * the object itself.
1044 */
1045 kauth_filesec_t
1046 kauth_filesec_alloc(int count)
1047 {
1048 kauth_filesec_t fsp;
1049
1050 /* if the caller hasn't given us a valid size hint, assume the worst */
1051 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
1052 return(NULL);
1053
1054 MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK);
1055 if (fsp != NULL) {
1056 fsp->fsec_magic = KAUTH_FILESEC_MAGIC;
1057 fsp->fsec_owner = kauth_null_guid;
1058 fsp->fsec_group = kauth_null_guid;
1059 fsp->fsec_entrycount = KAUTH_FILESEC_NOACL;
1060 fsp->fsec_flags = 0;
1061 }
1062 return(fsp);
1063 }
1064
1065 /*
1066 * Free a kauth_filesec_t that was previous allocated, either by a direct
1067 * call to kauth_filesec_alloc() or by calling a function that calls it.
1068 *
1069 * Parameters: fsp kauth_filesec_t to free
1070 *
1071 * Returns: (void)
1072 *
1073 * Notes: The kauth_filesec_t to be freed is assumed to be in host
1074 * byte order so that this function can introspect it in the
1075 * future to determine its size, if necesssary.
1076 */
1077 void
1078 kauth_filesec_free(kauth_filesec_t fsp)
1079 {
1080 #ifdef KAUTH_DEBUG_ENABLE
1081 if (fsp == KAUTH_FILESEC_NONE)
1082 panic("freeing KAUTH_FILESEC_NONE");
1083 if (fsp == KAUTH_FILESEC_WANTED)
1084 panic("freeing KAUTH_FILESEC_WANTED");
1085 #endif
1086 FREE(fsp, M_KAUTH);
1087 }
1088
1089 /*
1090 * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the
1091 * ACL interior to 'fsec' instead. If the endianness doesn't change, then
1092 * this function will have no effect.
1093 *
1094 * Parameters: kendian The endianness to set; this is either
1095 * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK.
1096 * fsec The filesec to convert.
1097 * acl The ACL to convert (optional)
1098 *
1099 * Returns: (void)
1100 *
1101 * Notes: We use ntohl() because it has a transitive property on Intel
1102 * machines and no effect on PPC mancines. This guarantees us
1103 * that the swapping only occurs if the endiannes is wrong.
1104 */
1105 void
1106 kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl)
1107 {
1108 uint32_t compare_magic = KAUTH_FILESEC_MAGIC;
1109 uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC);
1110 uint32_t compare_acl_entrycount;
1111 uint32_t i;
1112
1113 if (compare_magic == invert_magic)
1114 return;
1115
1116 /* If no ACL, use ACL interior to 'fsec' instead */
1117 if (acl == NULL)
1118 acl = &fsec->fsec_acl;
1119
1120 compare_acl_entrycount = acl->acl_entrycount;
1121
1122 /*
1123 * Only convert what needs to be converted, and only if the arguments
1124 * are valid. The following switch and tests effectively reject
1125 * conversions on invalid magic numbers as a desirable side effect.
1126 */
1127 switch(kendian) {
1128 case KAUTH_ENDIAN_HOST: /* not in host, convert to host */
1129 if (fsec->fsec_magic != invert_magic)
1130 return;
1131 /* acl_entrycount is byteswapped */
1132 compare_acl_entrycount = ntohl(acl->acl_entrycount);
1133 break;
1134 case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */
1135 if (fsec->fsec_magic != compare_magic)
1136 return;
1137 break;
1138 default: /* bad argument */
1139 return;
1140 }
1141
1142 /* We are go for conversion */
1143 fsec->fsec_magic = ntohl(fsec->fsec_magic);
1144 acl->acl_entrycount = ntohl(acl->acl_entrycount);
1145 if (compare_acl_entrycount != KAUTH_FILESEC_NOACL) {
1146 acl->acl_flags = ntohl(acl->acl_flags);
1147
1148 /* swap ACE rights and flags */
1149 for (i = 0; i < compare_acl_entrycount; i++) {
1150 acl->acl_ace[i].ace_flags = ntohl(acl->acl_ace[i].ace_flags);
1151 acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights);
1152 }
1153 }
1154 }
1155
1156
1157 /*
1158 * Allocate an ACL buffer.
1159 */
1160 kauth_acl_t
1161 kauth_acl_alloc(int count)
1162 {
1163 kauth_acl_t aclp;
1164
1165 /* if the caller hasn't given us a valid size hint, assume the worst */
1166 if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES))
1167 return(NULL);
1168
1169 MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK);
1170 if (aclp != NULL) {
1171 aclp->acl_entrycount = 0;
1172 aclp->acl_flags = 0;
1173 }
1174 return(aclp);
1175 }
1176
1177 void
1178 kauth_acl_free(kauth_acl_t aclp)
1179 {
1180 FREE(aclp, M_KAUTH);
1181 }
1182
1183
1184 /*
1185 * WARNING - caller must hold KAUTH_SCOPELOCK
1186 */
1187 static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp)
1188 {
1189 int i;
1190
1191 for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) {
1192 if (sp->ks_listeners[i].kll_listenerp == NULL) {
1193 sp->ks_listeners[i].kll_callback = klp->kl_callback;
1194 sp->ks_listeners[i].kll_idata = klp->kl_idata;
1195 sp->ks_listeners[i].kll_listenerp = klp;
1196 sp->ks_flags |= KS_F_HAS_LISTENERS;
1197 return(0);
1198 }
1199 }
1200 return(ENOSPC);
1201 }