+int
+sodefunct(struct proc *p, struct socket *so, int level)
+{
+ struct sockbuf *rcv, *snd;
+
+ if (!(so->so_flags & SOF_DEFUNCT)) {
+ panic("%s improperly called", __func__);
+ /* NOTREACHED */
+ }
+ if (so->so_state & SS_DEFUNCT)
+ goto done;
+
+ rcv = &so->so_rcv;
+ snd = &so->so_snd;
+
+ if (SOCK_DOM(so) == PF_INET || SOCK_DOM(so) == PF_INET6) {
+ char s[MAX_IPv6_STR_LEN];
+ char d[MAX_IPv6_STR_LEN];
+ struct inpcb *inp = sotoinpcb(so);
+
+ SODEFUNCTLOG(("%s[%d]: (target pid %d level %d) so 0x%llx [%s "
+ "%s:%d -> %s:%d] is now defunct [rcv_si 0x%x, snd_si 0x%x, "
+ "rcv_fl 0x%x, snd_fl 0x%x]\n", __func__, proc_selfpid(),
+ proc_pid(p), level, (uint64_t)VM_KERNEL_ADDRPERM(so),
+ (SOCK_TYPE(so) == SOCK_STREAM) ? "TCP" : "UDP",
+ inet_ntop(SOCK_DOM(so), ((SOCK_DOM(so) == PF_INET) ?
+ (void *)&inp->inp_laddr.s_addr : (void *)&inp->in6p_laddr),
+ s, sizeof (s)), ntohs(inp->in6p_lport),
+ inet_ntop(SOCK_DOM(so), (SOCK_DOM(so) == PF_INET) ?
+ (void *)&inp->inp_faddr.s_addr : (void *)&inp->in6p_faddr,
+ d, sizeof (d)), ntohs(inp->in6p_fport),
+ (uint32_t)rcv->sb_sel.si_flags,
+ (uint32_t)snd->sb_sel.si_flags,
+ rcv->sb_flags, snd->sb_flags));
+ } else {
+ SODEFUNCTLOG(("%s[%d]: (target pid %d level %d) so 0x%llx "
+ "[%d,%d] is now defunct [rcv_si 0x%x, snd_si 0x%x, "
+ "rcv_fl 0x%x, snd_fl 0x%x]\n", __func__, proc_selfpid(),
+ proc_pid(p), level, (uint64_t)VM_KERNEL_ADDRPERM(so),
+ SOCK_DOM(so), SOCK_TYPE(so), (uint32_t)rcv->sb_sel.si_flags,
+ (uint32_t)snd->sb_sel.si_flags, rcv->sb_flags,
+ snd->sb_flags));
+ }
+
+ /*
+ * Unwedge threads blocked on sbwait() and sb_lock().
+ */
+ sbwakeup(rcv);
+ sbwakeup(snd);
+
+ if (rcv->sb_flags & SB_LOCK)
+ sbunlock(rcv, TRUE); /* keep socket locked */
+ if (snd->sb_flags & SB_LOCK)
+ sbunlock(snd, TRUE); /* keep socket locked */
+
+ /*
+ * Flush the buffers and disconnect. We explicitly call shutdown
+ * on both data directions to ensure that SS_CANT{RCV,SEND}MORE
+ * states are set for the socket. This would also flush out data
+ * hanging off the receive list of this socket.
+ */
+ (void) soshutdownlock(so, SHUT_RD);
+ (void) soshutdownlock(so, SHUT_WR);
+ (void) sodisconnectlocked(so);
+
+ /*
+ * Explicitly handle connectionless-protocol disconnection
+ * and release any remaining data in the socket buffers.
+ */
+ if (!(so->so_flags & SS_ISDISCONNECTED))
+ (void) soisdisconnected(so);
+
+ if (so->so_error == 0)
+ so->so_error = EBADF;
+
+ if (rcv->sb_cc != 0) {
+ rcv->sb_flags &= ~SB_SEL;
+ selthreadclear(&rcv->sb_sel);
+ sbrelease(rcv);
+ }
+ if (snd->sb_cc != 0) {
+ snd->sb_flags &= ~SB_SEL;
+ selthreadclear(&snd->sb_sel);
+ sbrelease(snd);
+ }
+ so->so_state |= SS_DEFUNCT;
+
+done:
+ return (0);
+}
+
+__private_extern__ int
+so_set_recv_anyif(struct socket *so, int optval)
+{
+ int ret = 0;
+
+#if INET6
+ if (SOCK_DOM(so) == PF_INET || SOCK_DOM(so) == PF_INET6) {
+#else
+ if (SOCK_DOM(so) == PF_INET) {
+#endif /* !INET6 */
+ if (optval)
+ sotoinpcb(so)->inp_flags |= INP_RECV_ANYIF;
+ else
+ sotoinpcb(so)->inp_flags &= ~INP_RECV_ANYIF;
+ }
+
+ return (ret);
+}
+
+__private_extern__ int
+so_get_recv_anyif(struct socket *so)
+{
+ int ret = 0;
+
+#if INET6
+ if (SOCK_DOM(so) == PF_INET || SOCK_DOM(so) == PF_INET6) {
+#else
+ if (SOCK_DOM(so) == PF_INET) {
+#endif /* !INET6 */
+ ret = (sotoinpcb(so)->inp_flags & INP_RECV_ANYIF) ? 1 : 0;
+ }
+
+ return (ret);
+}
+
+int
+so_set_restrictions(struct socket *so, uint32_t vals)
+{
+ int nocell_old, nocell_new;
+ int ret = 0;
+
+ /*
+ * Deny-type restrictions are trapdoors; once set they cannot be
+ * unset for the lifetime of the socket. This allows them to be
+ * issued by a framework on behalf of the application without
+ * having to worry that they can be undone.
+ *
+ * Note here that socket-level restrictions overrides any protocol
+ * level restrictions. For instance, SO_RESTRICT_DENY_CELLULAR
+ * socket restriction issued on the socket has a higher precendence
+ * than INP_NO_IFT_CELLULAR. The latter is affected by the UUID
+ * policy PROC_UUID_NO_CELLULAR for unrestricted sockets only,
+ * i.e. when SO_RESTRICT_DENY_CELLULAR has not been issued.
+ */
+ nocell_old = (so->so_restrictions & SO_RESTRICT_DENY_CELLULAR);
+ so->so_restrictions |= (vals & (SO_RESTRICT_DENY_IN |
+ SO_RESTRICT_DENY_OUT | SO_RESTRICT_DENY_CELLULAR));
+ nocell_new = (so->so_restrictions & SO_RESTRICT_DENY_CELLULAR);
+
+ /* other than deny cellular, there's nothing more to do */
+ if ((nocell_new - nocell_old) == 0)
+ return (ret);
+
+ /* we can only set, not clear restrictions */
+ VERIFY((nocell_new - nocell_old) > 0);
+
+#if INET6
+ if (SOCK_DOM(so) == PF_INET || SOCK_DOM(so) == PF_INET6) {
+#else
+ if (SOCK_DOM(so) == PF_INET) {
+#endif /* !INET6 */
+ /* if deny cellular is now set, do what's needed for INPCB */
+ inp_set_nocellular(sotoinpcb(so));
+ }
+
+ return (ret);
+}
+
+uint32_t
+so_get_restrictions(struct socket *so)
+{
+ return (so->so_restrictions & (SO_RESTRICT_DENY_IN |
+ SO_RESTRICT_DENY_OUT | SO_RESTRICT_DENY_CELLULAR));
+}
+
+struct sockaddr_entry *
+sockaddrentry_alloc(int how)
+{
+ struct sockaddr_entry *se;
+
+ se = (how == M_WAITOK) ? zalloc(se_zone) : zalloc_noblock(se_zone);
+ if (se != NULL)
+ bzero(se, se_zone_size);
+
+ return (se);
+}
+
+void
+sockaddrentry_free(struct sockaddr_entry *se)
+{
+ if (se->se_addr != NULL) {
+ FREE(se->se_addr, M_SONAME);
+ se->se_addr = NULL;
+ }
+ zfree(se_zone, se);
+}
+
+struct sockaddr_entry *
+sockaddrentry_dup(const struct sockaddr_entry *src_se, int how)
+{
+ struct sockaddr_entry *dst_se;
+
+ dst_se = sockaddrentry_alloc(how);
+ if (dst_se != NULL) {
+ int len = src_se->se_addr->sa_len;
+
+ MALLOC(dst_se->se_addr, struct sockaddr *,
+ len, M_SONAME, how | M_ZERO);
+ if (dst_se->se_addr != NULL) {
+ bcopy(src_se->se_addr, dst_se->se_addr, len);
+ } else {
+ sockaddrentry_free(dst_se);
+ dst_se = NULL;
+ }
+ }
+
+ return (dst_se);
+}
+
+struct sockaddr_list *
+sockaddrlist_alloc(int how)
+{
+ struct sockaddr_list *sl;
+
+ sl = (how == M_WAITOK) ? zalloc(sl_zone) : zalloc_noblock(sl_zone);
+ if (sl != NULL) {
+ bzero(sl, sl_zone_size);
+ TAILQ_INIT(&sl->sl_head);
+ }
+ return (sl);
+}
+
+void
+sockaddrlist_free(struct sockaddr_list *sl)
+{
+ struct sockaddr_entry *se, *tse;
+
+ TAILQ_FOREACH_SAFE(se, &sl->sl_head, se_link, tse) {
+ sockaddrlist_remove(sl, se);
+ sockaddrentry_free(se);
+ }
+ VERIFY(sl->sl_cnt == 0 && TAILQ_EMPTY(&sl->sl_head));
+ zfree(sl_zone, sl);
+}
+
+void
+sockaddrlist_insert(struct sockaddr_list *sl, struct sockaddr_entry *se)
+{
+ VERIFY(!(se->se_flags & SEF_ATTACHED));
+ se->se_flags |= SEF_ATTACHED;
+ TAILQ_INSERT_TAIL(&sl->sl_head, se, se_link);
+ sl->sl_cnt++;
+ VERIFY(sl->sl_cnt != 0);
+}
+
+void
+sockaddrlist_remove(struct sockaddr_list *sl, struct sockaddr_entry *se)
+{
+ VERIFY(se->se_flags & SEF_ATTACHED);
+ se->se_flags &= ~SEF_ATTACHED;
+ VERIFY(sl->sl_cnt != 0);
+ sl->sl_cnt--;
+ TAILQ_REMOVE(&sl->sl_head, se, se_link);
+}
+
+struct sockaddr_list *
+sockaddrlist_dup(const struct sockaddr_list *src_sl, int how)
+{
+ struct sockaddr_entry *src_se, *tse;
+ struct sockaddr_list *dst_sl;
+
+ dst_sl = sockaddrlist_alloc(how);
+ if (dst_sl == NULL)
+ return (NULL);
+
+ TAILQ_FOREACH_SAFE(src_se, &src_sl->sl_head, se_link, tse) {
+ struct sockaddr_entry *dst_se;
+
+ if (src_se->se_addr == NULL)
+ continue;
+
+ dst_se = sockaddrentry_dup(src_se, how);
+ if (dst_se == NULL) {
+ sockaddrlist_free(dst_sl);
+ return (NULL);
+ }
+
+ sockaddrlist_insert(dst_sl, dst_se);
+ }
+ VERIFY(src_sl->sl_cnt == dst_sl->sl_cnt);
+
+ return (dst_sl);
+}
+
+int
+so_set_effective_pid(struct socket *so, int epid, struct proc *p)
+{
+ struct proc *ep = PROC_NULL;
+ int error = 0;
+
+ /* pid 0 is reserved for kernel */
+ if (epid == 0) {
+ error = EINVAL;
+ goto done;
+ }
+
+ /*
+ * If this is an in-kernel socket, prevent its delegate
+ * association from changing unless the socket option is
+ * coming from within the kernel itself.
+ */
+ if (so->last_pid == 0 && p != kernproc) {
+ error = EACCES;
+ goto done;
+ }
+
+ /*
+ * If this is issued by a process that's recorded as the
+ * real owner of the socket, or if the pid is the same as
+ * the process's own pid, then proceed. Otherwise ensure
+ * that the issuing process has the necessary privileges.
+ */
+ if (epid != so->last_pid || epid != proc_pid(p)) {
+ if ((error = priv_check_cred(kauth_cred_get(),
+ PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, 0))) {
+ error = EACCES;
+ goto done;
+ }
+ }
+
+ /* Find the process that corresponds to the effective pid */
+ if ((ep = proc_find(epid)) == PROC_NULL) {
+ error = ESRCH;
+ goto done;
+ }
+
+ /*
+ * If a process tries to delegate the socket to itself, then
+ * there's really nothing to do; treat it as a way for the
+ * delegate association to be cleared. Note that we check
+ * the passed-in proc rather than calling proc_selfpid(),
+ * as we need to check the process issuing the socket option
+ * which could be kernproc. Given that we don't allow 0 for
+ * effective pid, it means that a delegated in-kernel socket
+ * stays delegated during its lifetime (which is probably OK.)
+ */
+ if (epid == proc_pid(p)) {
+ so->so_flags &= ~SOF_DELEGATED;
+ so->e_upid = 0;
+ so->e_pid = 0;
+ uuid_clear(so->e_uuid);
+ } else {
+ so->so_flags |= SOF_DELEGATED;
+ so->e_upid = proc_uniqueid(ep);
+ so->e_pid = proc_pid(ep);
+ proc_getexecutableuuid(ep, so->e_uuid, sizeof (so->e_uuid));
+ }
+
+done:
+ if (error == 0 && net_io_policy_log) {
+ uuid_string_t buf;
+
+ uuid_unparse(so->e_uuid, buf);
+ log(LOG_DEBUG, "%s[%s,%d]: so 0x%llx [%d,%d] epid %d (%s) "
+ "euuid %s%s\n", __func__, proc_name_address(p),
+ proc_pid(p), (uint64_t)VM_KERNEL_ADDRPERM(so), SOCK_DOM(so),
+ SOCK_TYPE(so), so->e_pid, proc_name_address(ep), buf,
+ ((so->so_flags & SOF_DELEGATED) ? " [delegated]" : ""));
+ } else if (error != 0 && net_io_policy_log) {
+ log(LOG_ERR, "%s[%s,%d]: so 0x%llx [%d,%d] epid %d (%s) "
+ "ERROR (%d)\n", __func__, proc_name_address(p),
+ proc_pid(p), (uint64_t)VM_KERNEL_ADDRPERM(so), SOCK_DOM(so),
+ SOCK_TYPE(so), epid, (ep == PROC_NULL) ? "PROC_NULL" :
+ proc_name_address(ep), error);
+ }
+
+ if (ep != PROC_NULL)
+ proc_rele(ep);
+
+ return (error);
+}
+
+int
+so_set_effective_uuid(struct socket *so, uuid_t euuid, struct proc *p)
+{
+ uuid_string_t buf;
+ uuid_t uuid;
+ int error = 0;
+
+ /* UUID must not be all-zeroes (reserved for kernel) */
+ if (uuid_is_null(euuid)) {
+ error = EINVAL;
+ goto done;;
+ }
+
+ /*
+ * If this is an in-kernel socket, prevent its delegate
+ * association from changing unless the socket option is
+ * coming from within the kernel itself.
+ */
+ if (so->last_pid == 0 && p != kernproc) {
+ error = EACCES;
+ goto done;
+ }
+
+ /* Get the UUID of the issuing process */
+ proc_getexecutableuuid(p, uuid, sizeof (uuid));
+
+ /*
+ * If this is issued by a process that's recorded as the
+ * real owner of the socket, or if the uuid is the same as
+ * the process's own uuid, then proceed. Otherwise ensure
+ * that the issuing process has the necessary privileges.
+ */
+ if (uuid_compare(euuid, so->last_uuid) != 0 ||
+ uuid_compare(euuid, uuid) != 0) {
+ if ((error = priv_check_cred(kauth_cred_get(),
+ PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, 0))) {
+ error = EACCES;
+ goto done;
+ }
+ }
+
+ /*
+ * If a process tries to delegate the socket to itself, then
+ * there's really nothing to do; treat it as a way for the
+ * delegate association to be cleared. Note that we check
+ * the uuid of the passed-in proc rather than that of the
+ * current process, as we need to check the process issuing
+ * the socket option which could be kernproc itself. Given
+ * that we don't allow 0 for effective uuid, it means that
+ * a delegated in-kernel socket stays delegated during its
+ * lifetime (which is okay.)
+ */
+ if (uuid_compare(euuid, uuid) == 0) {
+ so->so_flags &= ~SOF_DELEGATED;
+ so->e_upid = 0;
+ so->e_pid = 0;
+ uuid_clear(so->e_uuid);
+ } else {
+ so->so_flags |= SOF_DELEGATED;
+ /*
+ * Unlike so_set_effective_pid(), we only have the UUID
+ * here and the process ID is not known. Inherit the
+ * real {pid,upid} of the socket.
+ */
+ so->e_upid = so->last_upid;
+ so->e_pid = so->last_pid;
+ uuid_copy(so->e_uuid, euuid);
+ }
+
+done:
+ if (error == 0 && net_io_policy_log) {
+ uuid_unparse(so->e_uuid, buf);
+ log(LOG_DEBUG, "%s[%s,%d]: so 0x%llx [%d,%d] epid %d "
+ "euuid %s%s\n", __func__, proc_name_address(p), proc_pid(p),
+ (uint64_t)VM_KERNEL_ADDRPERM(so), SOCK_DOM(so),
+ SOCK_TYPE(so), so->e_pid, buf,
+ ((so->so_flags & SOF_DELEGATED) ? " [delegated]" : ""));
+ } else if (error != 0 && net_io_policy_log) {
+ uuid_unparse(euuid, buf);
+ log(LOG_DEBUG, "%s[%s,%d]: so 0x%llx [%d,%d] euuid %s "
+ "ERROR (%d)\n", __func__, proc_name_address(p), proc_pid(p),
+ (uint64_t)VM_KERNEL_ADDRPERM(so), SOCK_DOM(so),
+ SOCK_TYPE(so), buf, error);
+ }
+
+ return (error);
+}
+
+void
+netpolicy_post_msg(uint32_t ev_code, struct netpolicy_event_data *ev_data,
+ uint32_t ev_datalen)
+{
+ struct kev_msg ev_msg;
+
+ /*
+ * A netpolicy event always starts with a netpolicy_event_data
+ * structure, but the caller can provide for a longer event
+ * structure to post, depending on the event code.
+ */
+ VERIFY(ev_data != NULL && ev_datalen >= sizeof (*ev_data));
+
+ bzero(&ev_msg, sizeof (ev_msg));
+ ev_msg.vendor_code = KEV_VENDOR_APPLE;
+ ev_msg.kev_class = KEV_NETWORK_CLASS;
+ ev_msg.kev_subclass = KEV_NETPOLICY_SUBCLASS;
+ ev_msg.event_code = ev_code;
+
+ ev_msg.dv[0].data_ptr = ev_data;
+ ev_msg.dv[0].data_length = ev_datalen;
+
+ kev_post_msg(&ev_msg);
+}
projects / apple / xnu.git / blobdiff