/*
- * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2004-2011 Apple Inc. All rights reserved.
*
- * @APPLE_LICENSE_HEADER_START@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
*
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
*
- * @APPLE_LICENSE_HEADER_END@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*
#include <sys/kauth.h>
#include <sys/stat.h>
-#include <bsm/audit_kernel.h>
+#include <security/audit/audit.h>
#include <sys/mount.h>
#include <sys/sysproto.h>
static TAILQ_HEAD(,kauth_scope) kauth_scopes;
static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp);
-static void kauth_scope_init(void);
+static void kauth_scope_init(void) __attribute__((section("__TEXT, initcode")));
static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata);
static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata);
#if 0
uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
kauth_scope_t kauth_scope_fileop;
-extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int);
+extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int, int);
extern char * get_pathbuff(void);
extern void release_pathbuff(char *path);
/* bring up kauth subsystem components */
kauth_cred_init();
+#if CONFIG_EXT_RESOLVER
kauth_identity_init();
kauth_groups_init();
+#endif
kauth_scope_init();
+#if CONFIG_EXT_RESOLVER
kauth_resolver_init();
-
+#endif
/* can't alloc locks after this */
lck_grp_free(kauth_lck_grp);
kauth_lck_grp = NULL;
/*
* Allocate and populate the scope structure.
*/
- MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK);
+ MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO);
if (sp == NULL)
return(NULL);
- bzero(&sp->ks_listeners, sizeof(sp->ks_listeners));
sp->ks_flags = 0;
sp->ks_identifier = identifier;
sp->ks_idata = idata;
KAUTH_SCOPELOCK();
TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) {
/* duplicate! */
- if (strcmp(tsp->ks_identifier, identifier) == 0) {
+ if (strncmp(tsp->ks_identifier, identifier,
+ strlen(tsp->ks_identifier) + 1) == 0) {
KAUTH_SCOPEUNLOCK();
FREE(sp, M_KAUTH);
return(NULL);
*/
restart:
TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) {
- if (strcmp(klp->kl_identifier, sp->ks_identifier) == 0) {
+ if (strncmp(klp->kl_identifier, sp->ks_identifier,
+ strlen(klp->kl_identifier) + 1) == 0) {
/* found a match on the dangling listener list. add it to the
* the active scope.
*/
*/
KAUTH_SCOPELOCK();
TAILQ_FOREACH(sp, &kauth_scopes, ks_link) {
- if (strcmp(sp->ks_identifier, identifier) == 0) {
+ if (strncmp(sp->ks_identifier, identifier,
+ strlen(sp->ks_identifier) + 1) == 0) {
/* scope exists, add it to scope listener table */
if (kauth_add_callback_to_scope(sp, klp) == 0) {
KAUTH_SCOPEUNLOCK();
/*
* Authorization requests.
+ *
+ * Returns: 0 Success
+ * EPERM Operation not permitted
+ *
+ * Imputed: *arg3, modified Callback return - depends on callback
+ * modification of *arg3, if any
*/
int
kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action,
/* arg0 - process to signal
* arg1 - signal to send the process
*/
- if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1))
+ if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1, 0))
return(KAUTH_RESULT_ALLOW);
break;
case KAUTH_PROCESS_CANTRACE:
int
kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval)
{
- int applies, error, i;
+ int applies, error, i, gotguid;
kauth_ace_t ace;
guid_t guid;
uint32_t rights;
}
eval->ae_residual = eval->ae_requested;
+ eval->ae_found_deny = FALSE;
/*
* Get our guid for comparison purposes.
*/
if ((error = kauth_cred_getguid(cred, &guid)) != 0) {
- eval->ae_result = KAUTH_RESULT_DENY;
- KAUTH_DEBUG(" ACL - can't get credential GUID (%d), ACL denied", error);
- return(error);
+ KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error);
+ error = 0;
+ gotguid = 0;
+ } else {
+ gotguid = 1;
}
KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual);
case KAUTH_ACE_DENY:
if (!(eval->ae_requested & rights))
continue;
+ eval->ae_found_deny = TRUE;
break;
default:
/* we don't recognise this ACE, skip it */
continue;
}
-
+
/*
* Verify whether this entry applies to the credential.
*/
applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER;
break;
case KAUTH_WKG_GROUP:
- applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
+ if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN))
+ applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY);
+ else
+ applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP;
break;
/* we short-circuit these here rather than wasting time calling the group membership code */
case KAUTH_WKG_EVERYBODY:
default:
/* check to see whether it's exactly us, or a group we are a member of */
- applies = kauth_guid_equal(&guid, &ace->ace_applicable);
+ applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable);
KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched",
K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not ");
if (!applies) {
- error = kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
+ error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies);
/*
* If we can't resolve group membership, we have to limit misbehaviour.
* If the ACE is an 'allow' ACE, assume the cred is not a member (avoid
kauth_acl_t inherit, result;
/*
- * Fetch the ACL from the directory. This should never fail. Note that we don't
- * manage inheritance when the remote server is doing authorization; we just
- * want to compose the umask-ACL and any initial ACL.
+ * Fetch the ACL from the directory. This should never fail.
+ * Note that we don't manage inheritance when the remote server is
+ * doing authorization, since this means server enforcement of
+ * inheritance semantics; we just want to compose the initial
+ * ACL and any inherited ACE entries from the container object.
+ *
+ * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process.
*/
inherit = NULL;
- if ((dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
+ /*
+ * If there is no initial ACL, or there is, and the initial ACLs
+ * flags do not request "no inheritance", then we inherit. This allows
+ * initial object creation via open_extended() and mkdir_extended()
+ * to reject inheritance for themselves and for inferior nodes by
+ * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT
+ * flag set in the flags field.
+ */
+ if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) &&
+ (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) {
VATTR_INIT(&dva);
VATTR_WANTED(&dva, va_acl);
if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) {
KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance");
return(error);
}
- if (VATTR_IS_SUPPORTED(&dva, va_acl))
+ if (VATTR_IS_SUPPORTED(&dva, va_acl)) {
inherit = dva.va_acl;
+ /*
+ * If there is an ACL on the parent directory, then
+ * there are potentially inheritable ACE entries, but
+ * if the flags on the directory ACL say not to
+ * inherit, then we don't inherit. This allows for
+ * per directory rerooting of the inheritable ACL
+ * hierarchy.
+ */
+ if (inherit != NULL && inherit->acl_flags & KAUTH_ACL_NO_INHERIT) {
+ kauth_acl_free(inherit);
+ inherit = NULL;
+ }
+ }
}
/*
- * Compute the number of entries in the result ACL by scanning the input lists.
+ * Compute the number of entries in the result ACL by scanning the
+ * input lists.
*/
entries = 0;
if (inherit != NULL) {
}
if (initial == NULL) {
- /* XXX 3634665 TODO: fetch umask ACL from the process, set in initial */
+ /*
+ * XXX 3634665 TODO: if the initial ACL is not specfied by
+ * XXX the caller, fetch the umask ACL from the process,
+ * and use it in place of "initial".
+ */
}
if (initial != NULL) {
- entries += initial->acl_entrycount;
+ if (initial->acl_entrycount != KAUTH_FILESEC_NOACL)
+ entries += initial->acl_entrycount;
+ else
+ initial = NULL;
}
/*
* If there is no initial ACL, and no inheritable entries, the
- * object should have no ACL at all.
+ * object should be created with no ACL at all.
* Note that this differs from the case where the initial ACL
* is empty, in which case the object must also have an empty ACL.
*/
* Allocate the result buffer.
*/
if ((result = kauth_acl_alloc(entries)) == NULL) {
- KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL");
+ KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries);
error = ENOMEM;
goto out;
}
/*
* Composition is simply:
- * - initial
- * - inherited
+ * - initial direct ACEs
+ * - inherited ACEs from new parent
*/
index = 0;
if (initial != NULL) {
- for (i = 0; i < initial->acl_entrycount; i++)
- result->acl_ace[index++] = initial->acl_ace[i];
- KAUTH_DEBUG(" INHERIT - applied %d initial entries", index);
+ for (i = 0; i < initial->acl_entrycount; i++) {
+ if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) {
+ result->acl_ace[index++] = initial->acl_ace[i];
+ }
+ }
+ KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount);
}
if (inherit != NULL) {
for (i = 0; i < inherit->acl_entrycount; i++) {
- /* inherit onto this object? */
+ /*
+ * Inherit onto this object? We inherit only if
+ * the target object is a container object and the
+ * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if
+ * if the target object is not a container, and
+ * the KAUTH_ACE_FILE_INHERIT bit is set.
+ */
if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) {
result->acl_ace[index] = inherit->acl_ace[i];
result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED;
- /* don't re-inherit? */
- if (result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT)
+ result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT;
+ /*
+ * We do not re-inherit inheritance flags
+ * if the ACE from the container has a
+ * KAUTH_ACE_LIMIT_INHERIT, OR if the new
+ * object is not itself a container (since
+ * inheritance is always container-based).
+ */
+ if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) {
result->acl_ace[index].ace_flags &=
- ~(KAUTH_ACE_DIRECTORY_INHERIT | KAUTH_ACE_FILE_INHERIT | KAUTH_ACE_LIMIT_INHERIT);
+ ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS);
+ }
index++;
}
}
/*
* Optimistically copy in a kauth_filesec structure
+ *
* Parameters: xsecurity user space kauth_filesec_t
- * xsecdstpp pointer to kauth_filesec_t
+ * xsecdstpp pointer to kauth_filesec_t to be
+ * modified to contain the contain a
+ * pointer to an allocated copy of the
+ * user space argument
+ *
+ * Returns: 0 Success
+ * ENOMEM Insufficient memory for the copy.
+ * EINVAL The user space data was invalid, or
+ * there were too many ACE entries.
+ * EFAULT The user space address was invalid;
+ * this may mean 'fsec_entrycount' in
+ * the user copy is corrupt/incorrect.
+ *
+ * Implicit returns: xsecdestpp, modified (only if successful!)
+ *
+ * Notes: The returned kauth_filesec_t is in host byte order
*
- * Returns: 0 on success, EINVAL or EFAULT depending on failure mode.
- * Modifies: xsecdestpp, which contains a pointer to an allocated
- * and copied-in kauth_filesec_t
+ * The caller is responsible for freeing the returned
+ * kauth_filesec_t in the success case using the function
+ * kauth_filesec_free()
+ *
+ * Our largest initial guess is 32; this needs to move to
+ * a manifest constant in <sys/kauth.h>.
*/
-
int
kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp)
{
* The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The
* value here is fairly arbitrary. It's ok to have a zero count.
*/
- known_bound = xsecurity + sizeof(struct kauth_filesec);
+ known_bound = xsecurity + KAUTH_FILESEC_SIZE(0);
uaddr = mach_vm_round_page(known_bound);
count = (uaddr - known_bound) / sizeof(struct kauth_ace);
if (count > 32)
if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) &&
(fsec->fsec_entrycount > count)) {
if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) {
+ /* XXX This should be E2BIG */
error = EINVAL;
goto out;
}
kauth_filesec_free(fsec);
} else {
*xsecdestpp = fsec;
+ AUDIT_ARG(opaque, fsec, copysize);
}
return(error);
}
/*
- * Allocate a filesec structure.
+ * Allocate a block of memory containing a filesec structure, immediately
+ * followed by 'count' kauth_ace structures.
+ *
+ * Parameters: count Number of kauth_ace structures needed
+ *
+ * Returns: !NULL A pointer to the allocated block
+ * NULL Invalid 'count' or insufficient memory
+ *
+ * Notes: Returned memory area assumes that the structures are packed
+ * densely, so this function may only be used by code that also
+ * assumes no padding following structures.
+ *
+ * The returned structure must be freed by the caller using the
+ * function kauth_filesec_free(), in case we decide to use an
+ * allocation mechanism that is aware of the object size at some
+ * point, since the object size is only available by introspecting
+ * the object itself.
*/
kauth_filesec_t
kauth_filesec_alloc(int count)
return(fsp);
}
+/*
+ * Free a kauth_filesec_t that was previous allocated, either by a direct
+ * call to kauth_filesec_alloc() or by calling a function that calls it.
+ *
+ * Parameters: fsp kauth_filesec_t to free
+ *
+ * Returns: (void)
+ *
+ * Notes: The kauth_filesec_t to be freed is assumed to be in host
+ * byte order so that this function can introspect it in the
+ * future to determine its size, if necesssary.
+ */
void
kauth_filesec_free(kauth_filesec_t fsp)
{
FREE(fsp, M_KAUTH);
}
+/*
+ * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the
+ * ACL interior to 'fsec' instead. If the endianness doesn't change, then
+ * this function will have no effect.
+ *
+ * Parameters: kendian The endianness to set; this is either
+ * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK.
+ * fsec The filesec to convert.
+ * acl The ACL to convert (optional)
+ *
+ * Returns: (void)
+ *
+ * Notes: We use ntohl() because it has a transitive property on Intel
+ * machines and no effect on PPC mancines. This guarantees us
+ * that the swapping only occurs if the endiannes is wrong.
+ */
+void
+kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl)
+{
+ uint32_t compare_magic = KAUTH_FILESEC_MAGIC;
+ uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC);
+ uint32_t compare_acl_entrycount;
+ uint32_t i;
+
+ if (compare_magic == invert_magic)
+ return;
+
+ /* If no ACL, use ACL interior to 'fsec' instead */
+ if (acl == NULL)
+ acl = &fsec->fsec_acl;
+
+ compare_acl_entrycount = acl->acl_entrycount;
+
+ /*
+ * Only convert what needs to be converted, and only if the arguments
+ * are valid. The following switch and tests effectively reject
+ * conversions on invalid magic numbers as a desirable side effect.
+ */
+ switch(kendian) {
+ case KAUTH_ENDIAN_HOST: /* not in host, convert to host */
+ if (fsec->fsec_magic != invert_magic)
+ return;
+ /* acl_entrycount is byteswapped */
+ compare_acl_entrycount = ntohl(acl->acl_entrycount);
+ break;
+ case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */
+ if (fsec->fsec_magic != compare_magic)
+ return;
+ break;
+ default: /* bad argument */
+ return;
+ }
+
+ /* We are go for conversion */
+ fsec->fsec_magic = ntohl(fsec->fsec_magic);
+ acl->acl_entrycount = ntohl(acl->acl_entrycount);
+ if (compare_acl_entrycount != KAUTH_FILESEC_NOACL) {
+ acl->acl_flags = ntohl(acl->acl_flags);
+
+ /* swap ACE rights and flags */
+ for (i = 0; i < compare_acl_entrycount; i++) {
+ acl->acl_ace[i].ace_flags = ntohl(acl->acl_ace[i].ace_flags);
+ acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights);
+ }
+ }
+ }
+
/*
* Allocate an ACL buffer.