- * Copyright (c) 2004-2010 Apple Inc. All rights reserved.
+ * Copyright (c) 2004-2011 Apple Inc. All rights reserved.
#include <sys/malloc.h>
#include <sys/kauth.h>
#include <sys/kernel.h>
+#include <sys/sdt.h>
#include <security/audit/audit.h>
#include <sys/mount.h>
#include <sys/stat.h> /* For manifest constants in posix_cred_access */
#include <sys/sysproto.h>
-#include <sys/kern_callout.h>
#include <mach/message.h>
#include <mach/host_security.h>
-/* mach_absolute_time() */
-#include <mach/clock_types.h>
-#include <mach/mach_types.h>
-#include <mach/mach_time.h>
#include <libkern/OSAtomic.h>
#include <kern/task.h>
#include <security/mac.h>
#include <security/mac_framework.h>
+#include <security/_label.h>
void mach_kauth_cred_uthread_update( void );
# define NULLCRED_CHECK(_c) do {if (!IS_VALID_CRED(_c)) panic("%s: bad credential %p", __FUNCTION__,_c);} while(0)
+/* Set to 1 to turn on KAUTH_DEBUG for kern_credential.c */
+#if 0
+#ifdef K_UUID_FMT
+#undef K_UUID_FMT
+#ifdef K_UUID_ARG
+#undef K_UUID_ARG
+# define K_UUID_FMT "%08x:%08x:%08x:%08x"
+# define K_UUID_ARG(_u) *(int *)&_u.g_guid[0],*(int *)&_u.g_guid[4],*(int *)&_u.g_guid[8],*(int *)&_u.g_guid[12]
+# define KAUTH_DEBUG(fmt, args...) do { printf("%s:%d: " fmt "\n", __PRETTY_FUNCTION__, __LINE__ , ##args); } while (0)
* Credential debugging; we can track entry into a function that might
* change a credential, and we can track actual credential changes that
#endif /* !DEBUG_CRED */
* Interface to external identity resolver.
#define KAUTH_RESOLVER_UNLOCK() lck_mtx_unlock(kauth_resolver_mtx);
static volatile pid_t kauth_resolver_identity;
+static int kauth_identitysvc_has_registered;
static int kauth_resolver_registered;
static uint32_t kauth_resolver_sequence;
static int kauth_resolver_timeout = 30; /* default: 30 seconds */
struct kauth_identity_extlookup kr_work;
uint64_t kr_extend;
uint32_t kr_seqno;
- uint64_t kr_subtime; /* submission time */
int kr_refs;
int kr_flags;
TAILQ_HEAD(kauth_resolver_submitted_head, kauth_resolver_work) kauth_resolver_submitted;
TAILQ_HEAD(kauth_resolver_done_head, kauth_resolver_work) kauth_resolver_done;
+/* Number of resolver timeouts between logged complaints */
+int kauth_resolver_timeout_cnt = 0;
static int kauth_resolver_submit(struct kauth_identity_extlookup *lkp, uint64_t extend_data);
static int kauth_resolver_complete(user_addr_t message);
static int kauth_resolver_getwork(user_addr_t message);
static int kauth_resolver_getwork2(user_addr_t message);
+static __attribute__((noinline)) int __KERNEL_IS_WAITING_ON_EXTERNAL_CREDENTIAL_RESOLVER__(
+ struct kauth_resolver_work *);
+#define KAUTH_CACHES_MAX_SIZE 10000 /* Max # entries for both groups and id caches */
+struct kauth_identity {
+ TAILQ_ENTRY(kauth_identity) ki_link;
+ int ki_valid;
+ uid_t ki_uid;
+ gid_t ki_gid;
+ int ki_supgrpcnt;
+ gid_t ki_supgrps[NGROUPS];
+ guid_t ki_guid;
+ ntsid_t ki_ntsid;
+ const char *ki_name; /* string name from string cache */
+ /*
+ * Expiry times are the earliest time at which we will disregard the
+ * cached state and go to userland. Before then if the valid bit is
+ * set, we will return the cached value. If it's not set, we will
+ * not go to userland to resolve, just assume that there is no answer
+ * available.
+ */
+ time_t ki_groups_expiry;
+ time_t ki_guid_expiry;
+ time_t ki_ntsid_expiry;
+static TAILQ_HEAD(kauth_identity_head, kauth_identity) kauth_identities;
+static lck_mtx_t *kauth_identity_mtx;
+#define KAUTH_IDENTITY_LOCK() lck_mtx_lock(kauth_identity_mtx);
+#define KAUTH_IDENTITY_UNLOCK() lck_mtx_unlock(kauth_identity_mtx);
+#define KAUTH_IDENTITY_CACHEMAX_DEFAULT 100 /* XXX default sizing? */
+static int kauth_identity_cachemax = KAUTH_IDENTITY_CACHEMAX_DEFAULT;
+static int kauth_identity_count;
+static struct kauth_identity *kauth_identity_alloc(uid_t uid, gid_t gid, guid_t *guidp, time_t guid_expiry,
+ ntsid_t *ntsidp, time_t ntsid_expiry, int supgrpcnt, gid_t *supgrps, time_t groups_expiry,
+ const char *name, int nametype);
+static void kauth_identity_register_and_free(struct kauth_identity *kip);
+static void kauth_identity_updatecache(struct kauth_identity_extlookup *elp, struct kauth_identity *kip, uint64_t extend_data);
+static void kauth_identity_trimcache(int newsize);
+static void kauth_identity_lru(struct kauth_identity *kip);
+static int kauth_identity_guid_expired(struct kauth_identity *kip);
+static int kauth_identity_ntsid_expired(struct kauth_identity *kip);
+static int kauth_identity_find_uid(uid_t uid, struct kauth_identity *kir, char *getname);
+static int kauth_identity_find_gid(gid_t gid, struct kauth_identity *kir, char *getname);
+static int kauth_identity_find_guid(guid_t *guidp, struct kauth_identity *kir, char *getname);
+static int kauth_identity_find_ntsid(ntsid_t *ntsid, struct kauth_identity *kir, char *getname);
+static int kauth_identity_find_nam(char *name, int valid, struct kauth_identity *kir);
+struct kauth_group_membership {
+ TAILQ_ENTRY(kauth_group_membership) gm_link;
+ uid_t gm_uid; /* the identity whose membership we're recording */
+ gid_t gm_gid; /* group of which they are a member */
+ time_t gm_expiry; /* TTL for the membership, or 0 for persistent entries */
+ int gm_flags;
+#define KAUTH_GROUP_ISMEMBER (1<<0)
+TAILQ_HEAD(kauth_groups_head, kauth_group_membership) kauth_groups;
+static lck_mtx_t *kauth_groups_mtx;
+#define KAUTH_GROUPS_LOCK() lck_mtx_lock(kauth_groups_mtx);
+#define KAUTH_GROUPS_UNLOCK() lck_mtx_unlock(kauth_groups_mtx);
+#define KAUTH_GROUPS_CACHEMAX_DEFAULT 100 /* XXX default sizing? */
+static int kauth_groups_cachemax = KAUTH_GROUPS_CACHEMAX_DEFAULT;
+static int kauth_groups_count;
+static int kauth_groups_expired(struct kauth_group_membership *gm);
+static void kauth_groups_lru(struct kauth_group_membership *gm);
+static void kauth_groups_updatecache(struct kauth_identity_extlookup *el);
+static void kauth_groups_trimcache(int newsize);
static const int kauth_cred_primes[KAUTH_CRED_PRIMES_COUNT] = KAUTH_CRED_PRIMES;
static int kauth_cred_primes_index = 0;
TAILQ_HEAD(kauth_cred_entry_head, ucred);
static struct kauth_cred_entry_head * kauth_cred_table_anchor = NULL;
-/* Weighted moving average for resolver response time */
-static struct kco_moving_average resolver_ma;
static int kauth_cred_add(kauth_cred_t new_cred);
-static void kauth_cred_remove(kauth_cred_t cred);
+static boolean_t kauth_cred_remove(kauth_cred_t cred);
static inline u_long kauth_cred_hash(const uint8_t *datap, int data_len, u_long start_key);
static u_long kauth_cred_get_hashkey(kauth_cred_t cred);
static kauth_cred_t kauth_cred_update(kauth_cred_t old_cred, kauth_cred_t new_cred, boolean_t retain_auditinfo);
-static void kauth_cred_unref_hashlocked(kauth_cred_t *credp);
+static boolean_t kauth_cred_unref_hashlocked(kauth_cred_t *credp);
static int kauth_cred_count = 0;
static void kauth_cred_print(kauth_cred_t cred);
+ *
+ * Description: Waits for the user space daemon to respond to the request
+ * we made. Function declared non inline to be visible in
+ * stackshots and spindumps as well as debugging.
+ *
+ * Parameters: workp Work queue entry.
+ *
+ * Returns: 0 on Success.
+ * EIO if Resolver is dead.
+ * EINTR thread interrupted in msleep
+ * EWOULDBLOCK thread timed out in msleep
+ * ERESTART returned by msleep.
+ *
+ */
+static __attribute__((noinline)) int
+ struct kauth_resolver_work *workp)
+ int error = 0;
+ struct timespec ts;
+ for (;;) {
+ /* we could compute a better timeout here */
+ ts.tv_sec = kauth_resolver_timeout;
+ ts.tv_nsec = 0;
+ error = msleep(workp, kauth_resolver_mtx, PCATCH, "kr_submit", &ts);
+ /* request has been completed? */
+ if ((error == 0) && (workp->kr_flags & KAUTH_REQUEST_DONE))
+ break;
+ /* woken because the resolver has died? */
+ if (kauth_resolver_identity == 0) {
+ error = EIO;
+ break;
+ }
+ /* an error? */
+ if (error != 0)
+ break;
+ }
+ return error;
* kauth_resolver_init
* Returns: (void)
- * Notes: Intialize the credential identity resolver for use; the
+ * Notes: Initialize the credential identity resolver for use; the
* credential identity resolver is the KPI used by the user
* space credential identity resolver daemon to communicate
* with the kernel via the identitysvc() system call..
kauth_resolver_sequence = 31337;
kauth_resolver_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0/*LCK_ATTR_NULL*/);
- /*
- * 110% of average response time is "too long" and should be reported
- */
- kco_ma_init(&resolver_ma, 110, KCO_MA_F_WMA);
struct kauth_resolver_work *workp, *killp;
struct timespec ts;
int error, shouldfree;
- uint64_t duration;
/* no point actually blocking if the resolver isn't up yet */
if (kauth_resolver_identity == 0) {
workp->kr_work.el_result = KAUTH_EXTLOOKUP_INPROG;
- * XXX We *MUST NOT* attempt to coelesce identical work items due to
+ * XXX We *MUST NOT* attempt to coalesce identical work items due to
* XXX the inability to ensure order of update of the request item
* XXX extended data vs. the wakeup; instead, we let whoever is waiting
* XXX for each item repeat the update when they wake up.
* Wake up an external resolver thread to deal with the new work; one
- * may not be available, and if not, then the request will be grabed
+ * may not be available, and if not, then the request will be grabbed
* when a resolver thread comes back into the kernel to request new
* work.
- for (;;) {
- /* we could compute a better timeout here */
- ts.tv_sec = kauth_resolver_timeout;
- ts.tv_nsec = 0;
- error = msleep(workp, kauth_resolver_mtx, PCATCH, "kr_submit", &ts);
- /* request has been completed? */
- if ((error == 0) && (workp->kr_flags & KAUTH_REQUEST_DONE))
- break;
- /* woken because the resolver has died? */
- if (kauth_resolver_identity == 0) {
- error = EIO;
- break;
- }
- /* an error? */
- if (error != 0)
- break;
- }
- /*
- * Update the moving average of how long the request took; if it
- * took longer than the time threshold, then we complain about it
- * being slow.
- */
- duration = mach_absolute_time() - workp->kr_subtime;
- if (kco_ma_addsample(&resolver_ma, duration)) {
- uint64_t average;
- uint64_t old_average;
- int32_t threshold;
- int count;
- /* If we can't get information, don't log anything */
- if (kco_ma_info(&resolver_ma, KCO_MA_F_WMA, &average, &old_average, &threshold, &count)) {
- char pname[MAXCOMLEN+1] = "(NULL)";
- proc_name(kauth_resolver_identity, pname, sizeof(pname));
- // <rdar://6276265> printf("kauth_resolver_submit: External resolver pid %d (name %s) response time %lld, average %lld new %lld threshold %d%% actual %d%% count %d\n", kauth_resolver_identity, pname, duration, old_average, average, threshold, (int)((duration * 100) / old_average), count);
- }
- }
/* if the request was processed, copy the result */
if (error == 0)
*lkp = workp->kr_work;
- /*
- * If the request timed out and was never collected, the resolver
- * is dead and probably not coming back anytime soon. In this
- * case we revert to no-resolver behaviour, and punt all the other
- * sleeping requests to clear the backlog.
- */
- if ((error == EWOULDBLOCK) && (workp->kr_flags & KAUTH_REQUEST_UNSUBMITTED)) {
- KAUTH_DEBUG("RESOLVER - request timed out without being collected for processing, resolver dead");
- /*
- * Make the current resolver non-authoritative, and mark it as
- * no longer registered to prevent kauth_cred_ismember_gid()
- * enqueueing more work until a new one is registered. This
- * mitigates the damage a crashing resolver may inflict.
- */
- kauth_resolver_identity = 0;
- kauth_resolver_registered = 0;
+ if (error == EWOULDBLOCK) {
+ if ((kauth_resolver_timeout_cnt++ % KAUTH_COMPLAINT_INTERVAL) == 0) {
+ printf("kauth external resolver timed out (%d timeout(s) of %d seconds).\n",
+ kauth_resolver_timeout_cnt, kauth_resolver_timeout);
+ }
+ if (workp->kr_flags & KAUTH_REQUEST_UNSUBMITTED) {
+ /*
+ * If the request timed out and was never collected, the resolver
+ * is dead and probably not coming back anytime soon. In this
+ * case we revert to no-resolver behaviour, and punt all the other
+ * sleeping requests to clear the backlog.
+ */
+ KAUTH_DEBUG("RESOLVER - request timed out without being collected for processing, resolver dead");
+ /*
+ * Make the current resolver non-authoritative, and mark it as
+ * no longer registered to prevent kauth_cred_ismember_gid()
+ * enqueueing more work until a new one is registered. This
+ * mitigates the damage a crashing resolver may inflict.
+ */
+ kauth_resolver_identity = 0;
+ kauth_resolver_registered = 0;
+ /* kill all the other requestes that are waiting as well */
+ TAILQ_FOREACH(killp, &kauth_resolver_submitted, kr_link)
+ wakeup(killp);
+ TAILQ_FOREACH(killp, &kauth_resolver_unsubmitted, kr_link)
+ wakeup(killp);
+ /* Cause all waiting-for-work threads to return EIO */
+ wakeup((caddr_t)&kauth_resolver_unsubmitted);
+ }
+ }
- /* kill all the other requestes that are waiting as well */
- TAILQ_FOREACH(killp, &kauth_resolver_submitted, kr_link)
- wakeup(killp);
- TAILQ_FOREACH(killp, &kauth_resolver_unsubmitted, kr_link)
- wakeup(killp);
- /* Cause all waiting-for-work threads to return EIO */
- wakeup((caddr_t)&kauth_resolver_unsubmitted);
- }
* drop our reference on the work item, and note whether we should
* free it or not
int opcode = uap->opcode;
user_addr_t message = uap->message;
struct kauth_resolver_work *workp;
+ struct kauth_cache_sizes sz_arg;
int error;
pid_t new_id;
kauth_resolver_identity = new_id;
kauth_resolver_registered = 1;
+ kauth_identitysvc_has_registered = 1;
KAUTH_DEBUG("RESOLVER - call from bogus resolver %d\n", current_proc()->p_pid);
+ if (opcode == KAUTH_GET_CACHE_SIZES) {
+ sz_arg.kcs_id_size = kauth_identity_cachemax;
+ sz_arg.kcs_group_size = kauth_groups_cachemax;
+ if ((error = copyout(&sz_arg, uap->message, sizeof (sz_arg))) != 0) {
+ return (error);
+ }
+ return (0);
+ } else if (opcode == KAUTH_SET_CACHE_SIZES) {
+ if ((error = copyin(uap->message, &sz_arg, sizeof (sz_arg))) != 0) {
+ return (error);
+ }
+ if ((sz_arg.kcs_group_size > KAUTH_CACHES_MAX_SIZE) ||
+ (sz_arg.kcs_id_size > KAUTH_CACHES_MAX_SIZE)) {
+ return (EINVAL);
+ }
+ kauth_identity_cachemax = sz_arg.kcs_id_size;
+ kauth_identity_trimcache(kauth_identity_cachemax);
+ kauth_groups_cachemax = sz_arg.kcs_group_size;
+ kauth_groups_trimcache(kauth_groups_cachemax);
+ return (0);
+ } else if (opcode == KAUTH_CLEAR_CACHES) {
+ kauth_identity_trimcache(0);
+ kauth_groups_trimcache(0);
+ } else if (opcode == KAUTH_EXTLOOKUP_DEREGISTER) {
* Terminate outstanding requests; without an authoritative
* resolver, we are now back on our own authority.
thread = current_thread();
ut = get_bsdthread_info(thread);
- message = ut->uu_kauth.message;
+ message = ut->uu_kevent.uu_kauth.message;
* EFAULT Bad user space message address
* Notes: This common function exists to permit the use of continuations
- * in the identity resoultion process. This frees up the stack
+ * in the identity resolution process. This frees up the stack
* while we are waiting for the user space resolver to complete
* a request. This is specifically used so that our per thread
* cost can be small, and we will therefore be willing to run a
TAILQ_REMOVE(&kauth_resolver_unsubmitted, workp, kr_link);
workp->kr_flags &= ~KAUTH_REQUEST_UNSUBMITTED;
workp->kr_flags |= KAUTH_REQUEST_SUBMITTED;
- workp->kr_subtime = mach_absolute_time();
TAILQ_INSERT_TAIL(&kauth_resolver_submitted, workp, kr_link);
* identity resolution daemon makes a request for work. This
* permits a large number of threads to be used by the daemon,
* without using a lot of wired kernel memory when there are no
- * acctual request outstanding.
+ * actual request outstanding.
static int
kauth_resolver_getwork(user_addr_t message)
thread_t thread = current_thread();
struct uthread *ut = get_bsdthread_info(thread);
- ut->uu_kauth.message = message;
+ ut->uu_kevent.uu_kauth.message = message;
error = msleep0(&kauth_resolver_unsubmitted, kauth_resolver_mtx, PCATCH, "GRGetWork", 0, kauth_resolver_getwork_continue);
* Identity cache.
-struct kauth_identity {
- TAILQ_ENTRY(kauth_identity) ki_link;
- int ki_valid;
#define KI_VALID_UID (1<<0) /* UID and GID are mutually exclusive */
#define KI_VALID_GID (1<<1)
#define KI_VALID_GUID (1<<2)
#define KI_VALID_NTSID (1<<3)
#define KI_VALID_PWNAM (1<<4) /* Used for translation */
#define KI_VALID_GRNAM (1<<5) /* Used for translation */
- uid_t ki_uid;
- gid_t ki_gid;
- guid_t ki_guid;
- ntsid_t ki_ntsid;
- const char *ki_name; /* string name from string cache */
- /*
- * Expiry times are the earliest time at which we will disregard the
- * cached state and go to userland. Before then if the valid bit is
- * set, we will return the cached value. If it's not set, we will
- * not go to userland to resolve, just assume that there is no answer
- * available.
- */
- time_t ki_guid_expiry;
- time_t ki_ntsid_expiry;
-static TAILQ_HEAD(kauth_identity_head, kauth_identity) kauth_identities;
-#define KAUTH_IDENTITY_CACHEMAX 100 /* XXX sizing? */
-static int kauth_identity_count;
-static lck_mtx_t *kauth_identity_mtx;
-#define KAUTH_IDENTITY_LOCK() lck_mtx_lock(kauth_identity_mtx);
-#define KAUTH_IDENTITY_UNLOCK() lck_mtx_unlock(kauth_identity_mtx);
-static struct kauth_identity *kauth_identity_alloc(uid_t uid, gid_t gid, guid_t *guidp, time_t guid_expiry,
- ntsid_t *ntsidp, time_t ntsid_expiry, const char *name, int nametype);
-static void kauth_identity_register_and_free(struct kauth_identity *kip);
-static void kauth_identity_updatecache(struct kauth_identity_extlookup *elp, struct kauth_identity *kip, uint64_t extend_data);
-static void kauth_identity_lru(struct kauth_identity *kip);
-static int kauth_identity_guid_expired(struct kauth_identity *kip);
-static int kauth_identity_ntsid_expired(struct kauth_identity *kip);
-static int kauth_identity_find_uid(uid_t uid, struct kauth_identity *kir, char *getname);
-static int kauth_identity_find_gid(gid_t gid, struct kauth_identity *kir, char *getname);
-static int kauth_identity_find_guid(guid_t *guidp, struct kauth_identity *kir, char *getname);
-static int kauth_identity_find_ntsid(ntsid_t *ntsid, struct kauth_identity *kir, char *getname);
-static int kauth_identity_find_nam(char *name, int valid, struct kauth_identity *kir);
+#define KI_VALID_GROUPS (1<<6)
* kauth_identity_init
* Returns: (void)
- * Notes: Intialize the credential identity resolver for use; the
+ * Notes: Initialize the credential identity resolver for use; the
* credential identity resolver is the KPI used to communicate
* with a user space credential identity resolver daemon.
* Returns: NULL Insufficient memory to satisfy
* the request
- * !NULL A pointer to the applocated
+ * !NULL A pointer to the allocated
* structure, filled in
* Notes: It is illegal to translate between UID and GID; any given UUID
* and *either* a UID *or* a GID, but not both.
static struct kauth_identity *
-kauth_identity_alloc(uid_t uid, gid_t gid, guid_t *guidp, time_t guid_expiry, ntsid_t *ntsidp, time_t ntsid_expiry, const char *name, int nametype)
+kauth_identity_alloc(uid_t uid, gid_t gid, guid_t *guidp, time_t guid_expiry,
+ ntsid_t *ntsidp, time_t ntsid_expiry, int supgrpcnt, gid_t *supgrps, time_t groups_expiry,
+ const char *name, int nametype)
struct kauth_identity *kip;
kip->ki_uid = uid;
kip->ki_valid = KI_VALID_UID;
+ if (supgrpcnt) {
+ assert(supgrpcnt <= NGROUPS);
+ assert(supgrps != NULL);
+ if (kip->ki_valid & KI_VALID_GID)
+ panic("can't allocate kauth identity with both gid and supplementary groups");
+ kip->ki_supgrpcnt = supgrpcnt;
+ memcpy(kip->ki_supgrps, supgrps, sizeof(supgrps[0]) * supgrpcnt);
+ kip->ki_valid |= KI_VALID_GROUPS;
+ }
+ kip->ki_groups_expiry = groups_expiry;
if (guidp != NULL) {
kip->ki_guid = *guidp;
kip->ki_valid |= KI_VALID_GUID;
* if it pushes us over our limit, discard the oldest one.
TAILQ_INSERT_HEAD(&kauth_identities, kip, ki_link);
- if (++kauth_identity_count > KAUTH_IDENTITY_CACHEMAX) {
+ if (++kauth_identity_count > kauth_identity_cachemax) {
ip = TAILQ_LAST(&kauth_identities, kauth_identity_head);
TAILQ_REMOVE(&kauth_identities, ip, ki_link);
TAILQ_FOREACH(kip, &kauth_identities, ki_link) {
/* matching record */
if ((kip->ki_valid & KI_VALID_UID) && (kip->ki_uid == elp->el_uid)) {
+ if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) {
+ assert(elp->el_sup_grp_cnt <= NGROUPS);
+ kip->ki_supgrpcnt = elp->el_sup_grp_cnt;
+ memcpy(kip->ki_supgrps, elp->el_sup_groups, sizeof(elp->el_sup_groups[0]) * kip->ki_supgrpcnt);
+ kip->ki_valid |= KI_VALID_GROUPS;
+ kip->ki_groups_expiry = (elp->el_member_valid) ? tv.tv_sec + elp->el_member_valid : 0;
+ }
if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_UGUID) {
kip->ki_guid = elp->el_uguid;
kip->ki_valid |= KI_VALID_GUID;
- kip->ki_guid_expiry = tv.tv_sec + elp->el_uguid_valid;
+ kip->ki_guid_expiry = (elp->el_uguid_valid) ? tv.tv_sec + elp->el_uguid_valid : 0;
if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_USID) {
kip->ki_ntsid = elp->el_usid;
kip->ki_valid |= KI_VALID_NTSID;
- kip->ki_ntsid_expiry = tv.tv_sec + elp->el_usid_valid;
+ kip->ki_ntsid_expiry = (elp->el_usid_valid) ? tv.tv_sec + elp->el_usid_valid : 0;
if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_PWNAM) {
const char *oname = kip->ki_name;
kip->ki_name = speculative_name;
if (kip == NULL) {
kip = kauth_identity_alloc(elp->el_uid, KAUTH_GID_NONE,
(elp->el_flags & KAUTH_EXTLOOKUP_VALID_UGUID) ? &elp->el_uguid : NULL,
- tv.tv_sec + elp->el_uguid_valid,
+ (elp->el_uguid_valid) ? tv.tv_sec + elp->el_uguid_valid : 0,
(elp->el_flags & KAUTH_EXTLOOKUP_VALID_USID) ? &elp->el_usid : NULL,
- tv.tv_sec + elp->el_usid_valid,
+ (elp->el_usid_valid) ? tv.tv_sec + elp->el_usid_valid : 0,
+ (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_grp_cnt : 0,
+ (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_groups : NULL,
+ (elp->el_member_valid) ? tv.tv_sec + elp->el_member_valid : 0,
(elp->el_flags & KAUTH_EXTLOOKUP_VALID_PWNAM) ? speculative_name : NULL,
if (kip != NULL) {
kip->ki_guid = elp->el_gguid;
kip->ki_valid |= KI_VALID_GUID;
- kip->ki_guid_expiry = tv.tv_sec + elp->el_gguid_valid;
+ kip->ki_guid_expiry = (elp->el_gguid_valid) ? tv.tv_sec + elp->el_gguid_valid : 0;
if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GSID) {
kip->ki_ntsid = elp->el_gsid;
kip->ki_valid |= KI_VALID_NTSID;
- kip->ki_ntsid_expiry = tv.tv_sec + elp->el_gsid_valid;
+ kip->ki_ntsid_expiry = (elp->el_gsid_valid) ? tv.tv_sec + elp->el_gsid_valid : 0;
if (elp->el_flags & KAUTH_EXTLOOKUP_VALID_GRNAM) {
const char *oname = kip->ki_name;
kip->ki_name = speculative_name;
if (kip == NULL) {
kip = kauth_identity_alloc(KAUTH_UID_NONE, elp->el_gid,
(elp->el_flags & KAUTH_EXTLOOKUP_VALID_GGUID) ? &elp->el_gguid : NULL,
- tv.tv_sec + elp->el_gguid_valid,
+ (elp->el_gguid_valid) ? tv.tv_sec + elp->el_gguid_valid : 0,
(elp->el_flags & KAUTH_EXTLOOKUP_VALID_GSID) ? &elp->el_gsid : NULL,
- tv.tv_sec + elp->el_gsid_valid,
+ (elp->el_gsid_valid) ? tv.tv_sec + elp->el_gsid_valid : 0,
+ (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_grp_cnt : 0,
+ (elp->el_flags & KAUTH_EXTLOOKUP_VALID_SUPGRPS) ? elp->el_sup_groups : NULL,
+ (elp->el_member_valid) ? tv.tv_sec + elp->el_member_valid : 0,
(elp->el_flags & KAUTH_EXTLOOKUP_VALID_GRNAM) ? speculative_name : NULL,
if (kip != NULL) {
+ * Trim older entries from the identity cache.
+ *
+ * Must be called with the identity cache lock held.
+ */
+static void
+kauth_identity_trimcache(int newsize) {
+ struct kauth_identity *kip;
+ lck_mtx_assert(kauth_identity_mtx, LCK_MTX_ASSERT_OWNED);
+ while (kauth_identity_count > newsize) {
+ kip = TAILQ_LAST(&kauth_identities, kauth_identity_head);
+ TAILQ_REMOVE(&kauth_identities, kip, ki_link);
+ kauth_identity_count--;
+ FREE(kip, M_KAUTH);
+ }
* kauth_identity_lru
struct timeval tv;
+ /*
+ * Expiration time of 0 means this entry is persistent.
+ */
+ if (kip->ki_guid_expiry == 0)
+ return (0);
- KAUTH_DEBUG("CACHE - GUID expires @ %d now %d", kip->ki_guid_expiry, tv.tv_sec);
+ KAUTH_DEBUG("CACHE - GUID expires @ %ld now %ld", kip->ki_guid_expiry, tv.tv_sec);
return((kip->ki_guid_expiry <= tv.tv_sec) ? 1 : 0);
struct timeval tv;
+ /*
+ * Expiration time of 0 means this entry is persistent.
+ */
+ if (kip->ki_ntsid_expiry == 0)
+ return (0);
- KAUTH_DEBUG("CACHE - NTSID expires @ %d now %d", kip->ki_ntsid_expiry, tv.tv_sec);
+ KAUTH_DEBUG("CACHE - NTSID expires @ %ld now %ld", kip->ki_ntsid_expiry, tv.tv_sec);
return((kip->ki_ntsid_expiry <= tv.tv_sec) ? 1 : 0);
+ * kauth_identity_groups_expired
+ *
+ * Description: Handle lazy expiration of supplemental group translations.
+ *
+ * Parameters: kip kauth identity to check for
+ * groups expiration
+ *
+ * Returns: 1 Expired
+ * 0 Not expired
+ */
+static int
+kauth_identity_groups_expired(struct kauth_identity *kip)
+ struct timeval tv;
+ /*
+ * Expiration time of 0 means this entry is persistent.
+ */
+ if (kip->ki_groups_expiry == 0)
+ return (0);
+ microuptime(&tv);
+ KAUTH_DEBUG("CACHE - GROUPS expires @ %ld now %ld\n", kip->ki_groups_expiry, tv.tv_sec);
+ return((kip->ki_groups_expiry <= tv.tv_sec) ? 1 : 0);
* kauth_identity_find_uid
* Parameters: name Pointer to name to find
- * kir Pointer to return aread
+ * kir Pointer to return area
* Returns: 0 Found
* ENOENT Not found
return((kip == NULL) ? ENOENT : 0);
* Parameters: guid1 Pointer to first GUID
* guid2 Pointer to second GUID
- * Returns: 0 If GUIDs are inequal
+ * Returns: 0 If GUIDs are unequal
* !0 If GUIDs are equal
* Parameters: guid Pointer to GUID to check
- * Returns: KAUTH_WKG_NOT Not a wel known GUID
+ * Returns: KAUTH_WKG_NOT Not a well known GUID
* Description: Determine the equality of two NTSIDs (NT Security Identifiers)
- * Paramters: sid1 Pointer to first NTSID
+ * Parameters: sid1 Pointer to first NTSID
* sid2 Pointer to second NTSID
- * Returns: 0 If GUIDs are inequal
+ * Returns: 0 If GUIDs are unequal
* !0 If GUIDs are equal
* be done using it.
-static int kauth_cred_cache_lookup(int from, int to, void *src, void *dst);
+static int kauth_cred_cache_lookup(int from, int to, void *src, void *dst);
+ * If there's no resolver, short-circuit the kauth_cred_x2y() lookups.
+ */
+static __inline int
+kauth_cred_cache_lookup(__unused int from, __unused int to,
+ __unused void *src, __unused void *dst)
+ return (EWOULDBLOCK);
+ * Structure to hold supplemental groups. Used for impedance matching with
+ * kauth_cred_cache_lookup below.
+ */
+struct supgroups {
+ int *count;
+ gid_t *groups;
+ * kauth_cred_uid2groups
+ *
+ * Description: Fetch supplemental GROUPS from UID
+ *
+ * Parameters: uid UID to examine
+ * groups pointer to an array of gid_ts
+ * gcount pointer to the number of groups wanted/returned
+ *
+ * Returns: 0 Success
+ * kauth_cred_cache_lookup:EINVAL
+ *
+ * Implicit returns:
+ * *groups Modified, if successful
+ * *gcount Modified, if successful
+ *
+ */
+static int
+kauth_cred_uid2groups(uid_t *uid, gid_t *groups, int *gcount)
+ int rv;
+ struct supgroups supgroups;
+ supgroups.count = gcount;
+ supgroups.groups = groups;
+ rv = kauth_cred_cache_lookup(KI_VALID_UID, KI_VALID_GROUPS, uid, &supgroups);
+ return (rv);
* kauth_cred_guid2pwnam
* Returns: 0 Success
* EINVAL Unknown source identity type
static int
kauth_cred_cache_lookup(int from, int to, void *src, void *dst)
} else {
- /* do we have a translation? */
- if (ki.ki_valid & to) {
- /* found a valid cached entry, check expiry */
- switch(to) {
+ /* found a valid cached entry, check expiry */
+ switch(to) {
+ expired = kauth_identity_guid_expired;
+ break;
+ expired = kauth_identity_ntsid_expired;
+ break;
+ expired = kauth_identity_groups_expired;
+ break;
+ default:
+ switch(from) {
expired = kauth_identity_guid_expired;
expired = kauth_identity_ntsid_expired;
- switch(from) {
- expired = kauth_identity_guid_expired;
- break;
- expired = kauth_identity_ntsid_expired;
- break;
- default:
- expired = NULL;
- }
- }
- KAUTH_DEBUG("CACHE - found matching entry with valid 0x%08x", ki.ki_valid);
- /*
- * If no expiry function, or not expired, we have found
- * a hit.
- */
- if (!expired) {
- KAUTH_DEBUG("CACHE - no expiry function");
- goto found;
+ expired = NULL;
+ }
+ /*
+ * If no expiry function, or not expired, we have found
+ * a hit.
+ */
+ if (expired) {
if (!expired(&ki)) {
KAUTH_DEBUG("CACHE - entry valid, unexpired");
- goto found;
+ expired = NULL; /* must clear it is used as a flag */
+ } else {
+ /*
+ * We leave ki_valid set here; it contains a
+ * translation but the TTL has expired. If we can't
+ * get a result from the resolver, we will use it as
+ * a better-than nothing alternative.
+ */
+ KAUTH_DEBUG("CACHE - expired entry found");
- /*
- * We leave ki_valid set here; it contains a
- * translation but the TTL has expired. If we can't
- * get a result from the resolver, we will use it as
- * a better-than nothing alternative.
- */
- KAUTH_DEBUG("CACHE - expired entry found");
} else {
- /*
- * A guid can't both match a uid and a gid, so if we
- * found a cache entry while looking for one or the
- * other from a guid, the 'from' is KI_VALID_GUID,
- * and the 'to' is one, and the other one is valid,
- * then we immediately return ENOENT without calling
- * the resolver again.
- */
- if (from == KI_VALID_GUID &&
- (((ki.ki_valid & KI_VALID_UID) &&
- to == KI_VALID_GID) ||
- ((ki.ki_valid & KI_VALID_GID) &&
- to == KI_VALID_UID))) {
- return (ENOENT);
+ KAUTH_DEBUG("CACHE - no expiry function");
+ }
+ if (!expired) {
+ /* do we have a translation? */
+ if (ki.ki_valid & to) {
+ KAUTH_DEBUG("CACHE - found matching entry with valid 0x%08x", ki.ki_valid);
+ DTRACE_PROC4(kauth__identity__cache__hit, int, from, int, to, void *, src, void *, dst);
+ goto found;
+ } else {
+ /*
+ * GUIDs and NTSIDs map to either a UID or a GID, but not both.
+ * If we went looking for a translation from GUID or NTSID and
+ * found a translation that wasn't for our desired type, then
+ * don't bother calling the resolver. We know that this
+ * GUID/NTSID can't translate to our desired type.
+ */
+ switch(from) {
+ switch(to) {
+ case KI_VALID_GID:
+ if ((ki.ki_valid & KI_VALID_UID)) {
+ KAUTH_DEBUG("CACHE - unexpected entry 0x%08x & %x", ki.ki_valid, KI_VALID_GID);
+ return (ENOENT);
+ }
+ break;
+ case KI_VALID_UID:
+ if ((ki.ki_valid & KI_VALID_GID)) {
+ KAUTH_DEBUG("CACHE - unexpected entry 0x%08x & %x", ki.ki_valid, KI_VALID_UID);
+ return (ENOENT);
+ }
+ break;
+ }
+ break;
+ }
extend_data = CAST_USER_ADDR_T(dst);
+ if (to == KI_VALID_GROUPS) {
+ /* Expensive and only useful for an NFS client not using kerberos */
+ if (ki.ki_valid & KI_VALID_GROUPS) {
+ /*
+ * Copy the current supplemental groups for the resolver.
+ * The resolver should check these groups first and if
+ * the user (uid) is still a member it should endeavor to
+ * keep them in the list. Otherwise NFS clients could get
+ * changing access to server file system objects on each
+ * expiration.
+ */
+ el.el_sup_grp_cnt = ki.ki_supgrpcnt;
+ memcpy(el.el_sup_groups, ki.ki_supgrps, sizeof (el.el_sup_groups[0]) * ki.ki_supgrpcnt);
+ /* Let the resolver know these were the previous valid groups */
+ KAUTH_DEBUG("GROUPS: Sending previously valid GROUPS");
+ } else
+ KAUTH_DEBUG("GROUPS: no valid groups to send");
+ }
/* Call resolver */
KAUTH_DEBUG("CACHE - calling resolver for %x", el.el_flags);
+ DTRACE_PROC3(kauth__id__resolver__submitted, int, from, int, to, uintptr_t, src);
error = kauth_resolver_submit(&el, extend_data);
+ DTRACE_PROC2(kauth__id__resolver__returned, int, error, struct kauth_identity_extlookup *, &el)
KAUTH_DEBUG("CACHE - resolver returned %d", error);
/* was the external lookup successful? */
*(ntsid_t *)dst = ki.ki_ntsid;
+ struct supgroups *gp = (struct supgroups *)dst;
+ u_int32_t limit = ki.ki_supgrpcnt;
+ if (gp->count) {
+ limit = MIN(ki.ki_supgrpcnt, *gp->count);
+ *gp->count = limit;
+ }
+ memcpy(gp->groups, ki.ki_supgrps, sizeof(gid_t) * limit);
+ }
+ break;
/* handled in kauth_resolver_complete() */
* XXX the linked-list implementation here needs to be optimized.
-struct kauth_group_membership {
- TAILQ_ENTRY(kauth_group_membership) gm_link;
- uid_t gm_uid; /* the identity whose membership we're recording */
- gid_t gm_gid; /* group of which they are a member */
- time_t gm_expiry; /* TTL for the membership */
- int gm_flags;
-#define KAUTH_GROUP_ISMEMBER (1<<0)
-TAILQ_HEAD(kauth_groups_head, kauth_group_membership) kauth_groups;
-#define KAUTH_GROUPS_CACHEMAX 100 /* XXX sizing? */
-static int kauth_groups_count;
-static lck_mtx_t *kauth_groups_mtx;
-#define KAUTH_GROUPS_LOCK() lck_mtx_lock(kauth_groups_mtx);
-#define KAUTH_GROUPS_UNLOCK() lck_mtx_unlock(kauth_groups_mtx);
-static int kauth_groups_expired(struct kauth_group_membership *gm);
-static void kauth_groups_lru(struct kauth_group_membership *gm);
-static void kauth_groups_updatecache(struct kauth_identity_extlookup *el);
* kauth_groups_init
* Returns: (void)
- * Notes: Intialize the groups cache for use; the group cache is used
+ * Notes: Initialize the groups cache for use; the group cache is used
* to avoid unnecessary calls out to user space.
* This function is called from kauth_init() in the file
struct timeval tv;
+ /*
+ * Expiration time of 0 means this entry is persistent.
+ */
+ if (gm->gm_expiry == 0)
+ return (0);
return((gm->gm_expiry <= tv.tv_sec) ? 1 : 0);
} else {
gm->gm_flags &= ~KAUTH_GROUP_ISMEMBER;
- gm->gm_expiry = el->el_member_valid + tv.tv_sec;
+ gm->gm_expiry = (el->el_member_valid) ? el->el_member_valid + tv.tv_sec : 0;
} else {
gm->gm_flags &= ~KAUTH_GROUP_ISMEMBER;
- gm->gm_expiry = el->el_member_valid + tv.tv_sec;
+ gm->gm_expiry = (el->el_member_valid) ? el->el_member_valid + tv.tv_sec : 0;
TAILQ_INSERT_HEAD(&kauth_groups, gm, gm_link);
- if (kauth_groups_count++ > KAUTH_GROUPS_CACHEMAX) {
+ if (++kauth_groups_count > kauth_groups_cachemax) {
gm = TAILQ_LAST(&kauth_groups, kauth_groups_head);
TAILQ_REMOVE(&kauth_groups, gm, gm_link);
+ * Trim older entries from the group membership cache.
+ *
+ * Must be called with the group cache lock held.
+ */
+static void
+kauth_groups_trimcache(int new_size) {
+ struct kauth_group_membership *gm;
+ lck_mtx_assert(kauth_groups_mtx, LCK_MTX_ASSERT_OWNED);
+ while (kauth_groups_count > new_size) {
+ gm = TAILQ_LAST(&kauth_groups, kauth_groups_head);
+ TAILQ_REMOVE(&kauth_groups, gm, gm_link);
+ kauth_groups_count--;
+ FREE(gm, M_KAUTH);
+ }
* Group membership KPI
* result of the call
* Returns: 0 Success
- * ENOENT Could not proform lookup
+ * ENOENT Could not perform lookup
* kauth_resolver_submit:EWOULDBLOCK
* kauth_resolver_submit:EINTR
* kauth_resolver_submit:ENOMEM
* Notes: This function guarantees not to modify resultp when returning
* an error.
- * This function effectively checkes the EGID as well, since the
+ * This function effectively checks the EGID as well, since the
* EGID is cr_groups[0] as an implementation detail.
kauth_cred_ismember_gid(kauth_cred_t cred, gid_t gid, int *resultp)
posix_cred_t pcred = posix_cred_get(cred);
- struct kauth_group_membership *gm;
- struct kauth_identity_extlookup el;
- int i, error;
+ int i;
* Check the per-credential list of override groups.
+ struct kauth_group_membership *gm;
+ struct kauth_identity_extlookup el;
+ int error;
* If the resolver hasn't checked in yet, we are early in the boot
* phase and the local group list is complete and authoritative.
*resultp = 0;
/* TODO: */
/* XXX check supplementary groups */
/* XXX check whiteout groups */
/* if we did, we can return now */
- if (gm != NULL)
+ if (gm != NULL) {
+ DTRACE_PROC2(kauth__group__cache__hit, int, pcred->cr_gmuid, int, gid);
+ }
/* nothing in the cache, need to go to userland */
bzero(&el, sizeof(el));
el.el_info_pid = current_proc()->p_pid;
el.el_uid = pcred->cr_gmuid;
el.el_gid = gid;
el.el_member_valid = 0; /* XXX set by resolver? */
+ DTRACE_PROC2(kauth__group__resolver__submitted, int, el.el_uid, int, el.el_gid);
error = kauth_resolver_submit(&el, 0ULL);
+ DTRACE_PROC2(kauth__group__resolver__returned, int, error, int, el.el_flags);
if (error != 0)
/* save the results from the lookup */
+ *resultp = 0;
+ return(0);
* kauth_cred_ismember_guid
* 0 Is not member
-kauth_cred_ismember_guid(kauth_cred_t cred, guid_t *guidp, int *resultp)
+kauth_cred_ismember_guid(__unused kauth_cred_t cred, guid_t *guidp, int *resultp)
- struct kauth_identity ki;
- gid_t gid;
- int error, wkg;
+ int error = 0;
- error = 0;
- wkg = kauth_wellknown_guid(guidp);
- switch(wkg) {
+ switch (kauth_wellknown_guid(guidp)) {
*resultp = 0;
*resultp = 1;
+ {
+ struct kauth_identity ki;
+ gid_t gid;
#if 6603280
* Grovel the identity cache looking for this GUID.
error = kauth_cred_ismember_gid(cred, gid, resultp);
+ error = ENOENT;
+ break;
+ }
* Parameters: cred The original credential
* groups Pointer to gid_t array which
* contains the new group list
- * groupcount The cound of valid groups which
+ * groupcount The count of valid groups which
* are contained in 'groups'
* gmuid KAUTH_UID_NONE -or- the new
* group membership UID
* that is returned to them, if it is not intended to be a
* persistent reference.
- * XXX: Changes are determined in ordinal order - if the caller pasess
+ * XXX: Changes are determined in ordinal order - if the caller passes
* in the same groups list that is already present in the
* credential, but the members are in a different order, even if
* the EGID is not modified (i.e. cr_groups[0] is the same), it
- * XXX temporary, for NFS support until we can come up with a better
- * XXX enumeration/comparison mechanism
- *
- * Notes: The return value exists to account for the possbility of a
+ * Notes: The return value exists to account for the possibility of a
* kauth_cred_t without a POSIX label. This will be the case in
* the future (see posix_cred_get() below, for more details).
+int kauth_external_supplementary_groups_supported = 1;
+SYSCTL_INT(_kern, OID_AUTO, ds_supgroups_supported, CTLFLAG_RW | CTLFLAG_LOCKED, &kauth_external_supplementary_groups_supported, 0, "");
kauth_cred_getgroups(kauth_cred_t cred, gid_t *grouplist, int *countp)
int limit = NGROUPS;
+ posix_cred_t pcred;
+ pcred = posix_cred_get(cred);
+ /*
+ * If we've not opted out of using the resolver, then convert the cred to a list
+ * of supplemental groups. We do this only if there has been a resolver to talk to,
+ * since we may be too early in boot, or in an environment that isn't using DS.
+ */
+ if (kauth_identitysvc_has_registered && kauth_external_supplementary_groups_supported && (pcred->cr_flags & CRF_NOMEMBERD) == 0) {
+ uid_t uid = kauth_cred_getuid(cred);
+ int err;
+ err = kauth_cred_uid2groups(&uid, grouplist, countp);
+ if (!err)
+ return 0;
+ /* On error just fall through */
+ KAUTH_DEBUG("kauth_cred_getgroups failed %d\n", err);
+ }
* If they just want a copy of the groups list, they may not care
* and limit the returned list to that size.
if (countp) {
- limit = MIN(*countp, cred->cr_posix.cr_ngroups);
+ limit = MIN(*countp, pcred->cr_ngroups);
*countp = limit;
- memcpy(grouplist, cred->cr_posix.cr_groups, sizeof(gid_t) * limit);
+ memcpy(grouplist, pcred->cr_groups, sizeof(gid_t) * limit);
return 0;
kauth_cred_label_update_execve(kauth_cred_t cred, vfs_context_t ctx,
- struct vnode *vp, struct label *scriptl, struct label *execl,
- int *disjointp)
+ struct vnode *vp, struct vnode *scriptvp, struct label *scriptl,
+ struct label *execl, void *macextensions, int *disjointp)
kauth_cred_t newcred;
struct ucred temp_cred;
mac_cred_label_associate(cred, &temp_cred);
*disjointp = mac_cred_label_update_execve(ctx, &temp_cred,
- vp, scriptl, execl);
+ vp, scriptvp, scriptl, execl,
+ macextensions);
newcred = kauth_cred_update(cred, &temp_cred, TRUE);
kauth_proc_label_update_execve(struct proc *p, vfs_context_t ctx,
- struct vnode *vp, struct label *scriptl, struct label *execl)
+ struct vnode *vp, struct vnode *scriptvp, struct label *scriptl,
+ struct label *execl, void *macextensions)
kauth_cred_t my_cred, my_new_cred;
int disjoint = 0;
* passed in. The subsequent compare is safe, because it is
* a pointer compare rather than a contents compare.
- my_new_cred = kauth_cred_label_update_execve(my_cred, ctx, vp, scriptl, execl, &disjoint);
+ my_new_cred = kauth_cred_label_update_execve(my_cred, ctx, vp, scriptvp, scriptl, execl, macextensions, &disjoint);
if (my_cred != my_new_cred) {
DEBUG_CRED_CHANGE("kauth_proc_label_update_execve_unlocked CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
* Parameters: credp Pointer to address containing
* credential to be freed
- * Returns: (void)
+ * Returns: TRUE if the credential must be destroyed by the caller.
+ * FALSE otherwise.
* Implicit returns:
* *credp Set to NOCRED
* scoped to this compilation unit.
* This function destroys the contents of the pointer passed by
- * the caller to prevent the caller accidently attempting to
+ * the caller to prevent the caller accidentally attempting to
* release a given reference twice in error.
* The last reference is considered to be released when a release
* of a credential of a reference count of 2 occurs; this is an
- * intended effect, to take into accout the reference held by
+ * intended effect, to take into account the reference held by
* the credential hash, which is released at the same time.
-static void
+static boolean_t
kauth_cred_unref_hashlocked(kauth_cred_t *credp)
int old_value;
+ boolean_t destroy_it = FALSE;
if (old_value < 3) {
/* The last absolute reference is our credential hash table */
- kauth_cred_remove(*credp);
+ destroy_it = kauth_cred_remove(*credp);
- *credp = NOCRED;
+ if (destroy_it == FALSE) {
+ *credp = NOCRED;
+ }
+ return (destroy_it);
kauth_cred_unref(kauth_cred_t *credp)
+ boolean_t destroy_it;
- kauth_cred_unref_hashlocked(credp);
+ destroy_it = kauth_cred_unref_hashlocked(credp);
+ if (destroy_it == TRUE) {
+ assert(*credp != NOCRED);
+ mac_cred_label_destroy(*credp);
+ (*credp)->cr_ref = 0;
+ FREE_ZONE(*credp, sizeof(*(*credp)), M_CRED);
+ *credp = NOCRED;
+ }
* referencing them, prior to making them visible in an externally
* visible pointer (e.g. by adding them to the credential hash
* cache) is the only legal time in which an existing credential
- * can be safely iinitialized or modified directly.
+ * can be safely initialized or modified directly.
* After initialization, the caller is expected to call the
* function kauth_cred_add() to add the credential to the hash
- * cache, after which time it's frozen and becomes publically
+ * cache, after which time it's frozen and becomes publicly
* visible.
* The release protocol depends on kauth_hash_add() being called
* result, the caller is responsible for dropping BOTH the
* additional reference on the passed cred (if any), and the
* credential returned by this function. The drop should be
- * via the satnadr kauth_cred_unref() KPI.
+ * via the kauth_cred_unref() KPI.
kauth_cred_copy_real(kauth_cred_t cred)
if (found_cred != NULL) {
+ boolean_t destroy_it;
DEBUG_CRED_CHANGE("kauth_cred_update(cache hit): %p -> %p\n", old_cred, found_cred);
* Found a match so we bump reference count on new
* one and decrement reference count on the old one.
- kauth_cred_unref_hashlocked(&old_cred);
+ destroy_it = kauth_cred_unref_hashlocked(&old_cred);
+ if (destroy_it == TRUE) {
+ assert(old_cred != NOCRED);
+ mac_cred_label_destroy(old_cred);
+ old_cred->cr_ref = 0;
+ FREE_ZONE(old_cred, sizeof(*old_cred), M_CRED);
+ old_cred = NOCRED;
+ }
* Must allocate a new credential using the model. also
* adds the new credential to the credential hash table.
* Parameters: cred Credential to remove from cred
* hash cache
- * Returns: (void)
+ * Returns: TRUE if the cred was found & removed from the hash; FALSE if not.
* Locks: Caller is expected to hold KAUTH_CRED_HASH_LOCK
* following code occurs with the hash lock held; in theory, this
* protects us from the 2->1 reference that gets us here.
-static void
+static boolean_t
kauth_cred_remove(kauth_cred_t cred)
u_long hash_key;
if (cred->cr_ref < 1)
panic("cred reference underflow");
if (cred->cr_ref > 1)
- return; /* someone else got a ref */
+ return (FALSE); /* someone else got a ref */
/* Find cred in the credential hash table */
TAILQ_FOREACH(found_cred, &kauth_cred_table_anchor[hash_key], cr_link) {
if (found_cred == cred) {
/* found a match, remove it from the hash table */
TAILQ_REMOVE(&kauth_cred_table_anchor[hash_key], found_cred, cr_link);
- mac_cred_label_destroy(cred);
- cred->cr_ref = 0;
- FREE_ZONE(cred, sizeof(*cred), M_CRED);
- return;
+ return (TRUE);
/* Did not find a match... this should not happen! XXX Make panic? */
printf("%s:%d - %s - %s - did not find a match for %p\n", __FILE__, __LINE__, __FUNCTION__, current_proc()->p_comm, cred);
- return;
+ return (FALSE);
* hash cache
* Returns: NULL Not found
- * !NULL Matching cedential already in
+ * !NULL Matching credential already in
* cred hash cache
* Locks: Caller is expected to hold KAUTH_CRED_HASH_LOCK
* don't worry about the label unless the flags in
* either credential tell us to.
- if ((found_pcred->cr_flags & CRF_MAC_ENFORCE) != 0 ||
- (pcred->cr_flags & CRF_MAC_ENFORCE) != 0) {
- /* include the label pointer in the compare */
- match = (bcmp(&found_pcred->cr_uid, &pcred->cr_uid,
- (sizeof(struct ucred) -
- offsetof(struct ucred, cr_posix))) == 0);
- } else {
- /* flags have to match, but skip the label in bcmp */
- match = (found_pcred->cr_flags == pcred->cr_flags &&
- bcmp(&found_pcred->cr_uid, &pcred->cr_uid,
- sizeof(struct posix_cred)) == 0 &&
- bcmp(&found_cred->cr_audit, &cred->cr_audit,
- sizeof(cred->cr_audit)) == 0);
+ match = (bcmp(found_pcred, pcred, sizeof (*pcred)) == 0) ? TRUE : FALSE;
+ match = match && ((bcmp(&found_cred->cr_audit, &cred->cr_audit,
+ sizeof(cred->cr_audit)) == 0) ? TRUE : FALSE);
+ if (((found_pcred->cr_flags & CRF_MAC_ENFORCE) != 0) ||
+ ((pcred->cr_flags & CRF_MAC_ENFORCE) != 0)) {
+ match = match && mac_cred_label_compare(found_cred->cr_label,
+ cred->cr_label);
if (match) {
/* found a match */
static u_long
kauth_cred_get_hashkey(kauth_cred_t cred)
posix_cred_t pcred = posix_cred_get(cred);
u_long hash_key = 0;
+ hash_key = kauth_cred_hash((uint8_t *)&cred->cr_posix,
+ sizeof (struct posix_cred),
+ hash_key);
+ hash_key = kauth_cred_hash((uint8_t *)&cred->cr_audit,
+ sizeof(struct au_session),
+ hash_key);
if (pcred->cr_flags & CRF_MAC_ENFORCE) {
- hash_key = kauth_cred_hash((uint8_t *)&cred->cr_posix,
- sizeof(struct ucred) - offsetof(struct ucred, cr_posix),
- hash_key);
- } else {
- /* skip label */
- hash_key = kauth_cred_hash((uint8_t *)&cred->cr_posix,
- sizeof(struct posix_cred),
- hash_key);
- hash_key = kauth_cred_hash((uint8_t *)&cred->cr_audit,
- sizeof(struct au_session),
+ hash_key = kauth_cred_hash((uint8_t *)cred->cr_label,
+ sizeof (struct label),
* attach a label to the new credential
* Notes: This function currently wraps kauth_cred_create(), and is the
- * only consume of tht ill-fated function, apart from bsd_init().
+ * only consumer of that ill-fated function, apart from bsd_init().
* It exists solely to support the NFS server code creation of
- * credentials based on the over-the-wire RPC cals containing
+ * credentials based on the over-the-wire RPC calls containing
* traditional POSIX credential information being tunneled to
* the server host from the client machine.
* In the short term, it creates a temporary credential, puts
* the POSIX information from NFS into it, and then calls
- * kauth_cred_create(), as an internal implementaiton detail.
+ * kauth_cred_create(), as an internal implementation detail.
* If we have to keep it around in the medium term, it will
* create a new kauth_cred_t, then label it with a POSIX label
* this function will return a pointer to a posix_cred_t which
* GRANTS all access (effectively, a "root" credential). This is
* necessary to support legacy code which insists on tightly
- * integrating POSIX credentails into its APIs, including, but
+ * integrating POSIX credentials into its APIs, including, but
* not limited to, System V IPC mechanisms, POSIX IPC mechanisms,
* NFSv3, signals, dtrace, and a large number of kauth routines
* used to implement POSIX permissions related system calls.
* Returns: (void)
* Notes: This function is currently void in order to permit it to fit
- * in with the currrent MACF framework label methods which allow
- * labelling to fail silently. This is like acceptable for
+ * in with the current MACF framework label methods which allow
+ * labeling to fail silently. This is like acceptable for
* mandatory access controls, but not for POSIX, since those
* access controls are advisory. We will need to consider a
* return value in a future version of the MACF API.
- * This operation currenty can not fail, as currently the POSIX
+ * This operation currently cannot fail, as currently the POSIX
* credential is a subfield of the kauth_cred_t (ucred), which
* MUST be valid. In the future, this will not be the case.